fix: Prevent invite when license/setting is disabled and room is abac managed (#37756)

KevLehman · web-flow · commit cdc3da5839e4 · 2025-12-10T08:02:17.000-06:00
diff --git a/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts b/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
@@ -8,15 +8,15 @@ beforeAddUserToRoom.patch(async (prev, users, room, actor) => {
 	await prev(users, room, actor);
 
 	const validUsers = users.filter(Boolean);
-	if (
-		!room?.abacAttributes?.length ||
-		!validUsers.length ||
-		!License.hasModule('abac') ||
-		room.t !== 'p' ||
-		!settings.get('ABAC_Enabled')
-	) {
+	// No need to check ABAC when theres no users or when room is not private or when room is not ABAC managed
+	if (!validUsers.length || room.t !== 'p' || !room?.abacAttributes?.length) {
 		return;
 	}
 
+	// Throw error (prevent add) if ABAC is disabled (setting, license) but room is ABAC managed
+	if (!settings.get('ABAC_Enabled') || !License.hasModule('abac')) {
+		throw new Error('error-room-is-abac-managed');
+	}
+
 	await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes);
 });
diff --git a/apps/meteor/tests/end-to-end/api/abac.ts b/apps/meteor/tests/end-to-end/api/abac.ts
@@ -1550,7 +1550,6 @@ const addAbacAttributesToUserDirectly = async (userId: string, abacAttributes: I
 		it('INVITE: after room loses attributes user without attributes can be invited', async () => {
 			await request.delete(`${v1}/abac/rooms/${roomWithAttr._id}/attributes/${accessAttrKey}`).set(credentials).expect(200);
 
-			// Try inviting again - should now succeed
 			await request
 				.post(`${v1}/groups.invite`)
 				.set(credentials)
@@ -1560,6 +1559,82 @@ const addAbacAttributesToUserDirectly = async (userId: string, abacAttributes: I
 					expect(res.body).to.have.property('success', true);
 				});
 		});
+
+		describe('ABAC disabled with ABAC-managed room', () => {
+			let enabledAccessAttrKey: string;
+			let enabledUser: IUser;
+			let managedRoom: IRoom;
+
+			before(async () => {
+				enabledAccessAttrKey = `${accessAttrKey}_disabled_case`;
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: enabledAccessAttrKey, values: ['v1'] })
+					.expect(200);
+
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: enabledAccessAttrKey, values: ['v1'] }]);
+
+				managedRoom = (await createRoom({ type: 'p', name: `abac-access-disabled-${Date.now()}` })).body.group;
+
+				await request
+					.post(`${v1}/abac/rooms/${managedRoom._id}/attributes/${enabledAccessAttrKey}`)
+					.set(credentials)
+					.send({ values: ['v1'] })
+					.expect(200);
+
+				const username = `abac-enabled-user-${Date.now()}`;
+				const createUserRes = await request
+					.post(`${v1}/users.create`)
+					.set(credentials)
+					.send({
+						email: `${username}@example.com`,
+						name: username,
+						username,
+						password: 'pass@123',
+					})
+					.expect(200);
+
+				enabledUser = createUserRes.body.user;
+				await addAbacAttributesToUserDirectly(enabledUser._id, [{ key: enabledAccessAttrKey, values: ['v1'] }]);
+
+				await updateSetting('ABAC_Enabled', false);
+			});
+
+			after(async () => {
+				await updateSetting('ABAC_Enabled', true);
+
+				await deleteRoom({ type: 'p', roomId: managedRoom._id });
+				await deleteUser(enabledUser);
+			});
+
+			it('INVITE: should fail adding user to ABAC-managed private room when ABAC is disabled', async () => {
+				await request
+					.post(`${v1}/groups.invite`)
+					.set(credentials)
+					.send({ roomId: managedRoom._id, usernames: [enabledUser.username] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-room-is-abac-managed');
+					});
+			});
+
+			it('INVITE: should still fail after user loses attributes when ABAC is disabled', async () => {
+				await addAbacAttributesToUserDirectly(enabledUser._id, [{ key: enabledAccessAttrKey, values: [] }]);
+
+				await request
+					.post(`${v1}/groups.invite`)
+					.set(credentials)
+					.send({ roomId: managedRoom._id, usernames: [enabledUser.username] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-room-is-abac-managed');
+					});
+			});
+		});
 	});
 
 	describe('Room access (after subscribed)', () => {
