From 2bb605cb566a5bed72c5d05e74d7e1a6e3aefeae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20V=C3=A9lez?= <pablovv2012@gmail.com>
Date: Thu, 12 Feb 2026 01:07:15 -0500
Subject: [PATCH] MM-66625 - Drop EnableChannelScopeAccessControl; use
 permission system only (#35232)

---
 e2e-tests/playwright/lib/src/server/default_config.ts       | 1 -
 server/config/client.go                                     | 1 -
 server/config/client_test.go                                | 5 -----
 server/public/model/config.go                               | 5 -----
 .../access_control/policy_details/policy_details.test.tsx   | 1 -
 .../channel/details/channel_level_access_rules.test.tsx     | 1 -
 .../src/selectors/entities/access_control.ts                | 6 ------
 webapp/channels/src/selectors/general.ts                    | 6 +++---
 webapp/platform/types/src/config.ts                         | 2 --
 9 files changed, 3 insertions(+), 25 deletions(-)

diff --git a/e2e-tests/playwright/lib/src/server/default_config.ts b/e2e-tests/playwright/lib/src/server/default_config.ts
index d516bca7ee0..eaeb40c7417 100644
--- a/e2e-tests/playwright/lib/src/server/default_config.ts
+++ b/e2e-tests/playwright/lib/src/server/default_config.ts
@@ -808,7 +808,6 @@ const defaultServerConfig: AdminConfig = {
     },
     AccessControlSettings: {
         EnableAttributeBasedAccessControl: false,
-        EnableChannelScopeAccessControl: true,
         EnableUserManagedAttributes: false,
     },
     ContentFlaggingSettings: {
diff --git a/server/config/client.go b/server/config/client.go
index ca30f260272..78d8337091e 100644
--- a/server/config/client.go
+++ b/server/config/client.go
@@ -159,7 +159,6 @@ func GenerateClientConfig(c *model.Config, telemetryID string, license *model.Li
 	props["UniqueEmojiReactionLimitPerPost"] = strconv.FormatInt(int64(*c.ServiceSettings.UniqueEmojiReactionLimitPerPost), 10)
 
 	props["EnableAttributeBasedAccessControl"] = strconv.FormatBool(*c.AccessControlSettings.EnableAttributeBasedAccessControl)
-	props["EnableChannelScopeAccessControl"] = strconv.FormatBool(*c.AccessControlSettings.EnableChannelScopeAccessControl)
 	props["EnableUserManagedAttributes"] = strconv.FormatBool(*c.AccessControlSettings.EnableUserManagedAttributes)
 
 	props["WranglerPermittedWranglerRoles"] = strings.Join(c.WranglerSettings.PermittedWranglerRoles, ",")
diff --git a/server/config/client_test.go b/server/config/client_test.go
index 84aef530509..31aff1f1b85 100644
--- a/server/config/client_test.go
+++ b/server/config/client_test.go
@@ -343,7 +343,6 @@ func TestGetClientConfig(t *testing.T) {
 			&model.Config{
 				AccessControlSettings: model.AccessControlSettings{
 					EnableAttributeBasedAccessControl: model.NewPointer(true),
-					EnableChannelScopeAccessControl:   model.NewPointer(true),
 					EnableUserManagedAttributes:       model.NewPointer(true),
 				},
 			},
@@ -351,7 +350,6 @@ func TestGetClientConfig(t *testing.T) {
 			nil,
 			map[string]string{
 				"EnableAttributeBasedAccessControl": "true",
-				"EnableChannelScopeAccessControl":   "true",
 				"EnableUserManagedAttributes":       "true",
 			},
 		},
@@ -360,7 +358,6 @@ func TestGetClientConfig(t *testing.T) {
 			&model.Config{
 				AccessControlSettings: model.AccessControlSettings{
 					EnableAttributeBasedAccessControl: model.NewPointer(false),
-					EnableChannelScopeAccessControl:   model.NewPointer(false),
 					EnableUserManagedAttributes:       model.NewPointer(false),
 				},
 			},
@@ -368,7 +365,6 @@ func TestGetClientConfig(t *testing.T) {
 			nil,
 			map[string]string{
 				"EnableAttributeBasedAccessControl": "false",
-				"EnableChannelScopeAccessControl":   "false",
 				"EnableUserManagedAttributes":       "false",
 			},
 		},
@@ -379,7 +375,6 @@ func TestGetClientConfig(t *testing.T) {
 			nil,
 			map[string]string{
 				"EnableAttributeBasedAccessControl": "false",
-				"EnableChannelScopeAccessControl":   "true",
 				"EnableUserManagedAttributes":       "false",
 			},
 		},
diff --git a/server/public/model/config.go b/server/public/model/config.go
index 7ad5bf7b6b1..2a703d71e1c 100644
--- a/server/public/model/config.go
+++ b/server/public/model/config.go
@@ -3894,7 +3894,6 @@ func (s *ExportSettings) SetDefaults() {
 
 type AccessControlSettings struct {
 	EnableAttributeBasedAccessControl *bool
-	EnableChannelScopeAccessControl   *bool
 	EnableUserManagedAttributes       *bool `access:"write_restrictable"`
 }
 
