@abhinavkrin abhinavkrin commented Apr 11, 2025

Proposed changes (including videos or screenshots)

This PR fixes a permission issue where incoming webhooks could send messages to public channels under private teams even when the webhook user was not a team member.

Issue(s)

Steps to test or reproduce

  1. Create a private team with a public channel inside it.
  2. Configure a webhook using a user that is not a member of the team.
  3. Try posting a message via webhook.

Further comments

CORE-1086
VLN-114


This pull request addresses a specific issue in the Rocket.Chat repository where incoming webhooks were improperly posting messages in public channels under private teams. The fix involves updating the @rocket.chat/meteor package to ensure that team membership checks are enforced for incoming webhooks. Additionally, the PR refactors the room joining logic in the getRoomByNameOrIdWithOptionToJoin function by replacing the local addUserToRoom function with the centralized Room.join method from @rocket.chat/core-services when the joinChannel option is enabled. This change aims to streamline the process and ensure consistency in how users are added to channel rooms.
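
The membership rule described above, as an added example that is not part of the pull request or of Rocket.Chat's code. It is a simplified in-memory model, and every type, function and sample identifier in it (`joinWithTeamCheck`, `postViaWebhook`, `hook-bot`, `team-private` and the rest) is hypothetical.

```typescript
// Simplified in-memory model; every name below is hypothetical, not Rocket.Chat's API.
type Team = { id: string; isPrivate: boolean; members: Set<string> };
type Room = { id: string; type: 'c' | 'p'; teamId?: string; members: Set<string> };
type JoinFn = (room: Room, userId: string) => boolean;

const teams = new Map<string, Team>();

// Behaviour the PR describes as the bug: a public channel ('c') is treated as
// joinable by anyone, so the webhook user is added without checking the parent team.
function joinWithoutTeamCheck(room: Room, userId: string): boolean {
  if (room.type !== 'c') return room.members.has(userId);
  room.members.add(userId);
  return true;
}

// Behaviour after the fix: a public channel inside a private team is joinable
// only by members of that team; channels outside a team keep the normal rule.
function joinWithTeamCheck(room: Room, userId: string): boolean {
  if (room.members.has(userId)) return true;
  if (room.type !== 'c') return false;
  const team = room.teamId ? teams.get(room.teamId) : undefined;
  if (room.teamId && !team) return false; // unknown parent team: fail closed
  if (team && team.isPrivate && !team.members.has(userId)) return false;
  room.members.add(userId);
  return true;
}

// Webhook delivery with the join option on: join as the integration's user, then post.
function postViaWebhook(room: Room, userId: string, join: JoinFn): string {
  return join(room, userId) ? 'posted' : 'rejected';
}

// Constructed sample data mirroring the reproduction steps in the description.
function makeScenario(): { teamChannel: Room; openChannel: Room } {
  teams.set('team-private', {
    id: 'team-private',
    isPrivate: true,
    members: new Set<string>(['alice', 'carol']),
  });
  return {
    teamChannel: { id: 'general', type: 'c', teamId: 'team-private', members: new Set<string>(['alice']) },
    openChannel: { id: 'lobby', type: 'c', members: new Set<string>() },
  };
}
```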

@abhinavkrin abhinavkrin requested a review from a team as a code owner April 11, 2025 08:27
dionisio-bot bot commented Apr 11, 2025

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

changeset-bot bot commented Apr 11, 2025

🦋 Changeset detected

Latest commit: c0cc4da

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 36 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/instance-status Patch

codecov bot commented Apr 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.23%. Comparing base (2c19074) to head (c0cc4da).
Report is 1 commits behind head on develop.

@@             Coverage Diff             @@
##           develop   #35782      +/-   ##
===========================================
+ Coverage    61.17%   61.23%   +0.05%     
===========================================
  Files         2971     2971              
  Lines        70839    70839              
  Branches     16185    16185              
===========================================
+ Hits         43335    43375      +40     
+ Misses       24556    24502      -54     
- Partials      2948     2962      +14     
Flag Coverage Δ
e2e 57.69% <ø> (-0.01%) ⬇️
unit 75.61% <ø> (ø)

github-actions bot commented Apr 11, 2025

PR Preview Action v1.6.1

🚀 View preview at
https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-35782/

Built to branch gh-pages at 2025-04-17 05:57 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@abhinavkrin abhinavkrin added this to the 7.6.0 milestone Apr 11, 2025
@julio-rocketchat julio-rocketchat added the stat: QA assured Means it has been tested and approved by a company insider label Apr 15, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Apr 15, 2025

kody-ai bot commented Apr 15, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.

@pierre-lehnen-rc pierre-lehnen-rc left a comment

A few comments but nothing that prevents merging this.

@abhinavkrin abhinavkrin force-pushed the fix/incoming-webhooks-private-team-public-channel branch from 2a29d59 to 6e815f9 Compare April 16, 2025 06:51

kody-ai bot commented Apr 16, 2025

Kody Review Complete

Great news! 🎉
No issues were found that match your current review configurations.

Keep up the excellent work! 🚀

@abhinavkrin
Member Author

/backport 7.4.3

dionisio-bot bot commented Apr 29, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.4.3-35782
git cherry-pick fe5f8a2cf346ab7757a67873060127db2cd8265d
// solve the conflict
git push

after that just run /backport 7.4.3 again

@abhinavkrin
Member Author

/backport 7.4.3

dionisio-bot bot commented Apr 29, 2025

Pull request #35896 added to Project: "Patch 7.4.3"

@abhinavkrin
Member Author

/backport 7.3.5

dionisio-bot bot commented Apr 29, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.3.5-35782
git cherry-pick fe5f8a2cf346ab7757a67873060127db2cd8265d
// solve the conflict
git push

after that just run /backport 7.3.5 again

@abhinavkrin
Member Author

/backport 7.3.5

dionisio-bot bot commented Apr 29, 2025

Pull request #35897 added to Project: "Patch 7.3.5"

@abhinavkrin
Member Author

/backport 7.2.6

dionisio-bot bot commented Apr 29, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.2.6-35782
git cherry-pick fe5f8a2cf346ab7757a67873060127db2cd8265d
// solve the conflict
git push

after that just run /backport 7.2.6 again

@abhinavkrin
Member Author

/backport 7.2.6

dionisio-bot bot commented Apr 29, 2025

Pull request #35898 added to Project: "Patch 7.2.6"

@abhinavkrin
Member Author

/backport 7.1.6

dionisio-bot bot commented Apr 29, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.1.6-35782
git cherry-pick fe5f8a2cf346ab7757a67873060127db2cd8265d
// solve the conflict
git push

after that just run /backport 7.1.6 again

@abhinavkrin
Member Author

/backport 7.1.6

dionisio-bot bot commented Apr 29, 2025

Pull request #35899 added to Project: "Patch 7.1.6"

@abhinavkrin
Member Author

/backport 7.0.10

dionisio-bot bot commented Apr 29, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.0.10-35782
git cherry-pick fe5f8a2cf346ab7757a67873060127db2cd8265d
// solve the conflict
git push

after that just run /backport 7.0.10 again

@abhinavkrin
Member Author

/backport 7.0.10

dionisio-bot bot commented Apr 29, 2025

Pull request #35900 added to Project: "Patch 7.0.10"
