Via HackerOne. The severity of this is extremely low, so I'm not sure when I'll get around to fixing it, but here's a UI approach:
- Alice joins room General Chat.
- Alice loads General Chat in her browser.
- In another window, kick Alice out of the room and change "Can Join" to something like "No One".
- Send a message from the first window.
The message sends, which is incorrect. There's a more general version of this with raw HTTP requests but it's more cumbersome.
This is an outgrowth of CAN_VIEW usually being sufficient to comment in other applications (e.g., tasks don't have a "Can Join").
Maybe one fix for this is really just to remove the "Can Join" permission completely? But if we don't, we should check for it before accepting messages.
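As an added illustration (not Phabricator's own code), here is a toy model of a room with separate "Can View" and "Can Join" policies: the first send check reproduces the reported behaviour, the second adds the missing "Can Join" test. The policy names and the `Room` structure are made up for this example.

```python
# Added illustration, not Phabricator's code: a toy room with separate
# "Can View" and "Can Join" policies (policy names are made up).
from dataclasses import dataclass, field

PUBLIC, NO_ONE = "public", "no-one"

@dataclass
class Room:
    can_view: str = PUBLIC
    can_join: str = PUBLIC
    participants: set = field(default_factory=set)

def policy_allows(policy: str, user: str) -> bool:
    # "public" admits everyone, "no-one" admits nobody; anything else is
    # read as a comma-separated list of explicitly allowed users.
    if policy == PUBLIC:
        return True
    if policy == NO_ONE:
        return False
    return user in policy.split(",")

def can_view(room: Room, user: str) -> bool:
    # Participants can always view; others are subject to the view policy.
    return user in room.participants or policy_allows(room.can_view, user)

def send_message_vulnerable(room: Room, user: str) -> bool:
    # The reported behaviour: CAN_VIEW alone gates posting, so a user kicked
    # after loading the page can still send even when Can Join is "No One".
    return can_view(room, user)

def send_message_fixed(room: Room, user: str) -> bool:
    # Fixed check: a non-participant must also satisfy the Can Join policy
    # before a message is accepted; existing participants post as before.
    if not can_view(room, user):
        return False
    if user not in room.participants and not policy_allows(room.can_join, user):
        return False
    return True

def reproduce(send) -> bool:
    # Replays the report: Alice joins, is kicked, Can Join is set to "No One",
    # then the already-loaded window sends a message.
    room = Room(can_view=PUBLIC, can_join=PUBLIC, participants={"bob"})
    room.participants.add("alice")      # Alice joins General Chat
    room.participants.discard("alice")  # kicked from another window
    room.can_join = NO_ONE              # "Can Join" changed to "No One"
    return send(room, "alice")          # send from the first window
```

`reproduce(send_message_vulnerable)` returns True (the message is accepted), while `reproduce(send_message_fixed)` returns False.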