Area: Messaging & chat (audit p4) · Surface: POST /rooms/{slug}/messages (ChatRoomController@sendMessage) + rooms/show.php composer · Dimension: competitor-gap · Severity: major
Discord, Slack, Circle, and Mighty Networks all treat image/file drop-in as a baseline chat feature — screenshots, PDFs, and photos are the most common chat payloads after text. Our community chat (mobieusChat, the all-tiers default per project memory) can post a Giphy GIF but cannot attach a screenshot or document, which makes it feel like a toy next to the DM surface that already has full upload, drag-drop, preview, and progress UI. The DM upload pipeline is directly reusable.
Evidence
ChatRoomController::sendMessage (src/Controllers/ChatRoomController.php:161-256) only reads `$_POST['body']` and `reply_to_id` — no `$_FILES` handling at all. The composer in templates/rooms/show.php:213-237 has a GIF button (#mc-gif-btn), an emoji button (#mc-emoji-btn), and send — but no attach/file input (grep for 'attach|upload|file' in show.php returns only the unrelated profile-effects.js script tag). By contrast DMs fully support attachments (MessageController::sendMessage:630-698, 100MB, finfo MIME, ClamAV-adjacent blocking).
Suggested fix
Add a file input + drag-drop to the chat composer and extend ChatRoomController::sendMessage to accept attachments using the same BLOCKED_EXTENSIONS / finfo MIME / size-cap pipeline already in MessageController, storing under public/uploads/ per the uploads-under-public rule, and render image/file bubbles in _message.php + the SSE payload.
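A sketch of the checks the room endpoint would need before anything is written under public/uploads/, added here as an illustration and not taken from MessageController or any project code. The function name, the EXAMPLE_* constants, the blocklist contents and the MIME allow-list are assumptions; only the 100MB cap, the use of finfo and the idea of an extension blocklist come from this finding.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the project's code. The values below are constructed
// for illustration; the real BLOCKED_EXTENSIONS list lives in MessageController
// and is not shown in this finding.
const EXAMPLE_BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'html', 'htm', 'svg', 'js', 'exe', 'sh'];
const EXAMPLE_MAX_BYTES = 100 * 1024 * 1024; // 100MB, the DM cap cited in the evidence
const EXAMPLE_ALLOWED_MIME = [               // assumed allow-list; stored extension comes from here
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'image/gif'       => 'gif',
    'image/webp'      => 'webp',
    'application/pdf' => 'pdf',
];

// Validate one $_FILES entry; throws RuntimeException when it must be rejected.
function validateRoomAttachment(array $file, string $uploadDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real HTTP upload');
    }
    // Apply the cap to the bytes actually written to the temp file.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > EXAMPLE_MAX_BYTES) {
        throw new RuntimeException('File is empty or exceeds the size cap');
    }
    // Check every dot-separated segment so "report.php.png" is caught as well.
    $segments = array_slice(explode('.', strtolower(basename($file['name']))), 1);
    if (array_intersect($segments, EXAMPLE_BLOCKED_EXTENSIONS) !== []) {
        throw new RuntimeException('Blocked extension');
    }
    // Sniff the type from the file contents; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(EXAMPLE_ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Unsupported content type');
    }
    // Server-chosen random name: nothing client-supplied reaches a path under public/.
    $stored = bin2hex(random_bytes(16)) . '.' . EXAMPLE_ALLOWED_MIME[$mime];
    return [
        'path'          => rtrim($uploadDir, '/') . '/' . $stored,
        'mime'          => $mime,
        'size'          => $size,
        'original_name' => basename($file['name']), // display only; HTML-escape when rendering
    ];
}
```

The caller would pass the returned `path` to `move_uploaded_file()` and put only `mime`, `size` and the escaped `original_name` into the message row and SSE payload.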
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus