feat: restrict @all and @here autocomplete by user permissions #40262
ishanmitra wants to merge 1 commit into RocketChat:develop from
Conversation
- Adds unit tests covering all permission combinations.
Looks like this PR is not ready to merge, because of the following issues:
Please fix the issues and try again. If you have any trouble, please check the PR guidelines.
Walkthrough
A test suite and implementation changes that add permission-based filtering for mention autocomplete in the composer, gating the special
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx`:
- Around line 12-17: The permission mock for hasAtLeastOnePermission ignores the
scope/rid so tests don't verify scoped checks; update the mocked function in
ComposerPopupProvider.spec.tsx (the jest.mock that defines
hasAtLeastOnePermission and uses mockGrantedPermissions) to accept the second
argument (scope) and validate that the granted entry includes the room id—either
by asserting scope === expectedRid when called or by encoding grants with a
composite key (e.g., `${scope}:${permission}`) and checking
mockGrantedPermissions for that composite, so the mock enforces room-scoped
permission checks used by ComposerPopupProvider.
📒 Files selected for processing (2)
- apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
- apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
- apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
- apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
🧠 Learnings (18)
📓 Common learnings
Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.
📚 Learning: 2025-11-04T16:49:19.107Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
📚 Learning: 2026-03-11T22:04:20.529Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
📚 Learning: 2026-04-17T17:38:15.994Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39858
File: packages/ui-kit/src/interactions/UserInteraction.ts:33-33
Timestamp: 2026-04-17T17:38:15.994Z
Learning: In RocketChat/Rocket.Chat (`packages/ui-kit/src/interactions/UserInteraction.ts`), `ViewSubmitUserInteraction` and `ViewClosedUserInteraction` intentionally do NOT include `rid` when the interaction originates from a **modal** surface. Modals are not scoped to a room, so no room id is available in that context. The `rid?: string` field is optional to support the contextual bar surface (where room context exists) while remaining absent for modals. Do not flag the absence of `rid` in modal viewSubmit/viewClosed interactions as a missing-context bug.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
📚 Learning: 2026-03-09T18:39:21.178Z
Learnt from: Harxhit
Repo: RocketChat/Rocket.Chat PR: 39476
File: apps/meteor/server/methods/addAllUserToRoom.ts:0-0
Timestamp: 2026-03-09T18:39:21.178Z
Learning: In apps/meteor/server/methods/addAllUserToRoom.ts, the implementation uses a single cursor pass (Users.find(userFilter).batchSize(100)) that collects both the full user objects (collectedUsers: IUser[]) and their usernames (usernames: string[]) in one iteration. `beforeAddUserToRoom` is then called once with the full usernames batch (preserving batch-validation semantics), and the subsequent subscription/message processing loop iterates over the same stable `collectedUsers` array — no second DB query is made. This avoids any race condition between validation and processing while preserving the original batch-validation behavior.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
📚 Learning: 2026-03-27T14:52:56.865Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.
Applied to files:
- apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx
- apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-12-10T21:00:54.909Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2026-04-17T18:33:27.211Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39858
File: apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts:123-151
Timestamp: 2026-04-17T18:33:27.211Z
Learning: In RocketChat/Rocket.Chat (`apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts`), `executeBlockActionHandler` invocations originating from a **modal** surface intentionally do NOT include a `block_action_room` (room property) in the interaction payload. Modals are not scoped to a room, so no room id is available in that context. Do not flag the absence of a room assertion in the modal block-action test as a missing coverage bug; instead, document it explicitly with a `test.step` asserting the room entry is `undefined`.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2026-02-24T19:36:55.089Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/page-objects/fragments/home-content.ts:60-82
Timestamp: 2026-02-24T19:36:55.089Z
Learning: In RocketChat/Rocket.Chat e2e tests (apps/meteor/tests/e2e/page-objects/fragments/home-content.ts), thread message preview listitems do not have aria-roledescription="message", so lastThreadMessagePreview locator cannot be scoped to messageListItems (which filters for aria-roledescription="message"). It should remain scoped to page.getByRole('listitem') or mainMessageList.getByRole('listitem').
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Prefer web-first assertions (`toBeVisible`, `toHaveText`, etc.) in Playwright tests
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure clean state for each test execution in Playwright tests
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : All test files must be created in `apps/meteor/tests/e2e/` directory
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2026-04-13T00:56:24.562Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40078
File: apps/meteor/tests/e2e/utils/getPermissionRoles.ts:4-6
Timestamp: 2026-04-13T00:56:24.562Z
Learning: In RocketChat/Rocket.Chat, the `getPermissionRoles` utility in `apps/meteor/tests/e2e/utils/getPermissionRoles.ts` intentionally returns an empty array (`[]`) when a permission is not found or has no roles, rather than throwing. This is by design: the helper is a general-purpose utility and individual tests are responsible for handling the empty-array case as appropriate for their scenario.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
📚 Learning: 2026-03-06T18:10:15.268Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.
Applied to files:
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx
🔇 Additional comments (2)
apps/meteor/client/views/room/providers/ComposerPopupProvider.tsx (1)
97-130: Permission-gated special mentions look good.
`@all` and `@here` are now added only when their specific permission is granted for `rid`, while preserving the existing filter matching.
apps/meteor/client/views/room/providers/ComposerPopupProvider.spec.tsx (1)
74-101: Good coverage of the permission combinations. The four cases clearly cover neither, each individual permission, and both permissions for the special mention entries.
```ts
jest.mock('../../../../app/authorization/client', () => ({
	hasAtLeastOnePermission: (permissions: string[] | string) => {
		const permissionList = Array.isArray(permissions) ? permissions : [permissions];

		return permissionList.some((permission) => mockGrantedPermissions.has(permission));
	},
```
Make the permission mock enforce the room scope.
The mock ignores scope, so these tests would still pass if ComposerPopupProvider accidentally called hasAtLeastOnePermission('mention-all') without rid. Encode the room id into the mocked grant, or assert the second argument, so the test protects the scoped permission behavior.
🧪 Proposed test hardening
const mockGrantedPermissions = new Set<string>();
jest.mock('../../../../app/authorization/client', () => ({
- hasAtLeastOnePermission: (permissions: string[] | string) => {
+ hasAtLeastOnePermission: (permissions: string[] | string, scope?: string) => {
const permissionList = Array.isArray(permissions) ? permissions : [permissions];
- return permissionList.some((permission) => mockGrantedPermissions.has(permission));
+ return permissionList.some((permission) => mockGrantedPermissions.has(`${scope}:${permission}`));
},
}));
const renderProvider = async (permissions: string[] = []) => {
- mockGrantedPermissions.clear();
- permissions.forEach((permission) => mockGrantedPermissions.add(permission));
-
- const room = createFakeRoom({ t: 'c' });
- const appRoot = permissions.reduce((wrapper, permission) => wrapper.withPermission(permission), mockAppRoot().withJohnDoe()).build();
+ const room = createFakeRoom({ _id: 'permission-scoped-room', t: 'c' });
+
+ mockGrantedPermissions.clear();
+ permissions.forEach((permission) => mockGrantedPermissions.add(`${room._id}:${permission}`));
+
+ const appRoot = mockAppRoot().withJohnDoe().build();
apps/meteor/app/authorization/client/hasPermission.ts:72-73 exposes scope as the second argument, and lines 41-64 pass it into validation.
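Review bot: in the first hunk, a call that omits the room id still builds the lookup key `undefined:mention-all` and only fails because nothing is ever stored under that string; make the rejection explicit (return false when `scope` is undefined before consulting `mockGrantedPermissions`), so that a later test which registers a grant without a room prefix cannot quietly re-open the unscoped path this hardening is meant to catch.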
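Review bot: the second hunk drops `permissions.reduce((wrapper, permission) => wrapper.withPermission(permission), ...)` from `mockAppRoot()`, so granted permissions now exist only inside the jest mock; if ComposerPopupProvider or any child it renders reads permissions through the app root rather than the mocked `hasAtLeastOnePermission`, those paths now see no grants and the four permission cases would be exercising the mock alone. Either confirm the mocked module is the only permission source on this render path, or keep `withPermission(permission)` on the app root alongside the `${room._id}:${permission}` grant.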
Also applies to: 40-45
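A stand-alone sketch of the two points above, the room-scoped gating of the special entries and a test double whose grants carry the room id so an unscoped check cannot pass; this is an added example, not Rocket.Chat's code, and the helper names, the `MentionEntry` shape and the `${scope}:${permission}` key format are assumptions.

```typescript
// Added example, not Rocket.Chat's code: the special @all/@here entries are offered only
// when the matching permission is held in *this* room, and the checker's grants carry
// the room id so a check that forgets `rid` can never succeed. Names are hypothetical.

type MentionEntry = { _id: string; username: string; special?: boolean };

// Same argument order the review describes for hasAtLeastOnePermission: permissions, then scope.
export type PermissionChecker = (permissions: string[], scope?: string) => boolean;

// Grants are keyed `${scope}:${permission}` (assumed shape, as in the proposed test hardening).
// A call without a scope is rejected outright instead of silently looking up "undefined:...".
export const makeScopedChecker = (grants: Iterable<string>): PermissionChecker => {
  const granted = new Set(grants);
  return (permissions, scope) =>
    scope !== undefined && permissions.some((p) => granted.has(`${scope}:${p}`));
};

// Builds the autocomplete list: ordinary user matches pass through; the special
// entries are appended only when their permission is granted for `rid`.
export const buildMentionSuggestions = (
  users: MentionEntry[],
  filter: string,
  rid: string,
  hasAtLeastOnePermission: PermissionChecker,
): MentionEntry[] => {
  const matches = (name: string) => name.toLowerCase().startsWith(filter.toLowerCase());
  const special: MentionEntry[] = [];
  if (matches('all') && hasAtLeastOnePermission(['mention-all'], rid)) {
    special.push({ _id: 'all', username: 'all', special: true });
  }
  if (matches('here') && hasAtLeastOnePermission(['mention-here'], rid)) {
    special.push({ _id: 'here', username: 'here', special: true });
  }
  return [...users.filter((u) => matches(u.username)), ...special];
};

// Constructed sample data: two users, one room, and mention-all granted only in that room.
export const sampleUsers: MentionEntry[] = [
  { _id: 'u1', username: 'alice' },
  { _id: 'u2', username: 'albert' },
];
export const roomId = 'room-1';
export const checker = makeScopedChecker([`${roomId}:mention-all`]);

// Usernames suggested for a filter in a room, so each permission combination can be checked.
export const suggestedNames = (filter: string, rid: string): string[] =>
  buildMentionSuggestions(sampleUsers, filter, rid, checker).map((e) => e.username);
```

This gates only what the composer suggests; the server-side handling of @all and @here on send still has to apply the same room-scoped permissions.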
Proposed changes
The Compose mentions list currently shows @all and @here regardless of the user's permissions, whether they are allowed to or not. This change introduces only showing the allowed tags.
Issue(s)
This feature request has been implemented in React Native based on this feature request:
RocketChat/feature-requests#871
Reference to the merged PR in the React Native Rocket Chat repository:
RocketChat/Rocket.Chat.ReactNative#6821
Screenshots
mention-all permission
mention-here permission
Further comments
Unit tests have been added for the above feature.
Summary by CodeRabbit