
Conversation

@KevLehman
Member

@KevLehman KevLehman commented Nov 17, 2025

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC-82

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • New Features
    • Added ABAC room listing endpoint with pagination and total counts.
    • Administrators can filter rooms by name, attribute key, attribute value, or search across all fields.
    • Endpoint is protected and requires ABAC management permission.
  • Tests
    • Added end-to-end tests covering listing, filtering modes, pagination, and access control checks.

@changeset-bot

changeset-bot bot commented Nov 17, 2025

⚠️ No Changeset found

Latest commit: d3ac393

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@dionisio-bot
Contributor

dionisio-bot bot commented Nov 17, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@coderabbitai
Contributor

coderabbitai bot commented Nov 17, 2025

Walkthrough

Adds a paginated, filterable GET endpoint abac/rooms, AJV request/response schemas, a new AbacService method to list ABAC-managed rooms with filtering, an IAbacService interface update, and end-to-end tests (with a duplicated test block present).

Changes

Cohort / File(s) Summary
API Endpoint & route exports
apps/meteor/ee/server/api/abac/index.ts
Added GET abac/rooms route (authRequired, permission abac-management), uses GETAbacRoomsListQueryValidator for query and GETAbacRoomsResponseValidator for 200 responses; handler parses pagination and calls Abac.listAbacRooms.
API Schemas / Validators
apps/meteor/ee/server/api/abac/schemas.ts
Added GETAbacRoomsListQuery type and validator (paginated request with filter/filterType) and GETAbacRoomsResponse schema/validator (paginated result with rooms: IRoom[]).
Service implementation
ee/packages/abac/src/index.ts
Added AbacService.listAbacRooms({ offset, count, filter, filterType }) implementing paginated Mongo queries, regex-based filtering modes (all, roomName, attribute, value), cursor materialization and total count.
Public service interface
packages/core-services/src/types/IAbacService.ts
Added listAbacRooms(...) declaration to IAbacService with return type { rooms: IRoom[]; offset: number; count: number; total: number }.
End-to-end tests
apps/meteor/tests/end-to-end/api/abac.ts
Added comprehensive tests for listing ABAC rooms: baseline visibility, filtering by key/value/roomName/all, pagination, private-team scenarios, and unauthorized access. (Note: duplicate test block present.)

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API as "GET /abac/rooms"
    participant Route as "Route Handler"
    participant Abac as "AbacService"
    participant DB as "MongoDB"

    Client->>API: GET /abac/rooms?filter=&filterType=&offset=&count=
    API->>Route: auth & permission check
    Route->>Route: validate query (GETAbacRoomsListQueryValidator)
    Route->>Abac: listAbacRooms({offset,count,filter,filterType})
    Abac->>DB: findPaginated(query with ABAC attrs + regex filter)
    DB-->>Abac: cursor + totalCount
    Abac->>Abac: toArray() -> rooms[]
    Abac-->>Route: { rooms, offset, count, total }
    Route-->>Client: 200 GETAbacRoomsResponse
    rect rgba(200,150,255,0.14)
      note right of API: permission: abac-management
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Focus review on:
    • ee/packages/abac/src/index.ts — correctness and performance of Mongo query construction, regex escaping, pagination (skip/limit) and totalCount retrieval.
    • apps/meteor/ee/server/api/abac/schemas.ts and apps/meteor/ee/server/api/abac/index.ts — AJV validators and type/schema consistency with handler inputs/outputs.
    • apps/meteor/tests/end-to-end/api/abac.ts — duplicated test block (confirm intentional or remove duplication), and test isolation/cleanup.

Possibly related PRs

Suggested reviewers

  • tassoevan
  • MartinSchoeler
  • d-gubert

Poem

🐰 I hopped through routes and regex light,
I counted offsets deep at night,
Rooms and attributes in tidy rows,
Pages turn where the ABAC wind blows,
A little rabbit cheers the new rooms' sight.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding a new endpoint for showing ABAC managed rooms, which is clearly reflected in the code additions across multiple files.
  • Linked Issues check: ✅ Passed. The PR fully implements the objective from ABAC-82 by adding a new GET endpoint for listing ABAC-managed rooms with pagination and filtering capabilities through service, schema, and API layers.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to implementing the ABAC rooms listing endpoint; no out-of-scope modifications are present beyond the core feature implementation.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 61716e0 and d3ac393.

📒 Files selected for processing (1)
  • apps/meteor/ee/server/api/abac/schemas.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/meteor/ee/server/api/abac/schemas.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build

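The listing query the walkthrough describes (private rooms with at least one ABAC attribute, a regex filter selected by filterType, escaped before use, then paginated) as an added example. This is not Rocket.Chat's code: the attribute shape `{ key, values[] }`, the pagination bounds, the `abacAttributes.0` non-empty check and the returned `count` being the size of the page are all assumptions, and the sample rooms are constructed. The tiny evaluator at the end only understands the operator subset the builder emits, so the query can be exercised without a database.

```typescript
// Added example, not Rocket.Chat code. Builds the kind of MongoDB filter a
// listAbacRooms({ filter, filterType }) implementation hands to Rooms.findPaginated,
// then runs it over constructed rooms with a tiny evaluator for the operator subset
// used here ($and, $or, $regex, $exists, equality). Assumptions: the attribute
// shape { key, values[] }, the pagination bounds, and that the returned `count`
// is the size of the page actually returned.

type AbacAttribute = { key: string; values: string[] };
type Room = { _id: string; t: 'c' | 'p' | 'd'; name: string; abacAttributes?: AbacAttribute[] };
type FilterType = 'all' | 'roomName' | 'attribute' | 'value';
type Query = Record<string, unknown>;

// Every regex metacharacter becomes a literal, so a user filter such as ".*" or
// "(a+)+$" can neither widen the match nor feed a pathological pattern to the engine.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function buildAbacRoomsQuery(filter: string | undefined, filterType: FilterType = 'all'): Query {
  // Invariants that never depend on user input: private rooms/teams only, and at
  // least one ABAC attribute ("abacAttributes.0" exists <=> the array is non-empty).
  const base: Query[] = [{ t: 'p' }, { 'abacAttributes.0': { $exists: true } }];
  if (!filter) return { $and: base };
  const rx = { $regex: escapeRegExp(filter), $options: 'i' };
  const byType: Record<FilterType, Query> = {
    roomName: { name: rx },
    attribute: { 'abacAttributes.key': rx },
    value: { 'abacAttributes.values': rx },
    all: { $or: [{ name: rx }, { 'abacAttributes.key': rx }, { 'abacAttributes.values': rx }] },
  };
  // $and (rather than merging keys into one object) means the user-driven clause
  // can never overwrite a base restriction that happens to use the same key.
  return { $and: [...base, byType[filterType]] };
}

// Resolve a dotted path the way MongoDB does: a non-numeric segment applied to an
// array fans out over its elements, a numeric one indexes into it.
function resolve(doc: unknown, path: string[]): unknown[] {
  if (path.length === 0) return [doc];
  const [head, ...rest] = path;
  if (Array.isArray(doc)) {
    if (/^\d+$/.test(head)) return Number(head) < doc.length ? resolve(doc[Number(head)], rest) : [];
    return doc.flatMap((el) => resolve(el, path));
  }
  if (doc !== null && typeof doc === 'object' && head in (doc as object)) {
    return resolve((doc as Record<string, unknown>)[head], rest);
  }
  return [];
}

function matches(doc: unknown, q: Query): boolean {
  return Object.entries(q).every(([key, cond]) => {
    if (key === '$and') return (cond as Query[]).every((sub) => matches(doc, sub));
    if (key === '$or') return (cond as Query[]).some((sub) => matches(doc, sub));
    const found = resolve(doc, key.split('.'));
    // An array-valued field matches when any element matches, as in MongoDB.
    const leaves: unknown[] = found.flatMap((v) => (Array.isArray(v) ? (v as unknown[]) : [v]));
    if (cond !== null && typeof cond === 'object') {
      const op = cond as { $regex?: string; $options?: string; $exists?: boolean };
      if (op.$exists !== undefined) return (found.length > 0) === op.$exists;
      if (op.$regex !== undefined) {
        const re = new RegExp(op.$regex, op.$options ?? '');
        return leaves.some((v) => typeof v === 'string' && re.test(v));
      }
      throw new Error(`operator not supported by this evaluator: ${JSON.stringify(cond)}`);
    }
    return leaves.some((v) => v === cond); // plain equality, e.g. { t: 'p' }
  });
}

// Negative offsets and oversized pages from the query string must not reach the DB.
function clampPagination(offset = 0, count = 50, max = 100): { offset: number; count: number } {
  return {
    offset: Number.isInteger(offset) && offset >= 0 ? offset : 0,
    count: Number.isInteger(count) && count > 0 ? Math.min(count, max) : 50,
  };
}

function listAbacRooms(
  rooms: Room[],
  opts: { filter?: string; filterType?: FilterType; offset?: number; count?: number } = {},
): { rooms: Room[]; offset: number; count: number; total: number } {
  const { offset, count } = clampPagination(opts.offset, opts.count);
  const query = buildAbacRoomsQuery(opts.filter, opts.filterType);
  const hits = rooms.filter((r) => matches(r, query));
  const page = hits.slice(offset, offset + count);
  return { rooms: page, offset, count: page.length, total: hits.length };
}

// Constructed sample data. r3 should not exist under the ABAC model (attributes are
// only set on private rooms) but shows that the t: 'p' restriction still holds.
const SAMPLE_ROOMS: Room[] = [
  { _id: 'r1', t: 'p', name: 'finance-private', abacAttributes: [{ key: 'department', values: ['finance'] }] },
  { _id: 'r2', t: 'p', name: 'hr-private', abacAttributes: [{ key: 'department', values: ['hr'] }, { key: 'clearance', values: ['secret'] }] },
  { _id: 'r3', t: 'c', name: 'finance-public', abacAttributes: [{ key: 'department', values: ['finance'] }] },
  { _id: 'r4', t: 'p', name: 'plain-private' },
  { _id: 'r5', t: 'p', name: 'empty-attrs', abacAttributes: [] },
];

function ids(result: { rooms: Room[] }): string[] {
  return result.rooms.map((r) => r._id);
}

console.log(ids(listAbacRooms(SAMPLE_ROOMS)));                                      // ['r1', 'r2']
console.log(ids(listAbacRooms(SAMPLE_ROOMS, { filter: '.*', filterType: 'all' })));   // [] after escaping
```

The two points worth checking against the real implementation are the ones the review flags for focus: that `escapeRegExp` is applied before the filter reaches `$regex` (otherwise `.*` lists every room and a nested quantifier can stall the query), and that the base restriction on `t` and `abacAttributes` is combined with the filter rather than overwritten by it.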

@codecov

codecov bot commented Nov 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/abac@c2d7ee2). Learn more about missing BASE report.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             feat/abac   #37536   +/-   ##
============================================
  Coverage             ?   54.49%           
============================================
  Files                ?     2658           
  Lines                ?    49968           
  Branches             ?    11126           
============================================
  Hits                 ?    27232           
  Misses               ?    20590           
  Partials             ?     2146           
Flag Coverage Δ
e2e 57.44% <ø> (?)
e2e-api 43.81% <ø> (?)


@KevLehman KevLehman marked this pull request as ready for review November 17, 2025 21:29
@KevLehman KevLehman requested a review from a team as a code owner November 17, 2025 21:29
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
ee/packages/abac/src/index.ts (1)

169-169: Consider using spread operator for clarity.

While Object.assign(baseQuery, condition) works correctly here, using the spread operator would make the code more readable and explicit about creating a merged query object.

-		Object.assign(baseQuery, condition);
+		const finalQuery = { ...baseQuery, ...condition };
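Review bot: the spread form `const finalQuery = { ...baseQuery, ...condition };` merges exactly as `Object.assign(baseQuery, condition)` does, with right-hand keys winning, so if `condition` ever carries a key that `baseQuery` already uses for its restriction (the `t: 'p'` and non-empty `abacAttributes` clauses mentioned in the review) it silently replaces that restriction instead of narrowing it; if a filter mode could ever target one of those keys, combine the two as `$and: [baseQuery, condition]` so both constraints always apply.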

Then update line 172 to use finalQuery instead of baseQuery:

-	const { cursor, totalCount } = Rooms.findPaginated(baseQuery, {
+	const { cursor, totalCount } = Rooms.findPaginated(finalQuery, {
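Review bot: switching `Rooms.findPaginated(baseQuery, …)` to `finalQuery` is only safe if nothing later in the method still reads `baseQuery` expecting the merged conditions, since with the spread the base object is no longer mutated; worth a quick check of the rest of the method body before applying the suggestion.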
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 820f30f and e19986a.

📒 Files selected for processing (5)
  • apps/meteor/ee/server/api/abac/index.ts (2 hunks)
  • apps/meteor/ee/server/api/abac/schemas.ts (2 hunks)
  • apps/meteor/tests/end-to-end/api/abac.ts (1 hunks)
  • ee/packages/abac/src/index.ts (1 hunks)
  • packages/core-services/src/types/IAbacService.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.
📚 Learning: 2025-10-24T17:32:05.348Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

  • packages/core-services/src/types/IAbacService.ts
  • apps/meteor/ee/server/api/abac/schemas.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
  • ee/packages/abac/src/index.ts
📚 Learning: 2025-10-27T14:38:46.994Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

  • packages/core-services/src/types/IAbacService.ts
  • apps/meteor/ee/server/api/abac/schemas.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
🧬 Code graph analysis (5)
packages/core-services/src/types/IAbacService.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
apps/meteor/ee/server/api/abac/schemas.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
apps/meteor/ee/server/api/abac/index.ts (3)
apps/meteor/ee/server/api/abac/schemas.ts (2)
  • GETAbacRoomsResponseValidator (256-256)
  • GETAbacRoomsListQueryValidator (232-232)
packages/rest-typings/src/v1/Ajv.ts (1)
  • validateUnauthorizedErrorResponse (70-70)
packages/core-services/src/index.ts (1)
  • Abac (202-202)
apps/meteor/tests/end-to-end/api/abac.ts (2)
apps/meteor/tests/data/api-data.ts (2)
  • request (10-10)
  • credentials (39-42)
apps/meteor/tests/e2e/utils/create-target-channel.ts (1)
  • deleteTeam (66-68)
ee/packages/abac/src/index.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
🔇 Additional comments (4)
packages/core-services/src/types/IAbacService.ts (1)

19-24: LGTM! Well-structured interface addition.

The new listAbacRooms method follows the same pagination and filtering pattern as listAbacAttributes, maintaining consistency across the service interface.

apps/meteor/tests/end-to-end/api/abac.ts (1)

1578-1917: LGTM! Comprehensive test coverage.

The test suite thoroughly covers the new ABAC rooms listing endpoint including:

  • Baseline listing and filtering (by room name, attribute key, value, and all)
  • Pagination behavior
  • Edge cases (rooms without attributes, public rooms, default rooms, team rooms)
  • Authorization checks
  • Dynamic behavior (listing updates after attribute removal)

The nested describe block for team main rooms provides additional focused coverage without duplication.

ee/packages/abac/src/index.ts (1)

125-186: LGTM! Solid implementation with good security practices.

The listAbacRooms method correctly:

  • Filters for private rooms only (t: 'p') as per learnings
  • Uses escapeRegExp to prevent regex injection
  • Implements flexible filtering by room name, attribute key, value, or all
  • Returns paginated results with proper metadata
apps/meteor/ee/server/api/abac/index.ts (1)

286-313: LGTM! Endpoint follows established patterns.

The new GET endpoint correctly:

  • Requires authentication and abac-management permission
  • Uses appropriate validators for query and response
  • Extracts pagination and filtering parameters properly
  • Delegates to the service layer

Note: Consistent with the GET /abac/attributes endpoint, this doesn't check ABAC_Enabled, allowing administrators to list ABAC-managed rooms even when the feature is disabled (useful for cleanup/migration scenarios).

@KevLehman KevLehman force-pushed the feat/abac-rooms-endp branch from 639ce68 to 61716e0 Compare November 18, 2025 16:25
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/meteor/tests/end-to-end/api/abac.ts (1)

1577-1917: ABAC rooms listing tests are thorough and aligned with ABAC invariants

This suite does a good job validating the new /abac/rooms endpoint:

  • Baseline visibility: only private rooms with abacAttributes (including team main rooms) are listed; public rooms, default rooms, and non-ABAC private/team rooms are excluded.
  • Attribute lifecycle: rooms disappear after attributes are removed and reappear when re‑added.
  • Filtering: filterType variants (roomName, attribute, value, all) behave as expected.
  • Pagination and unauthorized access are exercised.
  • Setup/teardown look correct; created rooms and teams are cleaned up.

Optional: consider adding a small test that omits filterType entirely to lock in the “default = all” behavior end‑to‑end.

Based on learnings

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e19986a and 61716e0.

📒 Files selected for processing (5)
  • apps/meteor/ee/server/api/abac/index.ts (2 hunks)
  • apps/meteor/ee/server/api/abac/schemas.ts (2 hunks)
  • apps/meteor/tests/end-to-end/api/abac.ts (1 hunks)
  • ee/packages/abac/src/index.ts (1 hunks)
  • packages/core-services/src/types/IAbacService.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (5)
packages/core-services/src/types/IAbacService.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
apps/meteor/ee/server/api/abac/schemas.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
apps/meteor/ee/server/api/abac/index.ts (3)
apps/meteor/ee/server/api/abac/schemas.ts (3)
  • GETAbacRoomsResponseValidator (262-262)
  • GenericErrorSchema (220-220)
  • GETAbacRoomsListQueryValidator (235-235)
packages/rest-typings/src/v1/Ajv.ts (1)
  • validateUnauthorizedErrorResponse (70-70)
packages/core-services/src/index.ts (1)
  • Abac (202-202)
apps/meteor/tests/end-to-end/api/abac.ts (2)
apps/meteor/tests/data/api-data.ts (2)
  • request (10-10)
  • credentials (39-42)
apps/meteor/tests/e2e/utils/create-target-channel.ts (1)
  • deleteTeam (66-68)
ee/packages/abac/src/index.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: 🔨 Test Storybook / Test Storybook
  • GitHub Check: 🔨 Test Unit / Unit Tests
  • GitHub Check: 🔎 Code Check / TypeScript
  • GitHub Check: 🔎 Code Check / Code Lint
  • GitHub Check: 📦 Meteor Build (coverage)
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (3)
packages/core-services/src/types/IAbacService.ts (1)

19-24: listAbacRooms signature is consistent with service and API usage

The method shape (filters, pagination, return payload) aligns with AbacService.listAbacRooms and the /abac/rooms endpoint; the filterType union also matches the tests and AJV schema. No changes needed.

ee/packages/abac/src/index.ts (1)

125-186: listAbacRooms implementation correctly targets private ABAC‑managed rooms

The query restriction (t: 'p' plus non‑empty abacAttributes) and the filter modes (roomName/attribute/value/all) are consistent with the ABAC model (only private rooms and team main rooms can be ABAC‑managed). Pagination via Rooms.findPaginated mirrors the attributes listing and returns a clean { rooms, offset, count, total } payload. Looks solid.

Based on learnings

apps/meteor/ee/server/api/abac/index.ts (1)

16-18: GET /abac/rooms endpoint is correctly wired to the service and validators

The new route:

  • Enforces auth and abac-management permission.
  • Uses GETAbacRoomsListQueryValidator and getPaginationItems for pagination and filters.
  • Delegates to Abac.listAbacRooms({ offset, count, filter, filterType }).
  • Returns via API.v1.success(result), matching the service payload.

Once GETAbacRoomsResponseSchema is updated to allow the success property (see schemas.ts comment), this endpoint should validate and behave as intended.

Also applies to: 286-312

@KevLehman KevLehman merged commit 584180b into feat/abac Nov 18, 2025
49 checks passed
@KevLehman KevLehman deleted the feat/abac-rooms-endp branch November 18, 2025 17:32