From f84f1022e1d052b1837dcc50ff2a9d934d356665 Mon Sep 17 00:00:00 2001
From: Matthias Fischmann <mf@zerobuzz.net>
Date: Tue, 26 May 2026 16:39:09 +0200
Subject: [PATCH 1/3] Changelog.

---
 ...ve-members-to-_-from-team-if-they-are-are-conversation-admins | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/3-bug-fixes/WPB-25521-allow-collaborators-to-add-_-remove-members-to-_-from-team-if-they-are-are-conversation-admins

diff --git a/changelog.d/3-bug-fixes/WPB-25521-allow-collaborators-to-add-_-remove-members-to-_-from-team-if-they-are-are-conversation-admins b/changelog.d/3-bug-fixes/WPB-25521-allow-collaborators-to-add-_-remove-members-to-_-from-team-if-they-are-are-conversation-admins
new file mode 100644
index 0000000000..6e458eb3fd
--- /dev/null
+++ b/changelog.d/3-bug-fixes/WPB-25521-allow-collaborators-to-add-_-remove-members-to-_-from-team-if-they-are-are-conversation-admins
@@ -0,0 +1 @@
+Allow collaborators to add / remove members to / from team if they are are conversation admins.

From f148b7d22db145ce3ee98265a9e00cdf7fe0e7e9 Mon Sep 17 00:00:00 2001
From: Matthias Fischmann <mf@zerobuzz.net>
Date: Tue, 26 May 2026 16:49:41 +0200
Subject: [PATCH 2/3] Add openapi3 docs for collaborator permissions.

---
 .../src/Wire/API/Team/Collaborator.hs         | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/libs/wire-api/src/Wire/API/Team/Collaborator.hs b/libs/wire-api/src/Wire/API/Team/Collaborator.hs
index d256ce9247..3210d4158d 100644
--- a/libs/wire-api/src/Wire/API/Team/Collaborator.hs
+++ b/libs/wire-api/src/Wire/API/Team/Collaborator.hs
@@ -19,6 +19,7 @@
 
 module Wire.API.Team.Collaborator where
 
+import Control.Lens qualified as L
 import Data.Aeson qualified as A
 import Data.Id
 import Data.OpenApi qualified as S
@@ -33,11 +34,23 @@ data CollaboratorPermission = CreateTeamConversation | ImplicitConnection
 
 instance ToSchema CollaboratorPermission where
   schema =
-    enum @Text $
-      mconcat
-        [ element "create_team_conversation" CreateTeamConversation,
-          element "implicit_connection" ImplicitConnection
-        ]
+    (doc . description L.?~ descr) $
+      enum @Text $
+        mconcat
+          [ element "create_team_conversation" CreateTeamConversation,
+            element "implicit_connection" ImplicitConnection
+          ]
+    where
+      descr =
+        "<p>Permission granted to a team collaborator.</p>\
+        \<ul><li>`create_team_conversation`: equivalent to the `CreateConversation` and \
+        \`AddRemoveConvMember` permissions for team members (both implied in the `member` \
+        \role); allows creating team group conversations and adding members to them.</li>\n\
+        \<li>`implicit_connection`: team members are implicitly connected to each \
+        \other, allowing conversations (1:1 or group) without an explicit connection \
+        \request. This permission grants the same to a collaborator.</li></ul>\n\
+        \<p>NB: a member of team A can always open conversations with a collaborator of \
+        \team A; the permission only controls the collaborator's abilities.</p>"
 
 data TeamCollaboratorsError
   = InsufficientRights

From e3297b1ff5d496da3d82c9465bcafab05f5279a5 Mon Sep 17 00:00:00 2001
From: Matthias Fischmann <mf@zerobuzz.net>
Date: Wed, 27 May 2026 13:25:18 +0200
Subject: [PATCH 3/3] [drive-by fix] Allow regular team members to list
 collaborators.

Without this change, nobody could invite apps from other teams into
conversations except team admins.
---
 libs/wire-api/src/Wire/API/Team/Member.hs                     | 2 ++
 .../src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs        | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libs/wire-api/src/Wire/API/Team/Member.hs b/libs/wire-api/src/Wire/API/Team/Member.hs
index 7a0b09dbe0..61f3282755 100644
--- a/libs/wire-api/src/Wire/API/Team/Member.hs
+++ b/libs/wire-api/src/Wire/API/Team/Member.hs
@@ -492,6 +492,7 @@ data HiddenPerm
   | ChangeTeamMemberProfiles
   | SearchContacts
   | NewTeamCollaborator
+  | GetTeamCollaborators
   | JoinRegularConversations
   | CreateApp
   | ManageApps
@@ -597,6 +598,7 @@ roleHiddenPermissions role = HiddenPermissions p p
       (roleHiddenPerms RoleExternalPartner <>) $
         Set.fromList
           [ ViewSameTeamEmails,
+            GetTeamCollaborators,
             SearchContacts
           ]
     roleHiddenPerms RoleExternalPartner =
diff --git a/libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs b/libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs
index 7af4b25c9a..30a970706e 100644
--- a/libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs
+++ b/libs/wire-subsystems/src/Wire/TeamCollaboratorsSubsystem/Interpreter.hs
@@ -82,7 +82,7 @@ createTeamCollaboratorImpl ::
   Set CollaboratorPermission ->
   Sem r ()
 createTeamCollaboratorImpl zUser user team perms = do
-  guardPermission (tUnqualified zUser) team TeamMember.NewTeamCollaborator InsufficientRights
+  guardPermission (tUnqualified zUser) team TeamMember.GetTeamCollaborators InsufficientRights
   Store.createTeamCollaborator user team perms
 
   -- TODO: Review the event's values
@@ -97,7 +97,7 @@ getAllTeamCollaboratorsImpl ::
   TeamId ->
   Sem r [TeamCollaborator]
 getAllTeamCollaboratorsImpl zUser team = do
-  guardPermission (tUnqualified zUser) team TeamMember.NewTeamCollaborator InsufficientRights
+  guardPermission (tUnqualified zUser) team TeamMember.GetTeamCollaborators InsufficientRights
   Store.getAllTeamCollaborators team
 
 internalGetTeamCollaboratorsWithIdsImpl ::