refactor: More polish

[KevLehman]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

Release Notes

• Refactor

  • Improved internal access control validation logic with clearer helper functions.
  • Enhanced user removal from spaces with consistent audit logging and error handling.

• Tests

  • Added validation tests for attribute definitions.
  • Updated test assertions for consistency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: b3b0adb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The changes refactor ABAC (Attribute-Based Access Control) management across multiple modules by introducing helper predicates to detect ABAC-managed rooms and teams, centralizing user removal logic with consistent audit logging, and adding a new function to validate attribute definitions. Existing control flow is preserved while reducing code duplication.

Changes

Cohort / File(s)	Summary
Room settings validators apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts	Imported ITeam type and added two new helper predicates—isAbacManagedRoom() and isAbacManagedTeam()—to encapsulate ABAC management checks; refactored default, roomType, and team-specific ABAC conditionals to use these helpers instead of inline checks.
ABAC service infrastructure ee/packages/abac/src/index.ts	Added two private helper methods—removeUserFromRoom() and removeUserFromRoomList()—to centralize user removal with consistent audit logging and error handling; refactored multiple code paths (canAccessObject, onRoomAttributesChanged, onSubjectAttributesChanged) to use these helpers with typed reason parameters.
ABAC helpers and tests ee/packages/abac/src/helper.spec.ts	Added new public function ensureAttributeDefinitionsExist with async validation; migrated test assertions from Chai (deep.equal, to.be.undefined) to Jest matchers (toEqual, toBeUndefined) across multiple test suites; added new test describe block covering empty input, missing definitions, and invalid values.
Test mocks and comments ee/packages/abac/src/can-access-object.spec.ts, ee/packages/abac/src/service.spec.ts	Updated mockRoomRemoveUserFromRoom to jest.fn().mockResolvedValue(undefined) for async alignment; added clarifying inline comments in service tests regarding noop addSubjectAttributes calls.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

• saveRoomSettings.ts: Verify helper predicates correctly encapsulate ABAC conditions and are applied consistently across all validators.
• helper.spec.ts: Confirm ensureAttributeDefinitionsExist implementation in the source file matches the new test expectations; review Jest migration to ensure no assertion logic was lost.
• index.ts: Check that new removeUserFromRoom/removeUserFromRoomList helpers handle all error cases consistently and that audit logging is correct across all call sites; verify reason parameter propagation.
• Test mocking: Ensure mockResolvedValue(undefined) aligns with actual async behavior in the code being tested.

Possibly related PRs

• RocketChat/Rocket.Chat#37303: Modifies the same saveRoomSettings.ts file to implement ABAC-managed room/team checks for room type validations.
• RocketChat/Rocket.Chat#37506: Modifies ABAC room-user enforcement and introduces room non-compliance condition logic related to user removal.
• RocketChat/Rocket.Chat#37655: Updates ee/packages/abac/src/index.ts to change room-related ABAC handling including room projections and audit payloads.

Suggested reviewers

• tassoevan
• MartinSchoeler
• ggazzo

Poem

🐰 Helper functions hop into place,
Audit logs trace their steady pace,
ABAC checks now shine so bright,
Predicates extracted just right,
Refactored with care—a bundled delight! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'refactor: More polish' is vague and non-descriptive, using generic language that does not convey meaningful information about the changeset.	Replace with a specific title that describes the main refactoring focus, such as 'refactor: Centralize ABAC policy checks and user removal logic' to clearly communicate the primary changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor/review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.2GiB	1.2GiB	+12MiB
rocketchat	360MiB	349MiB	+12MiB
omnichannel-transcript-service	132MiB	132MiB	+13KiB
queue-worker-service	132MiB	132MiB	+12KiB
ddp-streamer-service	126MiB	126MiB	+9.7KiB
account-service	113MiB	113MiB	+9.6KiB
authorization-service	111MiB	111MiB	+70KiB
stream-hub-service	111MiB	111MiB	+9.3KiB
presence-service	111MiB	111MiB	+8.6KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 16:35", "12/10 18:45 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Loading

Statistics (last 17 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.2GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-37736
• Baseline: develop
• Timestamp: 2025-12-10 18:45:49 UTC
• Historical data points: 17

---

Updated: Wed, 10 Dec 2025 18:45:49 GMT

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.28%. Comparing base (b3fd9fb) to head (b3b0adb).
⚠️ Report is 1 commits behind head on feat/abac.

