fix: Add name to object being audited on access grant

[KevLehman]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Refactor
  • Updated internal access control mechanisms to handle room information more comprehensively, improving data consistency in system audits.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: ad9aa80

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This PR updates the ABAC service's checkUsernamesMatchAttributes method signature to accept an IRoom object instead of just a room ID string. Call sites and tests are updated accordingly, enabling richer audit logging with both room ID and name.

Changes

Cohort / File(s)	Summary
ABAC Service Interface and Implementation packages/core-services/src/types/IAbacService.ts, ee/packages/abac/src/index.ts	Updated checkUsernamesMatchAttributes method signature to accept object: IRoom instead of objectId: string. Audit payload now includes both object._id and object.name instead of just the ID.
Hook Call Site apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts	Updated invocation of checkUsernamesMatchAttributes to pass the entire room object instead of room._id.
Tests ee/packages/abac/src/service.spec.ts	Updated test expectations and assertions to pass room object instead of string ID to checkUsernamesMatchAttributes calls.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify that all call sites of checkUsernamesMatchAttributes have been updated consistently across the codebase
• Confirm that audit payload enrichment (addition of object.name) is correct and consistent with audit logging requirements
• Check test coverage for both successful matches and error cases with the new object parameter

Possibly related PRs

• #37837: Modifies ABAC auditing and room payloads in ee/packages/abac/src/index.ts, including room name in audit records
• #37506: Updates AbacService implementation with method signature and object handling changes
• #37576: Adds abacAttributes to adminRooms projection, ensuring room data is available for the updated service method

Suggested reviewers

• MartinSchoeler
• d-gubert

Poem

🐰 A room, not just an ID we send,
Rich context where the checks extend,
Audit logs now bloom and shine,
With names and IDs in perfect line!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding the name field to the audited object during access grant operations, which aligns with all file modifications across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/name-on-granted-access

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.2GiB	1.2GiB	+12MiB
rocketchat	358MiB	347MiB	+12MiB
omnichannel-transcript-service	132MiB	132MiB	-2.6KiB
queue-worker-service	132MiB	132MiB	+3.1KiB
ddp-streamer-service	126MiB	126MiB	-2.2KiB
account-service	113MiB	113MiB	-5.1KiB
authorization-service	111MiB	110MiB	+55KiB
stream-hub-service	110MiB	110MiB	-8.8KiB
presence-service	110MiB	110MiB	-7.7KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 16:13", "12/17 17:48 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Loading

Statistics (last 23 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.2GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-37856
• Baseline: develop
• Timestamp: 2025-12-17 17:48:54 UTC
• Historical data points: 23

---

Updated: Wed, 17 Dec 2025 17:48:54 GMT

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

ee/packages/abac/src/index.ts (1)

487-490: Remove the obsolete TODO comment.

The TODO comment on line 488 is now obsolete since the room name is being added to the audit payload on line 489.

Apply this diff to remove the TODO comment:

-		usernames.forEach((username) => {
-			// TODO: Add room name
+		usernames.forEach((username) => {
 			void Audit.actionPerformed({ username }, { _id: object._id, name: object.name }, 'system', 'granted-object-access');
 		});

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7ace894 and ad9aa80.

📒 Files selected for processing (4)

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1 hunks)
• ee/packages/abac/src/index.ts (2 hunks)
• ee/packages/abac/src/service.spec.ts (5 hunks)
• packages/core-services/src/types/IAbacService.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts
• packages/core-services/src/types/IAbacService.ts
• ee/packages/abac/src/service.spec.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• ee/packages/abac/src/service.spec.ts

🧠 Learnings (13)

📓 Common learnings

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

📚 Learning: 2025-11-27T17:56:26.050Z

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts
• packages/core-services/src/types/IAbacService.ts
• ee/packages/abac/src/service.spec.ts

📚 Learning: 2025-10-27T14:38:46.994Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts
• packages/core-services/src/types/IAbacService.ts

📚 Learning: 2025-10-24T17:32:05.348Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts
• packages/core-services/src/types/IAbacService.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts

📚 Learning: 2025-10-28T16:53:42.761Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
• ee/packages/abac/src/index.ts

📚 Learning: 2025-11-04T16:49:19.107Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: UserBridge.doGetUserRoomIds in packages/apps-engine/src/server/bridges/UserBridge.ts has a bug where it implicitly returns undefined when the app lacks read permission (missing return statement in the else case of the permission check).

Applied to files:

• apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

• ee/packages/abac/src/service.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

• ee/packages/abac/src/service.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

• ee/packages/abac/src/service.spec.ts

📚 Learning: 2025-12-10T21:00:43.645Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:43.645Z
Learning: Adopt the monorepo-wide Jest testMatch pattern: <rootDir>/src/**/*.spec.{ts,js,mjs} (represented here as '**/src/**/*.spec.{ts,js,mjs}') to ensure spec files under any package's src directory are picked up consistently across all packages in the Rocket.Chat monorepo. Apply this pattern in jest.config.ts for all relevant packages to maintain uniform test discovery.

Applied to files:

• ee/packages/abac/src/service.spec.ts

🧬 Code graph analysis (2)

apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1)

packages/core-services/src/index.ts (1)

• Abac (202-202)

ee/packages/abac/src/index.ts (3)

packages/core-typings/src/IAbacAttribute.ts (1)

• IAbacAttributeDefinition (3-14)

packages/core-typings/src/IRoom.ts (1)

• IRoom (22-98)

ee/packages/abac/src/audit.ts (1)

• Audit (30-148)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: 🔨 Test API (EE) / MongoDB 8.2 coverage (1/1)

🔇 Additional comments (4)

packages/core-services/src/types/IAbacService.ts (1)

41-41: LGTM! Interface signature updated to support richer audit logging.

The signature change from objectId: string to object: IRoom enables the method to access room properties like name for audit logging, which aligns with the PR objective. The change is coordinated across all implementations and call sites.

apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1)

21-21: LGTM! Call site updated to match the new signature.

The invocation now passes the entire room object instead of just room._id, enabling richer audit logging with the room name included.

ee/packages/abac/src/service.spec.ts (1)

1040-1042: LGTM! Test calls updated to match the new signature.

All test invocations now pass a structured object { _id: 'xxxxx', name: 'name' } instead of a plain string, which aligns with the updated method signature and enables testing of the audit payload that now includes the room name.

Also applies to: 1047-1047, 1059-1061, 1092-1094, 1108-1110, 1127-1129

ee/packages/abac/src/index.ts (1)

466-466: LGTM! Method signature updated to accept room object.

The signature change from objectId: string to object: IRoom matches the interface definition and enables access to room properties for audit logging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/abac@7ace894). Learn more about missing BASE report.

Additional details and impacted files

@@             Coverage Diff              @@
##             feat/abac   #37856   +/-   ##
============================================
  Coverage             ?   54.38%           
============================================
  Files                ?     2639           
  Lines                ?    50102           
  Branches             ?    11212           
============================================
  Hits                 ?    27248           
  Misses               ?    20679           
  Partials             ?     2175           

Flag	Coverage Δ
e2e	57.38% <ø> (?)
e2e-api	43.72% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.