Links on E2EE channels to nonprivileged private channels breaks rendering of messages #36580

@Gummikavalier

Description:

Linking other private channel messages on an E2EE-enabled channel breaks rendering of messages in the web client. The requirement is that the user does not have the privilege to read that other channel.

Steps to reproduce:

  1. Create an E2EE channel for two users, Alice and Bob.
  2. Type in a few messages on the channel. Check that both users can see all messages.
  3. Create a private channel with user Alice. Add a message to this new channel.
  4. Copy the link of the above regular private channel message to the E2EE channel as a new message.
  5. As Bob, refresh your browser on the E2EE channel screen.

Expected behavior:

Bob can see a message that shows that they do not have privileges to see the content of the latest message.

Actual behavior:

Everything works for Alice as it should, but all or most of the messages on the E2EE channel become invisible to Bob. (You may be able to see some old messages sometimes, but only a few.)

Server Setup Information:

  • Version of Rocket.Chat Server: 7.8.3, also tested with 7.9.0
  • License Type: Enterprise
  • Number of Users: 500+
  • Operating System: RHEL8
  • Deployment Method: docker
  • Number of Running Instances: 4
  • DB Replicaset Oplog: Yes
  • NodeJS Version: v22.14.0
  • MongoDB Version: 7.0.22

Client Setup Information

  • Desktop App or Browser Version: Latest Firefox and Chrome

Additional context

To fix the situation, the original sender (Alice) of the linked message can remove the message using the web client (from that E2EE channel). After this, all messages become visible again after Bob refreshes their screen again.

The mobile client does not suffer from this issue. Note that the message that triggered it cannot be completely deleted using the mobile client; you can try, but it remains on the channel if you look at it with the web client, and the issue persists.

Labels: Tasked (Added to the internal issue tracking)
