regression: Remove abac rooms from the audition of user messages

[KevLehman]

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC-107

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• New Features

  • Audit messages by user now automatically exclude ABAC-managed private rooms from results.

• Tests

  • Added comprehensive test suite validating audit message retrieval with ABAC-managed rooms.
  • Improved error handling in audit tests.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0d51487

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This PR prevents auditGetMessages from returning messages on ABAC-managed rooms when filtering by user type. The fix adds logic to fetch private ABAC-enabled room IDs and exclude them from the message query. A new Rooms model method is added to retrieve all private rooms with ABAC attributes, enabling this filtering behavior.

Changes

Cohort / File(s)	Summary
Rooms Model Enhancement packages/model-typings/src/models/IRoomsModel.ts, packages/models/src/models/Rooms.ts	Added new public method findAllPrivateRoomsWithAbacAttributes to retrieve all private rooms with ABAC attributes.
Audit Message ABAC Filtering apps/meteor/ee/server/lib/audit/methods.ts	Modified auditGetMessages to exclude private ABAC-enabled rooms from message query when user type filter is 'u'.
Test Suite & Utilities apps/meteor/tests/end-to-end/api/abac.ts	Added new test suite validating audit message retrieval with ABAC-managed rooms across three scenarios: user in ABAC room, user removed from ABAC management, and ABAC attribute removed.
Audit Test Safety apps/meteor/tests/end-to-end/api/audit.ts	Updated field access to use optional chaining (audition.fields?.rids?.includes(...)) for safer undefined handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Extra attention areas:
  • ABAC filtering logic in auditGetMessages method and correctness of the $nin exclusion pattern
  • Implementation of findAllPrivateRoomsWithAbacAttributes and query accuracy for private rooms with non-empty abacAttributes
  • New test suite coverage and scenario validation, especially ABAC attribute attachment/removal simulations
  • Ensure the optional chaining fix in audit.ts doesn't mask legitimate errors

Possibly related PRs

• fix: Prevent audit messages from reading abac rooms #37820: Directly related — both PRs modify auditGetMessages to prevent reading ABAC-managed rooms through ABAC-based filtering.
• feat: Prevent LDAP sync from adding users to abac rooms/teams #37299: Related — both PRs add and use private-room ABAC-aware finder methods to apply ABAC room checks in different contexts.
• feat: New endpoint for showing ABAC managed rooms  #37536: Related — both PRs modify ABAC test coverage in the same test file (apps/meteor/tests/end-to-end/api/abac.ts).

Suggested reviewers

• tassoevan
• MartinSchoeler

Poem

🐰 A rabbit hops through audit logs with care,
ABAC rooms now hidden from the snare,
Private chambers stay secure and sound,
With filtering whiskers, no leaks are found!
Hopping through tests, our checks are tight—
Rabbit-approved, the code is right! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The PR successfully implements the core requirement from ABAC-107: excluding ABAC rooms from auditGetMessages when type is 'u', with comprehensive test coverage validating the exclusion behavior.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the ABAC-107 objective; new model methods support ABAC room filtering, tests validate exclusion behavior, and audit logic implements the filtering requirement.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The PR title 'regression: Remove abac rooms from the audition of user messages' accurately describes the main change—filtering out ABAC rooms from user message audits—matching the core objective of the linked issue ABAC-107.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/audit-messages-by-user-abac

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.2GiB	1.2GiB	+12MiB
rocketchat	358MiB	347MiB	+12MiB
omnichannel-transcript-service	132MiB	132MiB	-1.3KiB
queue-worker-service	132MiB	132MiB	-2.7KiB
ddp-streamer-service	126MiB	126MiB	-1.1KiB
account-service	113MiB	113MiB	+33B
authorization-service	111MiB	111MiB	-595B
stream-hub-service	111MiB	111MiB	-1.3KiB
presence-service	111MiB	111MiB	-322B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 03:02", "12/20 03:08 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Loading

Statistics (last 26 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.2GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-37892
• Baseline: develop
• Timestamp: 2025-12-20 03:08:51 UTC
• Historical data points: 26

---

Updated: Sat, 20 Dec 2025 03:08:51 GMT

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/meteor/ee/server/lib/audit/methods.ts (1)

163-171: Consider query efficiency for ABAC room exclusion in user audits.

When auditing messages by user (type === 'u'), the code fetches all private ABAC-enabled room IDs and excludes them via $nin. While the projection optimizes the query to { _id: 1 }, the $nin operator with a potentially large array may not be the most efficient approach if ABAC room counts grow significantly.

The current implementation is reasonable given that:

• The method is rate-limited (10 calls per 60 seconds)
• The branch only executes for user audit queries
• ABAC rooms are typically a minority of all rooms

If this becomes a bottleneck with scale, consider using $in with a positive match on non-ABAC rooms instead, or evaluating alternative filtering strategies.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cc3a99f and 1bc4b61.

