Open
Description
A customer asked for this feature.
The `!help` command currently just dumps every command that is loaded by st2chatops. This is due to how hubot commands are loaded (into `robot.commands`) and how the hubot-help plugin works.
It would be helpful if the bot only dumped out commands that the authenticated ChatOps user can run. This would reduce confusion, because the situation right now amounts to:
- User chats `!help`
- Hubot dumps all loaded ST2 commands
- User starts trying to run listed commands
- ST2 RBAC returns authorization errors
- User has to iterate through entire list to figure out what they can run
A few additional notes:
- SECURITY: If results are dumped back into a public channel and that channel history is accessible to all users, it would allow a malicious user or an attacker to target users that can run commands the attacker is interested in.
- ChatOps RBAC extensions to only allow certain commands to only be run in certain channels/by certain users (#2481, #4559) will have different results depending on which channel the `!help` is run from, or it would require a complete listing of the allowed commands on a per-channel basis. This listing can grow very quickly, so this feature would greatly complicate that feature.

  Example:

  ```
  !help

  #public-channel
  ---------------
  * do_thing_1
  * do_thing_2

  #private-channel-aaylmao
  ------------------------
  * do_thing_1
  * do_thing_3
  * do_thing_4

  #private-channel-omgstahp
  -------------------------
  * do_thing_2
  * do_thing_5
  ```
- ChatOps RBAC extensions to only allow certain users to run some commands with only certain parameters (eg: restrictions on `hostname` parameter) will similarly be complicated by this feature.
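
The filtering requested above, as an added example that is not st2chatops or hubot-help code: it lists only the commands a user may run in the channel where `!help` was typed, and addresses the reply to the user directly, per the SECURITY note. The policy table, user names, help strings and function names are constructed assumptions standing in for an ST2 RBAC lookup.

```javascript
// Added example: every name and value below is constructed, not st2chatops code.
// Help strings in the shape Hubot keeps in robot.commands.
const loadedCommands = [
  '!do_thing_1 - constructed help text',
  '!do_thing_2 - constructed help text',
  '!do_thing_3 - constructed help text',
  '!do_thing_4 - constructed help text',
  '!do_thing_5 - constructed help text',
  '!constructor - constructed entry with no rule',
];

// Hypothetical policy standing in for an RBAC lookup: who may run each
// command, and in which channels (mirrors the per-channel listing above).
const A = '#private-channel-aaylmao';
const O = '#private-channel-omgstahp';
const P = '#public-channel';
const policy = {
  do_thing_1: { users: ['alice', 'bob'], channels: [P, A] },
  do_thing_2: { users: ['alice'], channels: [P, O] },
  do_thing_3: { users: ['alice', 'bob'], channels: [A] },
  do_thing_4: { users: ['alice'], channels: [A] },
  do_thing_5: { users: ['alice'], channels: [O] },
};

// Extract the command name from a help line such as "!do_thing_1 - ...".
function commandName(helpLine) {
  const m = /^!?(\S+)/.exec(helpLine.trim());
  return m ? m[1] : null;
}

// Default deny: a command is listed only if a rule exists and allows both
// the user and the channel. hasOwnProperty keeps names like "constructor"
// from matching inherited Object properties.
function visibleHelp(user, channel, commands, rules) {
  return commands.filter((line) => {
    const name = commandName(line);
    if (name === null || !Object.prototype.hasOwnProperty.call(rules, name)) return false;
    const rule = rules[name];
    return rule.users.includes(user) && rule.channels.includes(channel);
  });
}

// Address the reply to the requesting user, not the channel, so channel
// history never records who is able to run which command.
function buildHelpReply(user, channel, commands, rules) {
  const lines = visibleHelp(user, channel, commands, rules);
  const text = lines.length ? lines.join('\n') : `No commands available to you in ${channel}`;
  return { target: { type: 'dm', user }, text };
}
```

Filtering the help listing only reduces noise and exposure; the RBAC check at execution time remains the actual control.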