Right now outgoing webhooks are unavailable in private channels. Quoting @it33:
it was done for privacy concerns--if you have a public channel, the expectation is that you're okay with anyone reading its contents, so public webhooks are okay.
If you have a private channel, your expectation as a user is that you decide who reads it. If someone adds an outgoing webhook, then someone you didn't add to the private group can read its contents--which seems "unobvious" and so we didn't offer outgoing webhooks in private groups. Bots appear as users within private groups, so the user is aware they're listening, so that is okay.
Now a user may run a bot using her own account, so that the other participants wouldn't be able to tell if a bot is present. One could imagine preventing API access to a private channel, but even this won't prevent old-fashioned copy-paste.
I propose to re-enable outgoing webhooks from private channels for the users that are present in the channel.
As a bonus proposal, I suggest matching the formats of incoming and outgoing webhooks more closely. For some reason an outgoing webhook expects a JSON entry `username`, while the outgoing webhook provides `user_name`. Making these two formats identical would go a long way towards Mattermost federation. Likewise adding an `icon_url` entry to the outgoing webhook.