📒 Files selected for processing (5)

• apps/meteor/ee/server/lib/audit/methods.ts (1 hunks)
• apps/meteor/tests/end-to-end/api/abac.ts (1 hunks)
• apps/meteor/tests/end-to-end/api/audit.ts (1 hunks)
• packages/model-typings/src/models/IRoomsModel.ts (1 hunks)
• packages/models/src/models/Rooms.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/model-typings/src/models/IRoomsModel.ts
• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts
• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

🧠 Learnings (20)

📓 Common learnings

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

📚 Learning: 2025-11-27T17:56:26.050Z

Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

• packages/model-typings/src/models/IRoomsModel.ts
• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts
• apps/meteor/tests/end-to-end/api/abac.ts

📚 Learning: 2025-10-24T17:32:05.348Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

• packages/model-typings/src/models/IRoomsModel.ts
• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts
• apps/meteor/tests/end-to-end/api/abac.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

• packages/model-typings/src/models/IRoomsModel.ts
• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

• packages/model-typings/src/models/IRoomsModel.ts
• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts

📚 Learning: 2025-10-27T14:38:46.994Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

• packages/models/src/models/Rooms.ts
• apps/meteor/ee/server/lib/audit/methods.ts
• apps/meteor/tests/end-to-end/api/abac.ts

📚 Learning: 2025-09-16T13:33:49.237Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: The im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). Constructing slug-like identifiers like `user2${Users.userE2EE.data.username}` doesn't work for this endpoint.

Applied to files:

• apps/meteor/ee/server/lib/audit/methods.ts

📚 Learning: 2025-10-28T16:53:42.761Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.

Applied to files:

• apps/meteor/ee/server/lib/audit/methods.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : All test files must be created in `apps/meteor/tests/e2e/` directory

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/page-objects/**/*.ts : Utilize existing page objects pattern from `apps/meteor/tests/e2e/page-objects/`

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/abac.ts
• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.{ts,spec.ts} : Follow Page Object Model pattern consistently in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Prefer web-first assertions (`toBeVisible`, `toHaveText`, etc.) in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure clean state for each test execution in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.step()` for complex test scenarios to improve organization in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/audit.ts

📚 Learning: 2025-12-10T21:00:54.909Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.

Applied to files:

• apps/meteor/tests/end-to-end/api/audit.ts

🧬 Code graph analysis (3)

packages/model-typings/src/models/IRoomsModel.ts (1)

packages/core-typings/src/IRoom.ts (1)

• IRoom (22-98)

packages/models/src/models/Rooms.ts (1)

packages/core-typings/src/IRoom.ts (1)

• IRoom (22-98)

apps/meteor/tests/end-to-end/api/abac.ts (2)

apps/meteor/tests/data/users.helper.ts (1)

• createUser (45-78)

apps/meteor/tests/data/api-data.ts (3)

• request (10-10)
• credentials (39-42)
• methodCall (50-52)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🔇 Additional comments (4)

packages/model-typings/src/models/IRoomsModel.ts (1)

237-237: LGTM!

The method signature follows established patterns and complements the existing findPrivateRoomsByIdsWithAbacAttributes method by retrieving all private ABAC-enabled rooms without requiring specific IDs.

packages/models/src/models/Rooms.ts (1)

1314-1321: LGTM!

The implementation correctly queries for private rooms with non-empty ABAC attributes. The query pattern is consistent with the existing findPrivateRoomsByIdsWithAbacAttributes method (lines 1304-1312), and the private-room filter aligns with the constraint that ABAC attributes can only be set on private rooms.

Based on learnings, ABAC attributes can only be set on private rooms (type 'p'), making the t: 'p' filter appropriate.

apps/meteor/tests/end-to-end/api/audit.ts (1)

139-139: LGTM!

Adding optional chaining prevents potential runtime errors if fields or rids are undefined. In the find() context, an undefined return value simply won't match, which is safe and appropriate behavior for querying audit entries.

apps/meteor/tests/end-to-end/api/abac.ts (1)

419-578: Well-structured ABAC audit test suite.

The new test suite comprehensively validates ABAC-based audit filtering across three key scenarios:

1. User in ABAC-managed room (expect no audit results)
2. User kicked from ABAC-managed room (historical messages still excluded)
3. Room loses ABAC attributes (messages become auditable)

The test setup properly creates audit users, ABAC attributes, and rooms, and teardown ensures cleanup. The test expectations correctly validate the intended behavior of excluding ABAC-managed room messages from user-type audit queries.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.67%. Comparing base (7b851e6) to head (34bfe14).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #37892      +/-   ##
===========================================
- Coverage    67.70%   67.67%   -0.03%     
===========================================
  Files         3476     3476              
  Lines       113895   113895              
  Branches     20956    20956              
===========================================
- Hits         77111    77080      -31     
- Misses       34597    34626      +29     
- Partials      2187     2189       +2     

Flag	Coverage Δ
e2e	57.13% <ø> (-0.06%)	⬇️
e2e-api	43.99% <ø> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.