From c54dee9fabe9b25935f8c8b64601e9b036c575cf Mon Sep 17 00:00:00 2001
From: PieterCK
Date: Mon, 6 Oct 2025 16:09:35 +0700
Subject: [PATCH] slack_integration: Audit the Slack bot token scope requirements.

This clarifies which Slack bot token scopes the integration really uses. Extraneous scopes are: `users:read.email`, `team:read`, and `emoji:read`. Fixes part of #30827.
---
 zerver/webhooks/slack/doc.md | 30 +++++++++++++++++++++++++-----
 zerver/webhooks/slack/view.py | 10 +++++-----
 2 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/zerver/webhooks/slack/doc.md b/zerver/webhooks/slack/doc.md
index e8b604dd71..6cc5e6107f 100644
--- a/zerver/webhooks/slack/doc.md
+++ b/zerver/webhooks/slack/doc.md
@@ -48,14 +48,14 @@ If you are looking to quickly move your Slack integrations to Zulip, check out
 1. Create a new [Slack app][4], and open it. Navigate to the **OAuth & Permissions** menu, and scroll down to the **Scopes** section.
-1. Make sure **Bot Token Scopes** includes `channels:read`,
- `channels:history`, `emoji:read`, `team:read`, `users:read`, and
- `users:read.email`.
+1. Make sure **Bot Token Scopes** includes `channels:history`, `channels:read`,
+ and `users:read`. If you're setting up a [bidirectional bridge][6], make sure
+ to also include the `chat:write` scope.
 !!! tip ""
- See [Slack's Events API documentation][3] for details about
- these scopes.
+ See the [required bot token scopes](#required-bot-token-scopes)
+ section for details about these scopes.
 1. Scroll to the **OAuth Tokens for Your Workspace** section in the same menu, and click **Install to Workspace**.
@@ -79,6 +79,26 @@ If you are looking to quickly move your Slack integrations to Zulip, check out
 ![](/static/images/integrations/slack/001.png)
+### Required bot token scopes
+
+- `channels:history` is required by Slack's Event API's
+ [message.channels](https://api.slack.com/events/message.channels) event. This
+ is used to send new messages from Slack to Zulip.
+
+- `channels:read` is required for Slack's
+ [conversations.info](https://api.slack.com/methods/conversations.info)
+ endpoint. This is used to get the name of the Slack channel a message came
+ from.
+
+- For a [bidirectional bridge][6] setup, the `chat:write` is also required for
+ Slack's
+ [chat.postMessage](https://docs.slack.dev/reference/methods/chat.postMessage/)
+ method. This is used to send new messages from Zulip to Slack.
+
+- `users:read` is required to call
+ Slack's [users.info](https://api.slack.com/methods/users.info) endpoint. This
+ is used to get the name of the Slack message's sender.
+
 ### Related documentation - [Forward messages Slack <-> Zulip][6] (both directions)
diff --git a/zerver/webhooks/slack/view.py b/zerver/webhooks/slack/view.py
index 4cbfc33a14..a0dd1a6779 100644
--- a/zerver/webhooks/slack/view.py
+++ b/zerver/webhooks/slack/view.py
@@ -155,12 +155,12 @@ def is_retry_call_from_slack(request: HttpRequest) -> bool:
 SLACK_INTEGRATION_TOKEN_SCOPES = {
- "channels:read",
- "channels:history",
+ # For Slack's users.info endpoint: https://api.slack.com/methods/users.info
 "users:read",
- "emoji:read",
- "team:read",
- "users:read.email",
+ # For Slack's conversations.info endpoint: https://api.slack.com/methods/conversations.info
+ "channels:read",
+ # For Slack's Event's API: https://api.slack.com/events/message.channels
+ "channels:history",
 }
 INVALID_SLACK_TOKEN_MESSAGE = """
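Review bot: Nothing in the `view.py` hunk shows how `SLACK_INTEGRATION_TOKEN_SCOPES` is compared with the scopes a token actually carries, and the code that consumes the set lies outside the hunk. Narrowing it is only safe if that comparison is a subset test, because tokens installed under the old instructions still hold `emoji:read`, `team:read` and `users:read.email`, and an equality check would now reject them. If it is a subset test, a comment above the set would make the contract explicit, for example `# Minimum bot token scopes the integration requires; chat:write (bidirectional bridge only) is not checked here.` The last added comment also has a typo: `# For Slack's Event's API` should read `# For Slack's Events API`. Shrinking this set does not remove the extra scopes from Slack apps that are already installed, so least privilege only takes effect once an admin removes those scopes on the Slack side.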