Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 0.0.0-20250513065225-4ae5d647fb88 | 0.0.0-20250513065225-4ae5d647fb88 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250513065225-4ae5d647fb88 | 8.0.0-20250513065225-4ae5d647fb88 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.11.0, < 9.11.16 | 9.11.16 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.5.0, < 10.5.6 | 10.5.6 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0, < 10.6.6 | 10.6.6 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0, < 10.7.3 | 10.7.3 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.8.0, < 10.8.1 | 10.8.1 |
Affected products
1- Range: 10.5.0
Patches
2
31142f101e3c Permission schema error fix (#30953) (#31014)
3 files changed · +460 −14
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings.test.tsx+31 −0 modified@@ -336,12 +336,14 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s permissions: ['invite_user'], }, bbb: { + name: 'team_admin', permissions: ['add_user_to_team'], }, ccc: { permissions: ['add_reaction'], }, ddd: { + name: 'channel_admin', permissions: ['delete_post'], }, eee: { @@ -350,6 +352,18 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s fff: { permissions: ['delete_post'], }, + ggg: { + permissions: ['delete_post'], + }, + hhh: { + permissions: ['delete_post'], + }, + iii: { + permissions: ['delete_post'], + }, + jjj: { + permissions: ['delete_post'], + }, }, }; @@ -361,6 +375,23 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s expect(getAnyInstance(wrapper).getStateRoles()).toMatchSnapshot(); done(); }); + + const instance = getAnyInstance(wrapper); + + // A moderated permission should set team/channel admins + instance.togglePermission('channel_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.channel_admin.permissions.indexOf(Permissions.CREATE_POST)).toBeGreaterThan(-1); + + // toggle again and disable + instance.togglePermission('channel_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.channel_admin.permissions.indexOf(Permissions.CREATE_POST)).toBe(-1); + + instance.togglePermission('team_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.team_admin.permissions.indexOf(Permissions.CREATE_POST)).toBeGreaterThan(-1); + + // toggle again and disable + instance.togglePermission('team_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.team_admin.permissions.indexOf(Permissions.CREATE_POST)).toBe(-1); }); test('should match snapshot on edit without guest permissions', (done) => {
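Review bot: The added `togglePermission` assertions do not distinguish the new by-name lookup from the old one, because the fixture sets `name: 'team_admin'` and `name: 'channel_admin'`, which equal the state keys shown in the updated snapshot, so the pre-fix `roles[roleId]` would appear to satisfy them as well. Giving the fixture roles names that differ from those keys (for example `name: 'bbb'`, then `instance.togglePermission('bbb', [Permissions.CREATE_POST])` with the assertion kept on `roles.team_admin`) would pin the behaviour the fix is meant to add, assuming scheme roles in production carry names that differ from the keys. There is also no case for a role name that matches nothing, which is the new early-return path. The enclosing test starts outside the hunk, and the same test change is repeated in the 4ae5d647fb88 section further down.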
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings.tsx+9 −2 modified@@ -502,7 +502,14 @@ export default class PermissionTeamSchemeSettings extends React.PureComponent<Pr togglePermission = (roleId: string, permissions: string[]) => { const roles = {...this.getStateRoles()} as RolesMap; - const role = {...roles[roleId]} as Role; + const rolesKey = Object.keys(roles).find((roleKey) => roles[roleKey].name === roleId); + + if (!rolesKey) { + return; + } + + const role = {...roles[rolesKey]} as Role; + const newPermissions = [...role.permissions]; for (const permission of permissions) { if (newPermissions.indexOf(permission) === -1) { @@ -512,7 +519,7 @@ export default class PermissionTeamSchemeSettings extends React.PureComponent<Pr } } role.permissions = newPermissions; - roles[roleId] = role; + roles[rolesKey] = role; if (roleId === 'all_users') { const channelAdminRole = {...roles.channel_admin} as Role;
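Review bot: The new lookup `roles[roleKey].name === roleId` dereferences every entry returned by `getStateRoles()`, and the removed snapshot lines in this commit show that map holding `undefined` values (`"channel_admin": undefined`), so if `togglePermission` can run in that state (not visible here) it would throw instead of doing nothing; `roles[roleKey]?.name === roleId` keeps the lookup safe. The `if (!rolesKey) { return; }` guard then drops the toggle without any signal, which in a permission editor can leave an admin believing a grant or revocation was applied; a comment such as `// no role with this name in the scheme: nothing to toggle` together with a logged warning would make that path visible. The unchanged `if (roleId === 'all_users')` branch still indexes `roles.channel_admin` by key, so the method now mixes lookup by name with lookup by key and deserves a one-line comment saying which identifier `roleId` carries. `togglePermission` starts and ends outside the hunks shown, and the identical change appears in the 4ae5d647fb88 section further down.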
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/__snapshots__/permission_team_scheme_settings.test.tsx.snap+420 −12 modified@@ -1,28 +1,436 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 1`] = `<LoadingScreen />`; +exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 1`] = ` +<div + className="wrapper--fixed" +> + <AdminHeader + withBackButton={true} + > + <div> + <Connect(Component) + className="fa fa-angle-left back" + to="/admin_console/user_management/permissions" + /> + <MemoizedFormattedMessage + defaultMessage="Team Scheme" + id="admin.permissions.teamScheme" + /> + </div> + </AdminHeader> + <div + className="admin-console__wrapper" + > + <div + className="admin-console__content" + > + <div + className="banner info" + > + <div + className="banner__content" + > + <span> + <MemoizedFormattedMessage + defaultMessage="<linkOverrideTeam>Team Override Schemes</linkOverrideTeam> set the permissions for Team Admins, Channel Admins and other members in specific teams. Use a Team Override Scheme when specific teams need permission exceptions to the <linkSystemScheme>System Scheme</linkSystemScheme>." 
+ id="admin.permissions.teamScheme.introBanner" + values={ + Object { + "linkOverrideTeam": [Function], + "linkSystemScheme": [Function], + } + } + /> + </span> + </div> + </div> + <AdminPanel + subtitle={ + Object { + "defaultMessage": "Set the name and description for this scheme.", + "id": "admin.permissions.teamScheme.schemeDetailsDescription", + } + } + title={ + Object { + "defaultMessage": "Scheme Details", + "id": "admin.permissions.teamScheme.schemeDetailsTitle", + } + } + > + <div + className="team-scheme-details" + > + <div + className="form-group" + > + <label + className="control-label" + htmlFor="scheme-name" + > + <MemoizedFormattedMessage + defaultMessage="Scheme Name:" + id="admin.permissions.teamScheme.schemeNameLabel" + /> + </label> + <LocalizedPlaceholderInput + className="form-control" + disabled={false} + id="scheme-name" + onChange={[Function]} + placeholder={ + Object { + "defaultMessage": "Scheme Name", + "id": "admin.permissions.teamScheme.schemeNamePlaceholder", + } + } + type="text" + value="Test scheme" + /> + </div> + <div + className="form-group" + > + <label + className="control-label" + htmlFor="scheme-description" + > + <MemoizedFormattedMessage + defaultMessage="Scheme Description:" + id="admin.permissions.teamScheme.schemeDescriptionLabel" + /> + </label> + <LocalizedPlaceholderTextarea + className="form-control" + disabled={false} + id="scheme-description" + onChange={[Function]} + placeholder={ + Object { + "defaultMessage": "Scheme Description", + "id": "admin.permissions.teamScheme.schemeDescriptionPlaceholder", + } + } + rows={5} + value="Test scheme description" + /> + </div> + </div> + </AdminPanel> + <AdminPanelWithButton + buttonText={ + Object { + "defaultMessage": "Add Teams", + "id": "admin.permissions.teamScheme.addTeams", + } + } + className="permissions-block" + disabled={false} + onButtonClick={[Function]} + subtitle={ + Object { + "defaultMessage": "Select teams where permission exceptions are required.", + 
"id": "admin.permissions.teamScheme.selectTeamsDescription", + } + } + title={ + Object { + "defaultMessage": "Select teams to override permissions", + "id": "admin.permissions.teamScheme.selectTeamsTitle", + } + } + > + <div + className="teams-list" + > + <div + className="no-team-schemes" + > + <MemoizedFormattedMessage + defaultMessage="No team selected. Please add teams to this list." + id="admin.permissions.teamScheme.noTeams" + /> + </div> + </div> + </AdminPanelWithButton> + <AdminPanelTogglable + className="permissions-block all_users" + id="all_users" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to all members, including administrators and newly created users.", + "id": "admin.permissions.systemScheme.allMembersDescription", + } + } + title={ + Object { + "defaultMessage": "All Members", + "id": "admin.permissions.systemScheme.allMembersTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + readOnly={false} + role={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + scope="team_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block channel_admin" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to channel creators and any users promoted to Channel Administrator.", + "id": "admin.permissions.systemScheme.channelAdminsDescription", + } + } + title={ + Object { + "defaultMessage": "Channel Administrators", + "id": "admin.permissions.systemScheme.channelAdminsTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object 
{ + "name": "channel_admin", + "permissions": Array [ + "delete_post", + ], + } + } + scope="channel_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to administrators of a playbook.", + "id": "admin.permissions.systemScheme.playbookAdminSubtitle", + } + } + title={ + Object { + "defaultMessage": "Playbook Administrator", + "id": "admin.permissions.systemScheme.playbookAdmin", + } + } + > + <PermissionsTreePlaybooks + license={ + Object { + "CustomPermissionsSchemes": "true", + "GuestAccountsPermissions": "true", + "IsLicensed": "true", + } + } + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object { + "permissions": Array [ + "delete_post", + ], + } + } + scope="playbook_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block team_admin" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to team creators and any users promoted to Team Administrator.", + "id": "admin.permissions.systemScheme.teamAdminsDescription", + } + } + title={ + Object { + "defaultMessage": "Team Administrators", + "id": "admin.permissions.systemScheme.teamAdminsTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object { + "name": "team_admin", + "permissions": Array [ + "add_user_to_team", + ], + } + } + scope="team_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + </div> + 
</div> + <div + className="admin-console-save" + > + <SaveButton + disabled={true} + onClick={[Function]} + saving={false} + savingMessage={ + <Memo(MemoizedFormattedMessage) + defaultMessage="Saving Config..." + id="admin.saving" + /> + } + /> + <Connect(Component) + className="cancel-button" + to="/admin_console/user_management/permissions" + > + <MemoizedFormattedMessage + defaultMessage="Cancel" + id="admin.permissions.permissionSchemes.cancel" + /> + </Connect(Component)> + <div + className="error-message" + > + <Memo(FormError) + error={null} + /> + </div> + </div> +</div> +`; exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 2`] = ` Object { "all_users": Object { "displayName": "All members", "name": "all_users", - "permissions": Array [], + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + }, + "channel_admin": Object { + "name": "channel_admin", + "permissions": Array [ + "delete_post", + ], + }, + "channel_guest": Object { + "permissions": Array [ + "delete_post", + ], + }, + "channel_user": Object { + "permissions": Array [ + "add_reaction", + ], }, - "channel_admin": undefined, - "channel_guest": undefined, - "channel_user": undefined, "guests": Object { "displayName": "Guests", "name": "guests", - "permissions": undefined, + "permissions": Array [ + "edit_post", + "delete_post", + ], + }, + "playbook_admin": Object { + "permissions": Array [ + "delete_post", + ], + }, + "playbook_member": Object { + "permissions": Array [ + "delete_post", + ], + }, + "run_member": Object { + "permissions": Array [ + "delete_post", + ], + }, + "team_admin": Object { + "name": "team_admin", + "permissions": Array [ + "add_user_to_team", + ], + }, + "team_guest": Object { + "permissions": Array [ + "edit_post", + ], + }, + "team_user": Object { + "permissions": Array [ + "invite_user", + ], }, - 
"playbook_admin": undefined, - "playbook_member": undefined, - "run_member": undefined, - "team_admin": undefined, - "team_guest": undefined, - "team_user": undefined, } `;
4ae5d647fb88 Permission schema error fix (#30953)
3 files changed · +460 −14
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings.test.tsx+31 −0 modified@@ -336,12 +336,14 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s permissions: ['invite_user'], }, bbb: { + name: 'team_admin', permissions: ['add_user_to_team'], }, ccc: { permissions: ['add_reaction'], }, ddd: { + name: 'channel_admin', permissions: ['delete_post'], }, eee: { @@ -350,6 +352,18 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s fff: { permissions: ['delete_post'], }, + ggg: { + permissions: ['delete_post'], + }, + hhh: { + permissions: ['delete_post'], + }, + iii: { + permissions: ['delete_post'], + }, + jjj: { + permissions: ['delete_post'], + }, }, }; @@ -361,6 +375,23 @@ describe('components/admin_console/permission_schemes_settings/permission_team_s expect(getAnyInstance(wrapper).getStateRoles()).toMatchSnapshot(); done(); }); + + const instance = getAnyInstance(wrapper); + + // A moderated permission should set team/channel admins + instance.togglePermission('channel_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.channel_admin.permissions.indexOf(Permissions.CREATE_POST)).toBeGreaterThan(-1); + + // toggle again and disable + instance.togglePermission('channel_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.channel_admin.permissions.indexOf(Permissions.CREATE_POST)).toBe(-1); + + instance.togglePermission('team_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.team_admin.permissions.indexOf(Permissions.CREATE_POST)).toBeGreaterThan(-1); + + // toggle again and disable + instance.togglePermission('team_admin', [Permissions.CREATE_POST]); + expect(getAnyState(wrapper).roles.team_admin.permissions.indexOf(Permissions.CREATE_POST)).toBe(-1); }); test('should match snapshot on edit without guest permissions', (done) => {
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings.tsx+9 −2 modified@@ -502,7 +502,14 @@ export default class PermissionTeamSchemeSettings extends React.PureComponent<Pr togglePermission = (roleId: string, permissions: string[]) => { const roles = {...this.getStateRoles()} as RolesMap; - const role = {...roles[roleId]} as Role; + const rolesKey = Object.keys(roles).find((roleKey) => roles[roleKey].name === roleId); + + if (!rolesKey) { + return; + } + + const role = {...roles[rolesKey]} as Role; + const newPermissions = [...role.permissions]; for (const permission of permissions) { if (newPermissions.indexOf(permission) === -1) { @@ -512,7 +519,7 @@ export default class PermissionTeamSchemeSettings extends React.PureComponent<Pr } } role.permissions = newPermissions; - roles[roleId] = role; + roles[rolesKey] = role; if (roleId === 'all_users') { const channelAdminRole = {...roles.channel_admin} as Role;
webapp/channels/src/components/admin_console/permission_schemes_settings/permission_team_scheme_settings/__snapshots__/permission_team_scheme_settings.test.tsx.snap+420 −12 modified@@ -1,28 +1,436 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 1`] = `<LoadingScreen />`; +exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 1`] = ` +<div + className="wrapper--fixed" +> + <AdminHeader + withBackButton={true} + > + <div> + <Connect(Component) + className="fa fa-angle-left back" + to="/admin_console/user_management/permissions" + /> + <MemoizedFormattedMessage + defaultMessage="Team Scheme" + id="admin.permissions.teamScheme" + /> + </div> + </AdminHeader> + <div + className="admin-console__wrapper" + > + <div + className="admin-console__content" + > + <div + className="banner info" + > + <div + className="banner__content" + > + <span> + <MemoizedFormattedMessage + defaultMessage="<linkOverrideTeam>Team Override Schemes</linkOverrideTeam> set the permissions for Team Admins, Channel Admins and other members in specific teams. Use a Team Override Scheme when specific teams need permission exceptions to the <linkSystemScheme>System Scheme</linkSystemScheme>." 
+ id="admin.permissions.teamScheme.introBanner" + values={ + Object { + "linkOverrideTeam": [Function], + "linkSystemScheme": [Function], + } + } + /> + </span> + </div> + </div> + <AdminPanel + subtitle={ + Object { + "defaultMessage": "Set the name and description for this scheme.", + "id": "admin.permissions.teamScheme.schemeDetailsDescription", + } + } + title={ + Object { + "defaultMessage": "Scheme Details", + "id": "admin.permissions.teamScheme.schemeDetailsTitle", + } + } + > + <div + className="team-scheme-details" + > + <div + className="form-group" + > + <label + className="control-label" + htmlFor="scheme-name" + > + <MemoizedFormattedMessage + defaultMessage="Scheme Name:" + id="admin.permissions.teamScheme.schemeNameLabel" + /> + </label> + <LocalizedPlaceholderInput + className="form-control" + disabled={false} + id="scheme-name" + onChange={[Function]} + placeholder={ + Object { + "defaultMessage": "Scheme Name", + "id": "admin.permissions.teamScheme.schemeNamePlaceholder", + } + } + type="text" + value="Test scheme" + /> + </div> + <div + className="form-group" + > + <label + className="control-label" + htmlFor="scheme-description" + > + <MemoizedFormattedMessage + defaultMessage="Scheme Description:" + id="admin.permissions.teamScheme.schemeDescriptionLabel" + /> + </label> + <LocalizedPlaceholderTextarea + className="form-control" + disabled={false} + id="scheme-description" + onChange={[Function]} + placeholder={ + Object { + "defaultMessage": "Scheme Description", + "id": "admin.permissions.teamScheme.schemeDescriptionPlaceholder", + } + } + rows={5} + value="Test scheme description" + /> + </div> + </div> + </AdminPanel> + <AdminPanelWithButton + buttonText={ + Object { + "defaultMessage": "Add Teams", + "id": "admin.permissions.teamScheme.addTeams", + } + } + className="permissions-block" + disabled={false} + onButtonClick={[Function]} + subtitle={ + Object { + "defaultMessage": "Select teams where permission exceptions are required.", + 
"id": "admin.permissions.teamScheme.selectTeamsDescription", + } + } + title={ + Object { + "defaultMessage": "Select teams to override permissions", + "id": "admin.permissions.teamScheme.selectTeamsTitle", + } + } + > + <div + className="teams-list" + > + <div + className="no-team-schemes" + > + <MemoizedFormattedMessage + defaultMessage="No team selected. Please add teams to this list." + id="admin.permissions.teamScheme.noTeams" + /> + </div> + </div> + </AdminPanelWithButton> + <AdminPanelTogglable + className="permissions-block all_users" + id="all_users" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to all members, including administrators and newly created users.", + "id": "admin.permissions.systemScheme.allMembersDescription", + } + } + title={ + Object { + "defaultMessage": "All Members", + "id": "admin.permissions.systemScheme.allMembersTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + readOnly={false} + role={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + scope="team_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block channel_admin" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to channel creators and any users promoted to Channel Administrator.", + "id": "admin.permissions.systemScheme.channelAdminsDescription", + } + } + title={ + Object { + "defaultMessage": "Channel Administrators", + "id": "admin.permissions.systemScheme.channelAdminsTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object 
{ + "name": "channel_admin", + "permissions": Array [ + "delete_post", + ], + } + } + scope="channel_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to administrators of a playbook.", + "id": "admin.permissions.systemScheme.playbookAdminSubtitle", + } + } + title={ + Object { + "defaultMessage": "Playbook Administrator", + "id": "admin.permissions.systemScheme.playbookAdmin", + } + } + > + <PermissionsTreePlaybooks + license={ + Object { + "CustomPermissionsSchemes": "true", + "GuestAccountsPermissions": "true", + "IsLicensed": "true", + } + } + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object { + "permissions": Array [ + "delete_post", + ], + } + } + scope="playbook_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + <AdminPanelTogglable + className="permissions-block team_admin" + onToggle={[Function]} + open={true} + subtitle={ + Object { + "defaultMessage": "Permissions granted to team creators and any users promoted to Team Administrator.", + "id": "admin.permissions.systemScheme.teamAdminsDescription", + } + } + title={ + Object { + "defaultMessage": "Team Administrators", + "id": "admin.permissions.systemScheme.teamAdminsTitle", + } + } + > + <Connect(PermissionsTree) + onToggle={[Function]} + parentRole={ + Object { + "displayName": "All members", + "name": "all_users", + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + } + } + readOnly={false} + role={ + Object { + "name": "team_admin", + "permissions": Array [ + "add_user_to_team", + ], + } + } + scope="team_scope" + selectRow={[Function]} + /> + </AdminPanelTogglable> + </div> + 
</div> + <div + className="admin-console-save" + > + <SaveButton + disabled={true} + onClick={[Function]} + saving={false} + savingMessage={ + <Memo(MemoizedFormattedMessage) + defaultMessage="Saving Config..." + id="admin.saving" + /> + } + /> + <Connect(Component) + className="cancel-button" + to="/admin_console/user_management/permissions" + > + <MemoizedFormattedMessage + defaultMessage="Cancel" + id="admin.permissions.permissionSchemes.cancel" + /> + </Connect(Component)> + <div + className="error-message" + > + <Memo(FormError) + error={null} + /> + </div> + </div> +</div> +`; exports[`components/admin_console/permission_schemes_settings/permission_team_scheme_settings/permission_team_scheme_settings should match snapshot on edit with permissions 2`] = ` Object { "all_users": Object { "displayName": "All members", "name": "all_users", - "permissions": Array [], + "permissions": Array [ + "invite_user", + "add_reaction", + "delete_post", + "delete_post", + ], + }, + "channel_admin": Object { + "name": "channel_admin", + "permissions": Array [ + "delete_post", + ], + }, + "channel_guest": Object { + "permissions": Array [ + "delete_post", + ], + }, + "channel_user": Object { + "permissions": Array [ + "add_reaction", + ], }, - "channel_admin": undefined, - "channel_guest": undefined, - "channel_user": undefined, "guests": Object { "displayName": "Guests", "name": "guests", - "permissions": undefined, + "permissions": Array [ + "edit_post", + "delete_post", + ], + }, + "playbook_admin": Object { + "permissions": Array [ + "delete_post", + ], + }, + "playbook_member": Object { + "permissions": Array [ + "delete_post", + ], + }, + "run_member": Object { + "permissions": Array [ + "delete_post", + ], + }, + "team_admin": Object { + "name": "team_admin", + "permissions": Array [ + "add_user_to_team", + ], + }, + "team_guest": Object { + "permissions": Array [ + "edit_post", + ], + }, + "team_user": Object { + "permissions": Array [ + "invite_user", + ], }, - 
"playbook_admin": undefined, - "playbook_member": undefined, - "run_member": undefined, - "team_admin": undefined, - "team_guest": undefined, - "team_user": undefined, } `;
References
- github.com/advisories/GHSA-v8fr-vxmw-6mf6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-46702 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/31142f101e3cce6171e2b6cb4980a1aa8eaefae0 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/4ae5d647fb8893d77dccbb57d114855939a775ce (ghsa, WEB)
- mattermost.com/security-updates (ghsa, WEB)