@@ -3903,10 +3902,6 @@ func (s *AccessControlSettings) SetDefaults() {
 		s.EnableAttributeBasedAccessControl = NewPointer(false)
 	}
 
-	if s.EnableChannelScopeAccessControl == nil {
-		s.EnableChannelScopeAccessControl = NewPointer(true)
-	}
-
 	if s.EnableUserManagedAttributes == nil {
 		s.EnableUserManagedAttributes = NewPointer(false)
 	}
diff --git a/webapp/channels/src/components/admin_console/access_control/policy_details/policy_details.test.tsx b/webapp/channels/src/components/admin_console/access_control/policy_details/policy_details.test.tsx
index c1afeab5fef..1030f06d5bc 100644
--- a/webapp/channels/src/components/admin_console/access_control/policy_details/policy_details.test.tsx
+++ b/webapp/channels/src/components/admin_console/access_control/policy_details/policy_details.test.tsx
@@ -48,7 +48,6 @@ describe('components/admin_console/access_control/policy_details/PolicyDetails',
         policyId: 'policy1',
         accessControlSettings: {
             EnableAttributeBasedAccessControl: true,
-            EnableChannelScopeAccessControl: true,
             EnableUserManagedAttributes: false,
         },
         channels: [
diff --git a/webapp/channels/src/components/admin_console/team_channel_settings/channel/details/channel_level_access_rules.test.tsx b/webapp/channels/src/components/admin_console/team_channel_settings/channel/details/channel_level_access_rules.test.tsx
index 4c063169f73..895f833a892 100644
--- a/webapp/channels/src/components/admin_console/team_channel_settings/channel/details/channel_level_access_rules.test.tsx
+++ b/webapp/channels/src/components/admin_console/team_channel_settings/channel/details/channel_level_access_rules.test.tsx
@@ -37,7 +37,6 @@ jest.mock('../../../../channel_settings_modal/channel_access_rules_confirm_modal
 // Mock Redux selectors with stable references
 const mockAccessControlSettings = {
     EnableAttributeBasedAccessControl: true,
-    EnableChannelScopeAccessControl: true,
     EnableUserManagedAttributes: true,
 };
 
diff --git a/webapp/channels/src/packages/mattermost-redux/src/selectors/entities/access_control.ts b/webapp/channels/src/packages/mattermost-redux/src/selectors/entities/access_control.ts
index f63b16bb1cb..8ef2e32a3b8 100644
--- a/webapp/channels/src/packages/mattermost-redux/src/selectors/entities/access_control.ts
+++ b/webapp/channels/src/packages/mattermost-redux/src/selectors/entities/access_control.ts
@@ -25,17 +25,11 @@ export const getAccessControlSettings = createSelector(
         // Otherwise, build from client config (for regular users/channel admins)
         return {
             EnableAttributeBasedAccessControl: config?.EnableAttributeBasedAccessControl === 'true',
-            EnableChannelScopeAccessControl: config?.EnableChannelScopeAccessControl === 'true',
             EnableUserManagedAttributes: config?.EnableUserManagedAttributes === 'true',
         } as AccessControlSettings;
     },
 );
 
-export function isChannelScopeAccessControlEnabled(state: GlobalState): boolean {
-    const settings = getAccessControlSettings(state);
-    return settings?.EnableChannelScopeAccessControl || false;
-}
-
 export function getAccessControlPolicy(state: GlobalState, id: string) {
     return state.entities.admin.accessControlPolicies[id];
 }
diff --git a/webapp/channels/src/selectors/general.ts b/webapp/channels/src/selectors/general.ts
index a4b142aa096..d0d4287b7d3 100644
--- a/webapp/channels/src/selectors/general.ts
+++ b/webapp/channels/src/selectors/general.ts
@@ -35,7 +35,7 @@ export function isDevModeEnabled(state: GlobalState) {
 export function isChannelAccessControlEnabled(state: GlobalState): boolean {
     const accessControlSettings = getAccessControlSettings(state);
 
-    // Channel-level access control requires both main ABAC and channel scope
-    return accessControlSettings.EnableAttributeBasedAccessControl &&
-           accessControlSettings.EnableChannelScopeAccessControl;
+    // Channel-level access control requires main ABAC toggle
+    // Permission system (MANAGE_CHANNEL_ACCESS_RULES) handles granular access
+    return accessControlSettings.EnableAttributeBasedAccessControl;
 }
diff --git a/webapp/platform/types/src/config.ts b/webapp/platform/types/src/config.ts
index 3b8b720e395..019ef7719b7 100644
--- a/webapp/platform/types/src/config.ts
+++ b/webapp/platform/types/src/config.ts
@@ -236,7 +236,6 @@ export type ClientConfig = {
 
     // Access Control Settings
     EnableAttributeBasedAccessControl: string;
-    EnableChannelScopeAccessControl: string;
     EnableUserManagedAttributes: string;
 
     // Auto Translation Settings
@@ -1016,7 +1015,6 @@ export type ExportSettings = {
 
 export type AccessControlSettings = {
     EnableAttributeBasedAccessControl: boolean;
-    EnableChannelScopeAccessControl: boolean;
     EnableUserManagedAttributes: boolean;
 };