
Conversation

@KevLehman
Member

@KevLehman KevLehman commented Oct 24, 2025

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC-10

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • New Features
    • Added protection for ABAC-managed rooms: private rooms and team rooms with ABAC attributes can no longer be converted to public when ABAC governance is active, ensuring consistent access control policies.

@dionisio-bot
Contributor

dionisio-bot bot commented Oct 24, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented Oct 24, 2025

⚠️ No Changeset found

Latest commit: c09c378

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai bot commented Oct 24, 2025

Walkthrough

This PR enforces ABAC protection by preventing ABAC-managed private rooms and team rooms from being converted to public. It adds validation logic in saveRoomSettings.ts that blocks room type conversions when ABAC is enabled and the room has ABAC attributes. Comprehensive E2E tests validate the protection for both individual rooms and team scenarios.

Changes

Cohort / File(s) | Change Summary

ABAC Room Type Conversion Validation
  • apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts
    Adds conditional logic to reject room type changes from private to non-private when ABAC is enabled and the room has ABAC attributes, for both direct rooms and private team rooms

ABAC Room Type & Team Type Conversion Tests
  • apps/meteor/tests/end-to-end/api/abac.ts
    Adds two E2E test suites: one for room type conversion with ABAC management, another for team type conversion; both validate error responses when converting ABAC-managed private rooms/teams to public while ABAC is enabled, and success when ABAC is disabled

Sequence Diagram

sequenceDiagram
    participant User
    participant API as saveRoomSettings API
    participant Room DB
    participant Validation

    User->>API: Request room type change (private → public)
    API->>Room DB: Fetch room & ABAC status
    Room DB-->>API: Return room data
    
    alt ABAC enabled AND has ABAC attributes
        API->>Validation: Check if converting away from private
        Validation-->>API: Validation fails
        API-->>User: ❌ Error: Cannot convert ABAC room to public
    else ABAC disabled OR no ABAC attributes
        API->>Room DB: Update room type
        Room DB-->>API: Success
        API-->>User: ✅ Room type changed
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

  • ABAC validation logic in saveRoomSettings.ts requires verification that conditions correctly identify ABAC-managed private rooms across both direct and team room scenarios
  • Test scenarios are comprehensive and follow clear patterns, but comprehension of ABAC state management and attribute handling is needed

Possibly related PRs

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

  • tassoevan
  • dougfabris

Poem

🐰 A private warren with ABAC keys,
No public doors can set them free,
The validation hops through night and day,
Keeping unwanted guests at bay! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
  • Linked Issues Check (❓ Inconclusive): The PR appears to partially address requirements from ABAC-10 by implementing server-side validation in saveRoomSettings.ts to prevent room type changes to public when ABAC is enabled on private rooms and teams, with corresponding test coverage. However, based on the raw summary provided, the PR does not appear to address other key coding requirements from the linked issue: (1) blocking ABAC enablement on non-private rooms with error code error-abac-requires-private-room, and (2) UI-layer controls to disable/hide "Make Public" options and display inline error messages in ABAC-managed rooms. The changes shown focus only on the room type conversion prevention aspect. Verification is needed to confirm whether the PR fully addresses all coding-related requirements in ABAC-10, particularly: whether server validation includes blocking ABAC enablement on non-private rooms with the specified error code, and whether UI controls and error messaging have been implemented elsewhere in the changeset not reflected in the provided summary. Resolution: Consider clarifying the scope of this PR—whether it addresses all requirements or if related work is handled in companion PRs.
✅ Passed checks (3 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check (✅ Passed): The pull request title "feat: Prevent ABAC managed rooms becoming public while ABAC is active" directly and accurately describes the main change in the changeset. The modifications to saveRoomSettings.ts add validation logic that prevents private rooms with ABAC attributes from being converted to public when ABAC is enabled, and the new test suite validates this behavior. The title is clear, specific, and concise without unnecessary noise, effectively communicating the primary objective of the PR to anyone reviewing the git history.
  • Out of Scope Changes Check (✅ Passed): All changes in the PR are directly aligned with the stated objective of preventing ABAC-managed rooms from becoming public. The modifications to saveRoomSettings.ts add ABAC-related validation logic for room type changes, and the additions to abac.ts implement comprehensive test suites specifically for ABAC room and team type conversion scenarios. No unrelated changes, cleanup tasks, or tangential modifications are evident in the provided summary.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
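The conversion guard the walkthrough above describes, written out as an added TypeScript example that is not Rocket.Chat's own code: it models the roomType branch of saveRoomSettings with assumed field names (`t`, `teamMain`, `abacAttributes`), throws the message the PR's test expects, and uses the error code CodeRabbit proposes in its review.

```typescript
// Added example, not Rocket.Chat's code: the guard the walkthrough describes.
// Field names (t, teamMain, abacAttributes) are assumptions for this model.
type RoomType = 'c' | 'p' | 'd';
interface Room {
  t: RoomType;                               // 'p' private, 'c' public, 'd' direct
  teamMain?: boolean;                        // true for a team's main room
  abacAttributes?: Record<string, string[]>; // ABAC attribute key -> values
}

// Meteor.Error-like shape: `error` is the machine code, `message` the reason.
class AbacRoomError extends Error {
  error: string;
  constructor(error: string, reason: string) {
    super(reason);
    this.error = error;
  }
}

function hasAbacAttributes(room: Room): boolean {
  return !!room.abacAttributes && Object.keys(room.abacAttributes).length > 0;
}

// Rejects turning an ABAC-managed private room (or private team main room) into
// a non-private one while ABAC is active; every other change passes through.
function assertRoomTypeChangeAllowed(room: Room, newType: RoomType, abacEnabled: boolean): void {
  if (newType === room.t) return;                 // no-op change
  if (room.t !== 'p' || newType === 'p') return;  // only private -> non-private is governed
  if (!abacEnabled || !hasAbacAttributes(room)) return;
  const kind = room.teamMain ? 'team' : 'room';
  throw new AbacRoomError(
    'error-abac-room-cannot-be-public',
    `Changing an ABAC managed private ${kind} to public is not allowed`,
  );
}

// Returns 'ok' or the error code, so callers can inspect the outcome directly.
function roomTypeChangeOutcome(room: Room, newType: RoomType, abacEnabled: boolean): string {
  try {
    assertRoomTypeChangeAllowed(room, newType, abacEnabled);
    return 'ok';
  } catch (e) {
    if (e instanceof AbacRoomError) return e.error;
    throw e;
  }
}

// Constructed sample rooms.
const managedRoom: Room = { t: 'p', abacAttributes: { department: ['security'] } };
const managedTeam: Room = { t: 'p', teamMain: true, abacAttributes: { clearance: ['high'] } };
const plainPrivate: Room = { t: 'p' };
```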

@codecov

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.04%. Comparing base (0aa0e27) to head (c09c378).
⚠️ Report is 3 commits behind head on feat/abac.

Additional details and impacted files


@@              Coverage Diff              @@
##           feat/abac   #37303      +/-   ##
=============================================
- Coverage      70.08%   70.04%   -0.04%     
=============================================
  Files           3032     3032              
  Lines         103981   103987       +6     
  Branches       18488    18490       +2     
=============================================
- Hits           72875    72841      -34     
- Misses         29151    29196      +45     
+ Partials        1955     1950       -5     
Flag | Coverage Δ
  • e2e: 57.41% <ø> (+0.02%) ⬆️
  • unit: 71.57% <ø> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.


@KevLehman KevLehman marked this pull request as ready for review October 27, 2025 13:58
@KevLehman KevLehman requested a review from a team as a code owner October 27, 2025 13:58
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (3)
apps/meteor/tests/end-to-end/api/abac.ts (3)

1113-1123: Assert structured error code and 403 (not 400).

Change expectation to match API requirement and new error code.

- .expect(400)
- .expect((res) => {
-   expect(res.body).to.have.property('success', false);
-   expect(res.body).to.have.property('error').to.include('Changing an ABAC managed private room to public is not allowed');
- });
+ .expect(403)
+ .expect((res) => {
+   expect(res.body).to.have.property('success', false);
+   expect(res.body).to.have.property('error', 'error-abac-room-cannot-be-public');
+ });
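Review bot: the replacement assertion expects `error` to equal the bare code string, while the lines it removes expect `error` to contain the human-readable message, so both cannot hold unless the server also stops sending the message in that field; the paragraph that follows covers the status code but not the response body. Suggest keeping the message check and asserting the code in a separate property once the server emits one, so the test does not fail on the message alone.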

If the REST layer currently maps Meteor.Error to 400, adjust server to emit 403 (statusCode: 403) as proposed, or update the REST mapping accordingly.


1196-1232: Team main room conversion: apply same spec (403 + code; block even when globally disabled).

Mirror the room flow: first fail while ABAC disabled, then succeed after deleting attributes from the main room.

- it('should allow converting private team (main room) with ABAC attributes to public when ABAC disabled', async () => {
-   await updateSetting('ABAC_Enabled', false);
-   await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: mainRoomIdWithAttrAbacDisabled, roomType: 'c' })
-     .expect(200)
-     .expect((res) => { expect(res.body.success).to.be.true; });
- });
+ it('should still fail while ABAC disabled (attributes present), then succeed after removing attributes (team main room)', async () => {
+   await updateSetting('ABAC_Enabled', false);
+   await request
+     .post(`${v1}/rooms.saveRoomSettings`)
+     .set(credentials)
+     .send({ rid: mainRoomIdWithAttrAbacDisabled, roomType: 'c' })
+     .expect(403)
+     .expect((res) => { expect(res.body.error).to.equal('error-abac-room-cannot-be-public'); });
+   await request.delete(`${v1}/abac/room/${mainRoomIdWithAttrAbacDisabled}/attributes`).set(credentials).expect(200);
+   await request
+     .post(`${v1}/rooms.saveRoomSettings`)
+     .set(credentials)
+     .send({ rid: mainRoomIdWithAttrAbacDisabled, roomType: 'c' })
+     .expect(200)
+     .expect((res) => { expect(res.body.success).to.be.true; });
+ });
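Review bot: this rewrite asserts that the conversion still fails while ABAC is disabled, which inverts the behaviour this PR implements and that its Changes summary states (conversion succeeds once ABAC is disabled), so it should not be applied without a server-side decision to block on attributes alone. It also clears attributes via `DELETE ${v1}/abac/room/${mainRoomIdWithAttrAbacDisabled}/attributes`, an endpoint that does not appear in this changeset; confirm it exists before the test depends on it.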

1059-1137: Add missing coverage: public/DM/discussion rooms cannot receive ABAC; enabling ABAC on non-private must fail.

Add a small case creating a public room and asserting POST /abac/room/:rid/attributes/:key fails with error-abac-requires-private-room.

Example:

it('should fail adding ABAC attribute to public room (requires private)', async () => {
  const pub = (await createRoom({ type: 'c', name: `abac-public-${Date.now()}` })).body.channel;
  await request
    .post(`${v1}/abac/room/${pub._id}/attributes/${attrKey}`)
    .set(credentials)
    .send({ values: ['val1'] })
    .expect(422)
    .expect((res) => {
      expect(res.body.error).to.equal('error-abac-requires-private-room');
    });
  await deleteRoom({ type: 'c', roomId: pub._id });
});

Happy to send a patch.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 38bc363 and c09c378.

📒 Files selected for processing (2)
  • apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts (2 hunks)
  • apps/meteor/tests/end-to-end/api/abac.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: KevLehman
PR: RocketChat/Rocket.Chat#37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.338Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

  • apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts
🧬 Code graph analysis (1)
apps/meteor/tests/end-to-end/api/abac.ts (2)
apps/meteor/tests/data/api-data.ts (2)
  • request (10-10)
  • credentials (39-42)
apps/meteor/tests/e2e/utils/create-target-channel.ts (2)
  • deleteRoom (48-50)
  • deleteTeam (66-68)
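An added TypeScript example, not Rocket.Chat's code, for two points raised in the review above: the guard that keeps ABAC attributes off non-private rooms (the error-abac-requires-private-room case), and a REST error mapping that honours a per-error status code instead of a blanket 400. Room, error and response shapes, including the `errorType` field and the reason text, are assumptions.

```typescript
// Added example, not Rocket.Chat's code: the two points the review above raises.
// Error/response shapes and field names are assumptions for this model.
type RoomType = 'c' | 'p' | 'd';
interface Room { t: RoomType; abacAttributes?: Record<string, string[]> }

// Meteor.Error-like error carrying the HTTP status the REST layer should use.
class AbacError extends Error {
  error: string;
  statusCode: number;
  constructor(error: string, reason: string, statusCode = 400) {
    super(reason);
    this.error = error;
    this.statusCode = statusCode;
  }
}

// Guard for adding an attribute: refusing non-private rooms keeps the invariant
// "ABAC attributes only ever exist on type 'p' rooms" that the conversion guard
// relies on. The 422 status and error code follow the review's suggested test.
function setAbacAttribute(room: Room, key: string, values: string[]): Room {
  if (room.t !== 'p') {
    throw new AbacError('error-abac-requires-private-room', 'ABAC attributes require a private room', 422);
  }
  return { ...room, abacAttributes: { ...(room.abacAttributes ?? {}), [key]: [...values] } };
}

interface RestFailure { status: number; body: { success: false; error: string; errorType: string } }

// REST mapping: use the error's own statusCode instead of a blanket 400, so a
// policy refusal can surface as 403/422 while plain validation stays 400.
function toRestFailure(e: unknown): RestFailure {
  if (e instanceof AbacError) {
    return { status: e.statusCode, body: { success: false, error: e.message, errorType: e.error } };
  }
  const message = e instanceof Error ? e.message : String(e);
  return { status: 400, body: { success: false, error: message, errorType: 'error-unknown' } };
}

// Simulates the endpoint handler: 200 with the updated room, or a failure body.
function trySetAttribute(room: Room, key: string, values: string[]): RestFailure | { status: 200; room: Room } {
  try {
    return { status: 200, room: setAbacAttribute(room, key, values) };
  } catch (e) {
    return toRestFailure(e);
  }
}
```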

@tassoevan tassoevan merged commit 08100ff into feat/abac Oct 27, 2025
49 checks passed
@tassoevan tassoevan deleted the feat/prevent-public branch October 27, 2025 19:17
@coderabbitai coderabbitai bot mentioned this pull request Dec 9, 2025
@coderabbitai coderabbitai bot mentioned this pull request Dec 10, 2025