Can you assign me?

@hmhealey I was trying to reproduce this bug accordingly to your description and for me it shows a different error message. I added a screenshot of the message at the bottom. Honestly, for me it looks quite friendly. What do you think?

Can you also tell me what version of Mattermost are you using here? I'm using Mattermost Team Edition with the latest master branch.

I also saw the "This URL is taken" error message when I just tested on my admin account, but I see the incorrect error message on my other account, so there's something else going on here. It seems like either there's something here caused by incorrect permissions or perhaps it has to do with being on that other team.

Hopefully that gives you something to work off of, but let me know if neither of those end up being the issue, and I can take another look.

Also, if it still matters, I'm on the latest master branch as well

@hmhealey thanks for a hint about permissions. I found a way to recreate this behavior.

Here are the steps to reproduce the bug:

1. Create User No. 1.
2. Create a team with the URL “/lorem” using that user, but do not invite anyone.
3. Create User No. 2.
4. As User No. 2, attempt to create a new team with the same URL “/lorem.”
5. An error message stating “Must call update for existing team” will be displayed.

Now I'm trying to fix the issue.

@hmhealey I believe I've identified the code responsible for this issue. The team.go file contains a teamExists function that checks if the name of a new team is available or already taken, but I'm puzzled by its logic. Not only does it verify the team name, but it also checks if the current user has access to that team if it exists. If the user lacks access, the function returns false, implying the team doesn't exist. Shouldn't it return true instead?

I'm curious about this because the teamExists function is invoked during team creation and it's causing this issue.

Here is the link to this function:

Looking back further, that permission check goes back to #12130 which is to fix a minor security issue where guest users could figure out if a team exists using that endpoint when they shouldn't have been able to. Unfortunately, that makes it so that the teamExists API is kind of useless for what it's supposed to do.

Since I don't think we can change the API to make that more helpful, I guess the next best thing would be to detect the "must call update" error in the frontend and show a nicer error message to the end user. There's an error ID that you could use for that.

How does that sound?

Also, CC @jespino in case he has any ideas for how to make that API more useful again for non-admin, non-guest users

@hmhealey Sure. The error on the frontend side comes from this line of code where we are calling the endpoint to create a team:

I'm just not sure what should be the error message here. Wouldn't A team with that URL already exists also cause the same security issue? Maybe it should be something more general like You cannot use this URL?

That's a good point. I guess the difference here is that the createTeam endpoint requires stricter permissions than teamExists, and guests shouldn't have that permission so they'd get a "permission denied" before they could find if a team with that URL exists.

Because of that, I think it's fine to still use "A team with this URL already exists" in this case