@KevLehman KevLehman commented Dec 1, 2025

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores
    • Audit records now include room names alongside identifiers for improved traceability.
    • ABAC room operations now return room names in their visible payloads so actions reference both room ID and name.


dionisio-bot bot commented Dec 1, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

changeset-bot bot commented Dec 1, 2025

⚠️ No Changeset found

Latest commit: 18564ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

coderabbitai bot commented Dec 1, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The PR adds the room name to ABAC room projections and includes name in audit identity objects; it also updates the MinimalRoom type to include name.

Changes

Cohort / File(s) Summary
ABAC service room projections & audits
ee/packages/abac/src/index.ts
Added name to the picked IRoom projection (e.g., Pick<IRoom, ... 'name'>) and to projection objects; audit calls updated to pass room identity as { _id: room._id, name: room.name } instead of { _id: room._id }.
ABAC audit typings
packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
Updated MinimalRoom from Pick<IRoom, '_id'> to Pick<IRoom, '_id' | 'name'> to reflect inclusion of room name in audit payloads.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Repetitive, consistent edits: projection fields and audit payloads
  • Check: all audit call sites and projections uniformly include name

Possibly related PRs

Suggested reviewers

  • tassoevan

Poem

🐰 I hopped through code with a nibble and grin,
Found room names missing — I added them in!
Audits now hum with identity bright,
Projections refreshed — everything's right. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding the room name property to audit payloads and type definitions across ABAC-related operations.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 508b8ee and 18564ca.

📒 Files selected for processing (1)
  • ee/packages/abac/src/index.ts (12 hunks)

github-actions bot commented Dec 1, 2025

📦 Docker Image Size Report

📈 Changes

Service Current Baseline Change Percent
sum of all images 1.2GiB 1.2GiB +12MiB
rocketchat 359MiB 347MiB +12MiB
omnichannel-transcript-service 132MiB 132MiB +9.4KiB
queue-worker-service 132MiB 132MiB +13KiB
ddp-streamer-service 127MiB 127MiB +9.7KiB
account-service 114MiB 114MiB +8.9KiB
authorization-service 111MiB 111MiB +60KiB
stream-hub-service 111MiB 111MiB +8.4KiB
presence-service 111MiB 111MiB +12KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 15:59", "12/01 16:35 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Statistics (last 10 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37655
  • Baseline: develop
  • Timestamp: 2025-12-01 16:35:56 UTC
  • Historical data points: 10

Updated: Mon, 01 Dec 2025 16:35:56 GMT

codecov bot commented Dec 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/abac@abdc79e). Learn more about missing BASE report.

Additional details and impacted files

@@             Coverage Diff              @@
##             feat/abac   #37655   +/-   ##
============================================
  Coverage             ?   54.31%           
============================================
  Files                ?     2657           
  Lines                ?    50112           
  Branches             ?    11207           
============================================
  Hits                 ?    27219           
  Misses               ?    20718           
  Partials             ?     2175           
Flag Coverage Δ
e2e 57.30% <ø> (?)
e2e-api 43.66% <ø> (?)

Flags with carried forward coverage won't be shown.

@KevLehman KevLehman marked this pull request as ready for review December 1, 2025 17:43
@KevLehman KevLehman requested a review from a team as a code owner December 1, 2025 17:43
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
ee/packages/abac/src/index.ts (3)

285-315: Adding name to room projection and audits for setRoomAbacAttributes looks good

Fetching name in the findOneByIdAndType projection and passing { _id: room._id, name: room.name } into Audit.objectAttributesRemoved / Audit.objectAttributeChanged cleanly enriches object identity in ABAC audits without changing behavior.

If you want to reduce repetition, consider a small alias for this recurring room shape (and maybe a shared projection constant) reused across these ABAC methods, but this is purely optional.


387-439: Include name in the key-updated audit for consistency

In updateRoomAbacAttributeValues, the key-added path already sends { _id: room._id, name: room.name } to Audit.objectAttributeChanged, but the key-updated path still sends only { _id: room._id }. This makes audit payloads inconsistent even though name is available from the projection.

Suggest aligning the key-updated branch:

-		await Rooms.updateAbacAttributeValuesArrayFilteredById(rid, key, values);
-		void Audit.objectAttributeChanged({ _id: room._id }, room.abacAttributes || [], [{ key, values }], 'key-updated', actor);
+		await Rooms.updateAbacAttributeValuesArrayFilteredById(rid, key, values);
+		void Audit.objectAttributeChanged(
+			{ _id: room._id, name: room.name },
+			room.abacAttributes || [],
+			[{ key, values }],
+			'key-updated',
+			actor,
+		);
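
Review bot: The added `void Audit.objectAttributeChanged(` call discards its result, so if the audit write fails after `Rooms.updateAbacAttributeValuesArrayFilteredById(rid, key, values)` has already been awaited, the attribute change is persisted with no audit record and nothing surfaces the failure. Assuming the call returns a promise, attach a rejection handler that logs the failure, or await it, so that a missing 'key-updated' audit entry is detectable. Separately, `room.name` may be undefined for rooms without a name, so anything consuming this payload should keep correlating on `_id` and treat `name` as a display aid only.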

446-480: Also attach name when removing the last ABAC attribute from a room

In removeRoomAbacAttribute, the non-last-attribute path correctly calls Audit.objectAttributeRemoved({ _id: room._id, name: room.name }, ...), but the “last attribute” path still uses { _id: room._id } with Audit.objectAttributesRemoved, so some object-removal audits will have name while others will not.

Since name is now projected, you can make this consistent:

-		// if is the last attribute, just remove all
+		// if is the last attribute, just remove all
 		if (previous.length === 1) {
 			await Rooms.unsetAbacAttributesById(rid);
-			void Audit.objectAttributesRemoved({ _id: room._id }, previous, actor);
+			void Audit.objectAttributesRemoved({ _id: room._id, name: room.name }, previous, actor);
 
 			return;
 		}
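
Review bot: The first `-`/`+` pair, on the `// if is the last attribute, just remove all` comment, is textually identical on both sides, so it is a no-op change that only adds noise to the suggestion; restrict the suggestion to the `Audit.objectAttributesRemoved` line. The substantive change is sound as shown: `name` is read from the `room` object fetched before `Rooms.unsetAbacAttributesById(rid)` runs, so the audit entry for the last-attribute path carries the same `{ _id, name }` identity as the other removal path.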
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between abdc79e and 508b8ee.

📒 Files selected for processing (2)
  • ee/packages/abac/src/index.ts (11 hunks)
  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
  • ee/packages/abac/src/index.ts
🧠 Learnings (5)
📚 Learning: 2025-11-27T17:56:26.050Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
  • ee/packages/abac/src/index.ts
📚 Learning: 2025-10-24T17:32:05.348Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

  • ee/packages/abac/src/index.ts
📚 Learning: 2025-10-27T14:38:46.994Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

  • ee/packages/abac/src/index.ts
📚 Learning: 2025-10-28T16:53:42.761Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.

Applied to files:

  • ee/packages/abac/src/index.ts
🧬 Code graph analysis (2)
packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
ee/packages/abac/src/index.ts (4)
packages/models/src/index.ts (1)
  • Rooms (207-207)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
ee/packages/abac/src/audit.ts (1)
  • Audit (29-142)
packages/core-services/src/types/IAbacService.ts (1)
  • AbacActor (11-11)
🔇 Additional comments (3)
packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (1)

3-4: MinimalRoom including name aligns with updated ABAC audits

Extending MinimalRoom to include name matches the new audit payloads and remains type-safe since IRoom.name is optional; this should be a non-breaking, useful enhancement for consumers of ABAC audit events.

ee/packages/abac/src/index.ts (2)

485-513: addRoomAbacAttributeByKey room projection and audits are consistent

The updated findOneByIdAndType projection (including name) and the Audit.objectAttributeChanged({ _id: room._id, name: room.name }, ...) call are consistent with the new MinimalRoom shape and with other ABAC methods; behavior and typing both look correct.


515-565: replaceRoomAbacAttributeByKey correctly enriches all object audits with room name

Both the key-updated and key-added branches now pass { _id: room._id, name: room.name } to Audit.objectAttributeChanged, matching the new room projection and ensuring these audits always include room name when available. No functional or typing issues here.

@KevLehman KevLehman merged commit 3726aff into feat/abac Dec 1, 2025
2 of 4 checks passed
@KevLehman KevLehman deleted the chore/name-audit branch December 1, 2025 17:48
@coderabbitai coderabbitai bot mentioned this pull request Dec 10, 2025