paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-25 17:14:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

slack_integration: Audit the Slack bot token scope requirements.

Browse Source 
This clarifies which Slack bot token scopes the integration really uses.
Extraneous scopes are: `users:read.email`, `team:read`, and
`emoji:read`.

Fixes part of #30827.
This commit is contained in:
PieterCK
2025-10-06 16:09:35 +07:00
committed by Tim Abbott
parent e65fb2d051
commit c54dee9fab
2 changed files with 30 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
zerver/webhooks/slack/doc.md
View File

@@ -48,14 +48,14 @@ If you are looking to quickly move your Slack integrations to Zulip, check out
1. Create a new [Slack app][4], and open it. Navigate to the **OAuth 1. Create a new [Slack app][4], and open it. Navigate to the **OAuth
& Permissions** menu, and scroll down to the **Scopes** section. & Permissions** menu, and scroll down to the **Scopes** section.
1. Make sure **Bot Token Scopes** includes `channels:read`, 1. Make sure **Bot Token Scopes** includes `channels:history`, `channels:read`,
`channels:history`, `emoji:read`, `team:read`, `users:read`, and and `users:read`. If you're setting up a [bidirectional bridge][6], make sure
`users:read.email`. to also include the `chat:write` scope.
!!! tip "" !!! tip ""
See [Slack's Events API documentation][3] for details about See the [required bot token scopes](#required-bot-token-scopes)
these scopes. section for details about these scopes.
1. Scroll to the **OAuth Tokens for Your Workspace** section in the 1. Scroll to the **OAuth Tokens for Your Workspace** section in the
same menu, and click **Install to Workspace**. same menu, and click **Install to Workspace**.
@@ -79,6 +79,26 @@ If you are looking to quickly move your Slack integrations to Zulip, check out
![](/static/images/integrations/slack/001.png) ![](/static/images/integrations/slack/001.png)
### Required bot token scopes
- `channels:history` is required by Slack's Event API's
[message.channels](https://api.slack.com/events/message.channels) event. This
is used to send new messages from Slack to Zulip.
- `channels:read` is required for Slack's
[conversations.info](https://api.slack.com/methods/conversations.info)
endpoint. This is used to get the name of the Slack channel a message came
from.
- For a [bidirectional bridge][6] setup, the `chat:write` is also required for
Slack's
[chat.postMessage](https://docs.slack.dev/reference/methods/chat.postMessage/)
method. This is used to send new messages from Zulip to Slack.
- `users:read` is required to call
Slack's [users.info](https://api.slack.com/methods/users.info) endpoint. This
is used to get the name of the Slack message's sender.
### Related documentation ### Related documentation
- [Forward messages Slack <-> Zulip][6] (both directions) - [Forward messages Slack <-> Zulip][6] (both directions)

10
zerver/webhooks/slack/view.py
View File

@@ -155,12 +155,12 @@ def is_retry_call_from_slack(request: HttpRequest) -> bool:
SLACK_INTEGRATION_TOKEN_SCOPES = { SLACK_INTEGRATION_TOKEN_SCOPES = {
"channels:read", # For Slack's users.info endpoint: https://api.slack.com/methods/users.info
"channels:history",
"users:read", "users:read",
"emoji:read", # For Slack's conversations.info endpoint: https://api.slack.com/methods/conversations.info
"team:read", "channels:read",
"users:read.email", # For Slack's Event's API: https://api.slack.com/events/message.channels
"channels:history",
} }
INVALID_SLACK_TOKEN_MESSAGE = """ INVALID_SLACK_TOKEN_MESSAGE = """