Additional details and impacted files

@@              Coverage Diff              @@
##           feat/abac   #37736      +/-   ##
=============================================
- Coverage      54.50%   54.28%   -0.22%     
=============================================
  Files           2633     2633              
  Lines          50105    50105              
  Branches       11224    11224              
=============================================
- Hits           27308    27198     -110     
- Misses         20607    20732     +125     
+ Partials        2190     2175      -15     

Flag	Coverage Δ
e2e	57.25% <ø> (-0.01%)	⬇️
e2e-api	43.71% <ø> (-0.98%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[KevLehman]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ee/packages/abac/src/helper.spec.ts (1)

264-279: Import and use the exported buildNonCompliantConditions function instead of defining a local copy.

The function buildNonCompliantConditions is exported from helper.ts (line 179), but the test defines a local implementation instead of importing it. This creates divergence risk and means the test doesn't verify the actual implementation. Remove the local function definition and import the real function from the helper module.

🧹 Nitpick comments (4)

ee/packages/abac/src/index.ts (1)

620-634: Excellent refactoring—centralizes user removal with consistent auditing and error handling.

This helper consolidates the user removal logic that was previously duplicated across multiple code paths, ensuring:

• Consistent removal options (skipAppPreEvents, customSystemMessage)
• Uniform audit logging with contextual reasons
• Graceful error handling that logs failures without blocking other operations

ee/packages/abac/src/helper.spec.ts (3)

70-78: Remove duplicate test case.

This test is identical to the one at lines 44-51, testing the same scenario with the same inputs and expected outcome.

Apply this diff to remove the duplicate:

-	it('throws when a key exceeds the maximum number of unique values (bucket size limit)', () => {
-		const values = Array.from({ length: MAX_ABAC_ATTRIBUTE_VALUES + 1 }, (_, i) => `value-${i}`);
-
-		expect(() =>
-			validateAndNormalizeAttributes({
-				role: values,
-			}),
-		).toThrow('error-invalid-attribute-values');
-	});
-

---

80-86: Remove duplicate test case.

This test is identical to the one at lines 36-42, testing the same scenario with identical inputs and expected behavior.

Apply this diff to remove the duplicate:

-	it('throws when a key has only invalid/empty values after sanitization', () => {
-		expect(() =>
-			validateAndNormalizeAttributes({
-				role: ['   ', '\n', '\t'],
-			}),
-		).toThrow('error-invalid-attribute-values');
-	});

---

465-465: Consider removing inline comment.

Per coding guidelines, avoid code comments. The implementation detail about Set insertion order could be incorporated into the test description if needed.

Apply this diff:

-		// Order is preserved by insertion into the Set in implementation: ['Eng', 'Sales']
 		expect(result).toEqual({

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0326915 and b3b0adb.

📒 Files selected for processing (5)

• apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts (5 hunks)
• ee/packages/abac/src/can-access-object.spec.ts (1 hunks)
• ee/packages/abac/src/helper.spec.ts (26 hunks)
• ee/packages/abac/src/index.ts (6 hunks)
• ee/packages/abac/src/service.spec.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• ee/packages/abac/src/service.spec.ts
• ee/packages/abac/src/can-access-object.spec.ts
• apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• ee/packages/abac/src/helper.spec.ts
• ee/packages/abac/src/index.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• ee/packages/abac/src/helper.spec.ts

🧠 Learnings (9)

