Member

@MartinSchoeler MartinSchoeler commented Oct 2, 2025

Proposed changes (including videos or screenshots)

Restricts the following message actions on ABAC managed rooms:

  • Permalink Message
  • Reply in DM
  • Forward Message

Contains #37127

Issue(s)

ABAC-42

Steps to test or reproduce

Further comments

I've set the PR as chore since these changes are not available without mocking data

Summary by CodeRabbit

  • New Features

    • Message toolbar actions (Copy link, Forward, Reply in DM) now respect room policies and encryption: actions are disabled in ABAC-managed rooms or for encrypted messages, with explanatory tooltips.
    • Forward action now receives room context so its availability and label reflect room/encryption state.
    • Consistent behavior across default, mobile, and thread toolbars.
    • Added user-facing tooltip text for ABAC-managed rooms.
  • Tests

    • Added comprehensive unit and accessibility tests for permalink and forward actions covering normal, encrypted, and ABAC-managed scenarios.

Contributor

dionisio-bot bot commented Oct 2, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is targeting the wrong base branch. It should target 7.12.0, but it targets 7.11.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Oct 2, 2025

⚠️ No Changeset found

Latest commit: 005da73

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@MartinSchoeler MartinSchoeler added this to the 7.12.0 milestone Oct 2, 2025
Contributor

coderabbitai bot commented Oct 2, 2025

Walkthrough

Adds room-aware ABAC checks and tooltips to message actions (forward, permalink, reply-in-DM), passes room context to affected hooks/components, updates action disabled/tooltip logic, and adds tests plus an English i18n string.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Toolbar wiring: apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx | Updated usePermalinkAction calls to include a third argument { room } for permalink, star, and pinned actions. |
| Forward action call sites: apps/meteor/client/components/message/toolbar/items/DefaultItems.tsx, apps/meteor/client/components/message/toolbar/items/MobileItems.tsx, apps/meteor/client/components/message/toolbar/items/ThreadsItems.tsx | ForwardMessageAction invoked with room={room} alongside message={message}. |
| Forward action logic & tests: apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx, apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx | Component API now accepts { message, room }; computes ABAC state, includes ABAC in disabled conditions and tooltip selection; added unit tests covering normal, encrypted, ABAC, combined, and a11y cases. |
| Permalink hook & tests: apps/meteor/client/components/message/toolbar/usePermalinkAction.ts, apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts | Hook signature extended to accept { room }; computes ABAC state, sets disabled and tooltip accordingly; tests validate labels, disabled states, tooltips, and action shape. |
| Reply-in-DM action: apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts | Adds ABAC detection from room.abacAttributes; updates disabled flag and tooltip generation to account for ABAC and encryption. |
| Localization: packages/i18n/src/locales/en.i18n.json | Added Not_available_for_ABAC_enabled_rooms: "Not available in ABAC-managed rooms". |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant MT as Message Toolbar
  participant A as Action Hook / Component
  participant R as Room Context

  U->>MT: Open message actions
  MT->>A: computeAction(message, meta, { room })
  A->>R: read room.abacAttributes
  A->>A: determine isEncrypted || isABACEnabled
  alt Disabled (encrypted or ABAC)
    A-->>MT: { disabled: true, tooltip }
    U->>MT: Hover / press
    MT-->>U: Show tooltip
  else Enabled
    A-->>MT: { disabled: false }
    U->>MT: Click action
    MT->>A: execute action
    A-->>U: Open modal / copy link
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • MartinSchoeler
  • aleksandernsilva
  • sampaiodiego

Poem

I thump my nose, the rules are clear,
In ABAC burrows, some paths disappear.
Encrypted tunnels close with care,
Tooltips whisper, "Do not share."
Still in open meadows, I hop and forward with delight. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues Check | ⚠️ Warning | The linked issue ABAC-42 requires disabling the “Forward Message” and “Invite Link” actions, but the code changes disable “Forward Message” and also add ABAC restrictions for “Permalink” and “Reply in DM,” while failing to address the “Invite Link” action at all. This mismatch means the pull request does not fulfill the invite link requirement and extends beyond the stated scope by adding unrelated action restrictions. | Implement ABAC-aware disabling for the invite link action and remove or defer the unrelated permalink and reply-in-DM modifications, or update the linked issue to reflect the broader set of action restrictions. |
| Out of Scope Changes Check | ⚠️ Warning | The pull request introduces ABAC restrictions for message permalink and reply-in-DM actions, which are not requested by the linked issue ABAC-42 and thus fall outside the specified objectives. These additional changes increase complexity and risk unintended side effects unrelated to disabling forward message and invite link. | Remove the ABAC logic from the permalink and reply-in-DM functionality or split these into a separate, clearly scoped pull request, and focus this PR solely on disabling forward message and invite link per the linked issue. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title clearly indicates that the pull request introduces restrictions on message actions in ABAC-managed rooms, which aligns with the main change of adding ABAC checks to several message action components. It is concise, avoids extraneous details, and directly references the ABAC context where the restrictions apply. The phrasing succinctly summarizes the primary intent without unnecessary noise. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 711c693 and fb5966b.

📒 Files selected for processing (1)
  • packages/i18n/src/locales/en.i18n.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/i18n/src/locales/en.i18n.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: Builds matrix rust bindings against alpine
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build


codecov bot commented Oct 2, 2025

Codecov Report

❌ Patch coverage is 95.45455% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.42%. Comparing base (c8f1354) to head (005da73).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #37128      +/-   ##
===========================================
+ Coverage    67.40%   67.42%   +0.01%     
===========================================
  Files         3288     3288              
  Lines       111688   111814     +126     
  Branches     20405    20419      +14     
===========================================
+ Hits         75285    75388     +103     
- Misses       33716    33738      +22     
- Partials      2687     2688       +1     
Flag Coverage Δ
e2e 57.33% <77.77%> (+0.02%) ⬆️
unit 71.44% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@MartinSchoeler MartinSchoeler marked this pull request as ready for review October 2, 2025 20:48
@MartinSchoeler MartinSchoeler requested a review from a team as a code owner October 2, 2025 20:48
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (2)

19-20: Document timeline for IRoom type extension.

The ts-expect-error indicates abacAttributes is not yet in the IRoom type definition. Please ensure there's a tracking issue or timeline for adding this field to IRoom in @rocket.chat/core-typings to avoid long-term type suppression.


42-50: Consistent tooltip logic across actions.

The tooltip computation prioritizes encryption over ABAC. Verify this precedence is intentional and consistent with ForwardMessageAction and usePermalinkAction. If ABAC should take precedence or both conditions should display a combined message, update the logic accordingly.

apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (1)

86-105: Verify tooltip precedence is intentional.

Line 103 expects the encryption tooltip when both conditions are true. Ensure this precedence (encryption over ABAC) is intentional and documented. If both conditions should display a combined message or ABAC should take precedence, update both the implementation and test.

apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (2)

21-22: Document timeline for IRoom type extension.

The ts-expect-error indicates abacAttributes is not yet in the IRoom type definition. Ensure there's a tracking issue or timeline for adding this field to IRoom in @rocket.chat/core-typings to avoid long-term type suppression. This pattern is repeated across multiple files in this PR (useReplyInDMAction.ts, test files).


24-32: Verify tooltip precedence is consistent.

The title computation prioritizes encryption over ABAC (lines 25-30). Ensure this precedence is:

  1. Intentional and documented
  2. Consistent across all ABAC-aware actions (Reply in DM, Permalink)

If the precedence differs or should be unified, update accordingly.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 40a45d8 and 24a0228.

📒 Files selected for processing (13)
  • .changeset/wicked-ligers-hide.md (1 hunks)
  • apps/meteor/app/ui-utils/client/lib/MessageAction.ts (1 hunks)
  • apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (2 hunks)
  • apps/meteor/client/components/message/toolbar/MessageToolbarStarsActionMenu.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/DefaultItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/MobileItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/ThreadsItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (2 hunks)
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts (1 hunks)
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (3 hunks)
  • apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (4 hunks)
  • packages/i18n/src/locales/en.i18n.json (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (6)
apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (2)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (21-95)
packages/core-typings/src/IMessage/IMessage.ts (1)
  • isE2EEMessage (426-426)
apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (3)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (21-95)
apps/meteor/app/ui-utils/client/lib/MessageAction.ts (1)
  • MessageActionConfig (21-33)
packages/core-typings/src/IMessage/IMessage.ts (1)
  • isE2EEMessage (426-426)
apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (1)
apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (1)
  • usePermalinkAction (10-52)
apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (2)
packages/mock-providers/src/index.ts (1)
  • mockAppRoot (3-3)
apps/meteor/tests/mocks/data.ts (1)
  • createFakeRoom (46-61)
apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (1)
packages/ui-contexts/src/index.ts (1)
  • usePermission (55-55)
apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts (5)
apps/meteor/tests/mocks/data.ts (1)
  • createFakeUser (32-44)
packages/mock-providers/src/index.ts (1)
  • mockAppRoot (3-3)
packages/core-typings/src/IMessage/IMessage.ts (1)
  • IMessage (138-239)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (21-95)
apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (1)
  • usePermalinkAction (10-52)
🔇 Additional comments (20)
apps/meteor/client/components/message/toolbar/items/MobileItems.tsx (1)

21-21: LGTM!

Correctly passes the room prop to ForwardMessageAction to enable ABAC-aware forwarding logic, consistent with updates in DefaultItems.tsx and ThreadsItems.tsx.

apps/meteor/app/ui-utils/client/lib/MessageAction.ts (1)

26-26: LGTM!

Clean extension of the MessageActionConfig type to support explicit tooltip strings. The optional field is non-breaking and aligns with the broader tooltip handling refactor across message actions.

apps/meteor/client/components/message/toolbar/items/DefaultItems.tsx (1)

20-20: LGTM!

Correctly passes the room prop to ForwardMessageAction, consistent with the component's updated signature.

apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (1)

86-87: LGTM!

Correctly disables the action when encrypted or ABAC-enabled, and conditionally spreads the tooltip when present.

apps/meteor/client/components/message/toolbar/items/ThreadsItems.tsx (1)

19-19: LGTM!

Correctly passes the room prop to ForwardMessageAction, consistent with the component's updated signature.

apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (3)

35-48: LGTM!

Comprehensive test coverage for the normal message case with accessibility validation.

Also applies to: 107-119


50-66: LGTM!

Correctly tests the encrypted message scenario with proper disabled state and accessibility checks.

Also applies to: 121-136


68-84: LGTM!

Correctly tests the ABAC-enabled room scenario with proper disabled state and accessibility checks.

Also applies to: 138-153

apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (1)

1-2: LGTM!

Clean integration of room context and ABAC-aware disabled state. The component correctly computes the title based on encryption and ABAC state, and disables the action when either condition is true.

Also applies to: 4-4, 13-13, 16-16, 38-38, 40-40

apps/meteor/client/components/message/toolbar/MessageToolbarStarsActionMenu.tsx (1)

40-40: Disabled actions already provide explicit tooltips. Verified that the disabled case in MessageToolbarStarsActionMenu.tsx includes an explicit tooltip.

apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (3)

1-4: LGTM!

The additional imports (IRoom and useMemo) are correctly used for the new room-based ABAC logic and tooltip memoization.


22-30: LGTM!

The tooltip logic correctly prioritizes encryption over ABAC when both conditions are true, and the memoization is appropriate for the dependencies.


49-50: LGTM!

The disabled logic correctly combines both conditions, and the conditional tooltip spreading is a clean pattern that avoids adding undefined fields to the return object.

apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts (5)

29-68: LGTM!

The mock factories are well-structured with sensible defaults and support for overrides, enabling flexible test scenarios.


71-94: LGTM!

The test correctly verifies that the permalink action is enabled for normal messages without encryption or ABAC restrictions.


95-122: Verify the expected tooltip value.

Line 120 expects tooltip: 'Action_not_available_encrypted_content', but the implementation (usePermalinkAction.ts line 24) calls t('Action_not_available_encrypted_content', { action: t('Copy_link') }), which should return a translated string, not the translation key. Confirm whether the test should expect the translated value or if the mockAppRoot is configured to return translation keys as-is.


152-181: LGTM with verification needed.

The test correctly validates that when both encryption and ABAC are present, the encrypted tooltip takes priority (line 179), which aligns with the implementation logic in usePermalinkAction.ts. However, the same translation key vs. translated value concern applies here as noted in the previous comment.


21-27: Ensure all tooltip translations are mocked in tests.

The usePermalinkAction.spec.ts setup mocks only Copy_link and Copied but asserts tooltips Action_not_available_encrypted_content and Not_available_for_ABAC_enabled_rooms; mock those keys or verify fallback behavior.

apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (2)

53-64: LGTM!

All three usePermalinkAction calls correctly pass the room parameter, enabling ABAC-aware behavior for permalink actions in different contexts (starred, pinned, and general messages).


106-106: LGTM!

Delegating tooltip handling to the action configuration is cleaner and more flexible, allowing each action hook to provide its own contextual tooltip.
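
The disabled state and tooltip precedence that the review comments above describe (disabled when the message is encrypted or the room is ABAC-managed, with the encryption tooltip winning when both apply), as an added example that is not code from this PR or the Rocket.Chat repository. The types, `t`, `isAbacManaged`, `computeActionState`, `toolbarStates`, the action ids, the two non-`Copy_link` label keys, and the rule that a non-empty `abacAttributes` array marks an ABAC-managed room are all assumptions.

```typescript
// Added example; not code from the Rocket.Chat repository.
// Types and helper names are hypothetical stand-ins for the real ones.
type Room = { _id: string; abacAttributes?: unknown[] };
type Message = { _id: string; encrypted: boolean }; // stands in for isE2EEMessage(message)
type ActionState = { id: string; disabled: boolean; tooltip?: string };

// Stand-in translator: only the string quoted on this page is known, so any
// other key is returned as-is.
const STRINGS: Record<string, string> = {
	Not_available_for_ABAC_enabled_rooms: 'Not available in ABAC-managed rooms',
};
function t(key: string, _params?: Record<string, string>): string {
	return STRINGS[key] ?? key;
}

// Assumption: a room counts as ABAC-managed when abacAttributes is a non-empty array.
function isAbacManaged(room: Room): boolean {
	return Array.isArray(room.abacAttributes) && room.abacAttributes.length > 0;
}

function computeActionState(id: string, labelKey: string, message: Message, room: Room): ActionState {
	const encrypted = message.encrypted;
	const abac = isAbacManaged(room);

	// Encryption is checked first, so its tooltip wins when both conditions hold.
	let tooltip: string | undefined;
	if (encrypted) {
		tooltip = t('Action_not_available_encrypted_content', { action: t(labelKey) });
	} else if (abac) {
		tooltip = t('Not_available_for_ABAC_enabled_rooms');
	}

	return {
		id,
		disabled: encrypted || abac,
		// Add the tooltip field only when there is one, so enabled actions carry no undefined key.
		...(tooltip !== undefined ? { tooltip } : {}),
	};
}

// The three restricted actions; ids and the last two label keys are hypothetical.
const RESTRICTED_ACTIONS: Array<[string, string]> = [
	['permalink', 'Copy_link'],
	['forward-message', 'Forward_message_label'],
	['reply-directly', 'Reply_in_DM_label'],
];

function toolbarStates(message: Message, room: Room): ActionState[] {
	return RESTRICTED_ACTIONS.map(([id, labelKey]) => computeActionState(id, labelKey, message, room));
}

// Constructed sample data.
const plainRoom: Room = { _id: 'room-plain' };
const abacRoom: Room = { _id: 'room-abac', abacAttributes: [{ key: 'dept', values: ['finance'] }] };
const plainMsg: Message = { _id: 'm1', encrypted: false };
const e2eeMsg: Message = { _id: 'm2', encrypted: true };

const SCENARIOS: Array<[string, Message, Room]> = [
	['plain', plainMsg, plainRoom],
	['encrypted', e2eeMsg, plainRoom],
	['abac', plainMsg, abacRoom],
	['encrypted+abac', e2eeMsg, abacRoom],
];
for (const [name, msg, room] of SCENARIOS) {
	console.log(name, JSON.stringify(toolbarStates(msg, room)));
}
```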

@MartinSchoeler MartinSchoeler changed the title feat: Restrict certain messages actions on ABAC rooms chore: Restrict certain messages actions on ABAC rooms Oct 3, 2025
@MartinSchoeler MartinSchoeler force-pushed the feat/ABAC-message-restrictions branch from 16764f8 to 3700d4b Compare October 3, 2025 16:24
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 24a0228 and 3700d4b.

📒 Files selected for processing (10)
  • apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/DefaultItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/MobileItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/ThreadsItems.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (1 hunks)
  • apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (2 hunks)
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts (1 hunks)
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (3 hunks)
  • apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (3 hunks)
  • packages/i18n/src/locales/en.i18n.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (5)
  • apps/meteor/client/components/message/toolbar/items/DefaultItems.tsx
  • apps/meteor/client/components/message/toolbar/items/ThreadsItems.tsx
  • apps/meteor/client/components/message/toolbar/items/MobileItems.tsx
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.spec.ts
  • apps/meteor/client/components/message/toolbar/usePermalinkAction.ts
🧰 Additional context used
🧬 Code graph analysis (3)
apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx (2)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (21-95)
packages/core-typings/src/IMessage/IMessage.ts (1)
  • isE2EEMessage (426-426)
apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (1)
apps/meteor/client/components/message/toolbar/usePermalinkAction.ts (1)
  • usePermalinkAction (10-52)
apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.spec.tsx (2)
packages/mock-providers/src/index.ts (1)
  • mockAppRoot (3-3)
apps/meteor/tests/mocks/data.ts (1)
  • createFakeRoom (46-61)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (5)
apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts (2)

42-50: LGTM!

The tooltip calculation correctly prioritizes encrypted content messaging over ABAC restrictions and properly uses the new i18n key. The dependency array is complete and the logic is sound.


86-87: LGTM!

The disabled flag correctly combines both encrypted and ABAC states, and the conditional tooltip spread is implemented idiomatically. The changes align well with the tooltip calculation logic.

apps/meteor/client/components/message/toolbar/MessageToolbarActionMenu.tsx (2)

53-54: LGTM!

The addition of the { room } parameter to both permalink action calls is correct and aligns with the updated usePermalinkAction signature. The room context is properly passed from the component scope.


55-64: LGTM!

The multi-line formatting improves readability for this complex permalink action configuration, and the { room } parameter is correctly added. All contexts, type, and order properties are properly specified.

packages/i18n/src/locales/en.i18n.json (1)

7039-7042: ABAC tooltip string looks good

Key naming and copy align with the existing locale patterns. No issues spotted.

Member

@dougfabris dougfabris left a comment

LGTM!

@MartinSchoeler MartinSchoeler added the stat: QA assured Means it has been tested and approved by a company insider label Oct 10, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Oct 10, 2025
@kodiakhq kodiakhq bot merged commit 7c1f5d2 into develop Oct 10, 2025
86 of 88 checks passed
@kodiakhq kodiakhq bot deleted the feat/ABAC-message-restrictions branch October 10, 2025 21:43