[BUG] read-only channels & /v1/api/channels.addAll leads to writable channels for all users #12058

@TheReal1604

Description:

If I create a write-protected channel, all users should be muted or read-only in some way. If I test this manually, this works perfectly (adding a user from the WebGUI).

I tried to use the REST API for this with a broadcast channel. The API seems not to evaluate whether it is a broadcast channel, which results in a writable channel for all users added via the REST API (/v1/api/channels.addAll).

Steps to reproduce:

  1. Create a Broadcast Channel
  2. Add all users from the server to this channel via the api /v1/api/channels.addAll
  3. All Users added can read / write on a write-protected channel

Expected behavior:

All users added should only have read permissions like it works from the webgui.

Actual behavior:

All users can write in a write-protected channel.

[Screenshots]

You can see that this user has no explicit permission to write to this channel, but can write in the channel like a content-moderator or administrator.

Server Setup Information:

  • Version of Rocket.Chat Server: 0.69.2
  • Operating System: Ubuntu Server 16.04 LTS
  • Deployment Method: docker
  • Number of Running Instances: 3
  • DB Replicaset Oplog: yes
  • NodeJS Version: v8.11.3
  • MongoDB Version: 3.6

Additional context

After some further testing, this also happens with "only" write-protected channels.

WORKAROUND: You can set the flag "write-protected" on a read-only channel again (just make it writeable and read-only) - to force the server to set all the mutes again.
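
An audit check for the condition reported above, as an added example that is not part of the original issue or Rocket.Chat's own code: it lists members of a read-only room who were never muted and hold no role that should allow posting. The field names `ro`, `muted` and `roles`, the role set and all sample data are assumptions constructed for illustration.

```javascript
// Added example. The field names `ro`, `muted` and `roles`, and the role set
// below, are assumptions for illustration; all data here is constructed.
const WRITE_ROLES = new Set(['admin', 'owner', 'moderator']);

// Return usernames that can post in a read-only room although they hold no
// role that should allow it, i.e. members the server never muted.
function findUnexpectedWriters(room, members) {
  if (!room.ro) return []; // a writable room has no mute requirement
  const muted = new Set(room.muted || []);
  return members
    .filter((m) => !muted.has(m.username))
    .filter((m) => !(m.roles || []).some((r) => WRITE_ROLES.has(r)))
    .map((m) => m.username)
    .sort();
}

// Audit several rooms; keep only rooms with at least one finding.
function auditRooms(rooms, membersByRoom) {
  const report = {};
  for (const room of rooms) {
    const writers = findUnexpectedWriters(room, membersByRoom[room.name] || []);
    if (writers.length > 0) report[room.name] = writers;
  }
  return report;
}

// Constructed sample: alice was added through the web GUI and muted; bob and
// carol were bulk-added and never muted; dave is the channel owner.
const sampleRooms = [
  { name: 'announcements', ro: true, muted: ['alice'] },
  { name: 'general', ro: false, muted: [] },
];
const sampleMembers = {
  announcements: [
    { username: 'alice', roles: [] },
    { username: 'bob', roles: [] },
    { username: 'carol' },
    { username: 'dave', roles: ['owner'] },
  ],
  general: [{ username: 'bob', roles: [] }],
};

console.log(auditRooms(sampleRooms, sampleMembers));
```

Running the same check after applying the workaround should return an empty report for the affected room.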

Labels: area: backend (Touches the code on backend side)