📓 Common learnings

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

• ee/packages/abac/src/helper.spec.ts

📚 Learning: 2025-11-27T17:56:26.050Z

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

• ee/packages/abac/src/helper.spec.ts
• ee/packages/abac/src/index.ts

📚 Learning: 2025-10-27T14:38:46.994Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

• ee/packages/abac/src/index.ts

📚 Learning: 2025-10-24T17:32:05.348Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

• ee/packages/abac/src/index.ts

📚 Learning: 2025-11-04T16:49:19.107Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

• ee/packages/abac/src/index.ts

📚 Learning: 2025-11-07T14:50:33.544Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37423
File: packages/i18n/src/locales/en.i18n.json:18-18
Timestamp: 2025-11-07T14:50:33.544Z
Learning: Rocket.Chat settings: in apps/meteor/ee/server/settings/abac.ts, the Abac_Cache_Decision_Time_Seconds setting uses invalidValue: 0 as the fallback when ABAC is unlicensed. With a valid license, admins can still set the value to 0 to intentionally disable the ABAC decision cache.

Applied to files:

• ee/packages/abac/src/index.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

• ee/packages/abac/src/index.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

• ee/packages/abac/src/index.ts

🧬 Code graph analysis (2)

ee/packages/abac/src/helper.spec.ts (1)

ee/packages/abac/src/helper.ts (7)

• MAX_ABAC_ATTRIBUTE_KEYS (13-13)
• validateAndNormalizeAttributes (93-143)
• MAX_ABAC_ATTRIBUTE_VALUES (14-14)
• ensureAttributeDefinitionsExist (153-177)
• diffAttributeSets (246-324)
• buildNonCompliantConditions (179-190)
• extractAttribute (16-47)

ee/packages/abac/src/index.ts (4)

packages/core-typings/src/IRoom.ts (1)

• IRoom (22-98)

packages/core-typings/src/IUser.ts (1)

• IUser (187-259)

packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (1)

• AbacAuditReason (6-6)

ee/packages/abac/src/audit.ts (1)

• Audit (29-142)

🔇 Additional comments (8)

ee/packages/abac/src/index.ts (3)

4-13: LGTM! Import changes support the new helper methods.

The addition of AbacAuditReason and FindCursor types is minimal and necessary for the new helper methods introduced in this refactoring.

Also applies to: 17-17

---

636-643: LGTM! Batch removal helper with proper rate limiting.

The removeUserFromRoomList method effectively handles bulk user removals with appropriate rate limiting to prevent server overload.

---

562-562: LGTM! Call sites correctly updated to use the new helpers.

All invocations use appropriate audit reasons ('realtime-policy-eval', 'room-attributes-change', 'ldap-sync') and apply rate limiting where needed. The type inference at line 649 aligns with concise TypeScript practices.

Also applies to: 603-603, 649-649, 662-662, 672-672

ee/packages/abac/src/helper.spec.ts (5)

8-20: LGTM! Mock setup is well-structured.

The Jest mock for AbacAttributes.find correctly simulates the MongoDB driver pattern with toArray() returning the mock function result, enabling proper async testing of ensureAttributeDefinitionsExist.

---

89-116: LGTM! Well-structured test coverage.

The new test suite properly covers key scenarios for ensureAttributeDefinitionsExist: no-op on empty input, missing definitions, and invalid values. The mock reset in afterEach prevents test pollution.

---

118-259: LGTM! Assertion migration is correct.

The conversion from Chai to Jest matchers (toEqual) is accurate, and the test suite comprehensively covers edge cases including empty sets, additions, removals, and order independence.

---

337-431: LGTM! Comprehensive test coverage.

The assertion updates to Jest toEqual are correct, and the tests thoroughly cover single keys, multiple keys, and edge cases like empty value arrays.

---

433-494: LGTM! Assertion migration is correct.

The conversion to Jest matchers (toEqual, toBeUndefined) is accurate, and the tests comprehensively cover edge cases including missing keys, undefined values, trimming, deduplication, and filtering.