OpenIM Server Version
- openim-server: v3.8.3-patch.15
- openim-chat: v1.8.4-patch.3
Operating System and CPU Architecture
Linux (AMD)
Deployment Method
Docker Deployment
Bug Description and Steps to Reproduce
Bug Report: NoPermissionError when sending @ message in v3.8.3-patch.15
Issue Title
GetGroupMemberUserIDs RPC permission denied when sending @ message (atUserList)
Version
- openim-server: v3.8.3-patch.15
- openim-chat: v1.8.4-patch.3
Environment
- Docker Compose deployment
- MongoDB, Redis, Kafka, etcd configured
Problem Description
When sending a group message with @ mentions (using atUserList parameter), the RPC call to GetGroupMemberUserIDs is rejected with NoPermissionError.
API Request
curl -X POST http://10.1.3.170:10002/msg/send_msg \
-H "Content-Type: application/json" \
-H "operationID: 12122113-19" \
-H "token: <token>" \
-d '{
"sendID": "imAdmin",
"groupID": "3655350729",
"content": {
"text": "hello",
"atUserList": ["5735385206"],
"isAtSelf": false
},
"contentType": 106,
"sessionType": 3
}'
Error Log
ERROR openim-rpc-msg [rpccache/group.go:62] GroupLocalCache getGroupMemberIDs return
{"operationID": "@@@12122113-19", "groupID": "3655350729", "error": "Error: 1002 NoPermissionError opUser no permission | -> group.(*groupServer).GetGroupMemberUserIDs() ..."}
Root Cause Analysis
Based on GitHub Issue #3314, v3.8.3-patch.14/15 added stricter permission checks to fix horizontal privilege escalation vulnerabilities in these APIs:
/group/get_groups_info
/group/get_full_join_group_ids
/friend/get_full_friend_user_ids
/group/get_group_member_list
/group/get_full_group_member_user_ids
However, the permission check is too strict: internal RPC calls between services (e.g., rpc-msg calling rpc-group) are also rejected, because they do not carry the permission credentials the check expects.
Impact
- @ mentions in group messages cannot work properly
- Internal service-to-service RPC calls fail
- The error only affects messages with the atUserList parameter (contentType 106)
Workaround
- Use single chat (sessionType: 1) instead of group chat with @ mentions
- Send regular group messages without @ mentions (works fine)
Related Information
Expected Behavior
Internal RPC calls between services should be allowed to bypass the permission check, or the permission check should validate that the caller is an internal service.
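As an added illustration of the second option in the expected behavior (this is a sketch, not OpenIM's own code), the block below contrasts an over-strict member-only check with one that first accepts a caller whose service identity has been verified by the RPC layer. Caller, Group, internalServices and the two check functions are assumed names, and the Service field is presumed to be filled from a trusted source such as the mTLS peer identity rather than from client-supplied headers.

```go
package main

import "errors"

// ErrNoPermission mirrors the "1002 NoPermissionError" from the log (hypothetical).
var ErrNoPermission = errors.New("1002 NoPermissionError opUser no permission")

// Caller is what the receiving RPC knows about a call (constructed type).
// Service must come from a trusted source such as the mTLS peer identity,
// never from client-supplied headers, or a user could claim to be a service.
type Caller struct {
	OpUserID string // end user the request is made on behalf of
	Service  string // verified calling service, empty for end-user calls
}

// Group is a constructed stand-in for group state: the member set only.
type Group struct {
	Members map[string]bool
}

// internalServices is an assumed allow-list of services that may read member IDs as non-members.
var internalServices = map[string]bool{"openim-rpc-msg": true}

// checkStrict is the over-strict rule: only a group member may list member IDs, so a call on behalf of a non-member fails.
func checkStrict(c Caller, g *Group) error {
	if !g.Members[c.OpUserID] {
		return ErrNoPermission
	}
	return nil
}

// checkAllowInternal accepts a verified internal service, else applies the member rule.
func checkAllowInternal(c Caller, g *Group) error {
	if internalServices[c.Service] {
		return nil
	}
	return checkStrict(c, g)
}

// GetGroupMemberUserIDs runs the supplied check, then returns the member IDs.
func GetGroupMemberUserIDs(c Caller, g *Group, check func(Caller, *Group) error) ([]string, error) {
	if err := check(c, g); err != nil {
		return nil, err
	}
	ids := make([]string, 0, len(g.Members))
	for id := range g.Members {
		ids = append(ids, id)
	}
	return ids, nil
}
```

An unknown Service value falls through to the member rule, so the horizontal privilege escalation fix from #3314 is preserved for end users while rpc-msg can still resolve atUserList.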
Screenshots Link
No response