What is the min permissions needed for slack app that listens to all messages and can edit message

Question

The app is fairly simple, its listens to all messages and if a keyword is present in message it adds an attachment to that message. I would like this to work in all areas (groups, channels, dm, threads etc..)

I am using slacks event callback system to have all messages set to endpoint.

I am listening to these events

message.channels
message.groups
message.im
message.mpim

And the permission scopes I have configured are

chat:write:user
channels:history
groups:history
im:history
mpim:history
commands

However Slack have rejected the app

Thanks for resubmitting! However after taking a look it appears that for your app to function it requires access to the entire message history of the authorising user (the *:history scopes). In addition to this, for the app to work best it would require all users in a workspace to authorise, potentially giving your app access to the entire message history for a workspace. After reviewing the functionality of your app we have come to the conclusion that your app does not provide the requisite functionality to justify this level of access.

Slack did suggest I use a bot user but I would ideally like to avoid this if possible.

Am I able to achieve the ability to read and edit message without the above permissions/scopes?

Answer 1

I am guessing you want to use chat.update to add attachments to existing messages. The problem is that this method only works for messages posted by yourself. So if you post a message with the bot user of your app you can use that method to change the message later - similar to how you can change your own messages on Slack after posting.

From the official documentation:

Only messages posted by the authenticated user are able to be updated using this method. This includes regular chat messages, as well as messages containing the me_message subtype. Bot users may also update the messages they post.

In order to change messages from other users every user on a workspace need to grant your app the permission to act on his/her behalf. In practice this means that every user of a workspace will need to install your app once - thus granting the app a user token, which it can then use with chat.update.

In addition the edit feature needs to be activated for that workspace by admins.

This is the only way. There is no global permission that would give you app full access. Due to Slack's strict security architecture there are no global admin permissions, so not even the owner of a workspace can edit messages from others.

Btw. you also can also not see private channels and direct message channels from other users, so your app would not receive messages from those channels unless it has been authenticated by all users.

From a security perspective I can understand why the Slack team had issues with your app. Also I doubt many workspace admins would allow your app to be installed due to security concerns.