84 commits

Author	SHA1	Message	Date
Christopher Poile	03f2eaaa0b	[MM-68400] Four plugin hooks and ChannelGuard enforcement (#36152) ... * allow workflow_dispatch trigger for Server CI (for plugins CI) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [MM-68402] MBE Phase 2: declare four generic plugin hooks (#36291) * new hooks-only phase 2 * remove ChannelWillBeMoved * remove RecapWillBeProcessed and MessageWillBeRewrittenByAI Drop the AI/recap hooks from the new-hook surface; AI-LLM paths remain uncovered in tech preview and are documented as residuals. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * [MM-68403] MBE Phase 3: ChannelGuards primitive (storage + cache + plugin API) (#36365) * phase 3 * phase 3: register ChannelGuard mock in test setup helper NewChannels' startup-time call to reloadGuardCache invokes s.ChannelGuard().GetAll(); without an expectation on the mock store, every test that sets up the server with GetMockStoreForSetupFunctions panics during init. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * phase 3: register ChannelGuard mock in retrylayer test retrylayer.New walks every store getter to wrap it; without the mock expectation on ChannelGuard, TestRetry panics during layer construction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * use rctx properly in the store methods * phase 3: match rctx arg in testlib ChannelGuard mock GetAll now takes request.CTX, so the testify expectation must include mock.Anything; otherwise the call panics under the mocked store. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * phase 3: set api.ctx in TestChannelGuardLowercaseNormalization The test constructs PluginAPI directly without a ctx, which used to work when App.RegisterChannelGuard built its own EmptyContext. Now that the App methods take rctx from the caller, the nil ctx panics inside RequestContextWithMaster. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * [MM-68404] MBE Phase 4: App-layer plugin hook wiring (#36407) * phase 4 * Fix nil rctx in TestChannelGuardLowercaseNormalization The PluginAPI struct literal was missing ctx: rctx after a refactor moved the rctx declaration below the struct construction, leaving api.ctx as nil. This caused a nil pointer dereference in reloadGuardCache when RegisterChannelGuard called store.RequestContextWithMaster(nil). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * Remove ChannelWillBeMoved hook call from MoveChannel (phase 4) The hook and its ID were removed from mbe-phase-2 but the call site in MoveChannel and its i18n string were not cleaned up during the rebase. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * remove channel will be moved test * Remove RecapWillBeProcessed and MessageWillBeRewrittenByAI hook calls (phase 4) The hooks and their IDs were removed from mbe-phase-2 but the call sites in ProcessRecapChannel and RewriteMessage, their i18n strings, and their tests were not cleaned up during the rebase. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Revert channel_id plumbing on rewrite endpoint (phase 4) The channel_id field on RewriteRequest was added in phase 4 to feed the synthetic post passed to MessageWillBeRewrittenByAI. With that hook removed from mbe-phase-2, channel_id has no consumer; revert the field, the api4 validation, the app.RewriteMessage parameter, and the corresponding webapp client + hook plumbing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * [MM-68555] MBE Phase 5: Channel-guard enforcement + two-phase dispatch (#36473) * phase 5 * Bake plugin counter-file paths into source instead of env vars t.Setenv panics when an ancestor test calls t.Parallel, so the two channel-guard tests broke under ENABLE_FULLY_PARALLEL_TESTS in CI. Build each plugin source per-subtest with its temp file path embedded as a Go literal — same pattern as TestPluginUploadsAPI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Remove guarded helpers and tests for dropped hooks (phase 5) The runGuardedRecapWillBeProcessed and runGuardedMessageWillBeRewrittenByAI helpers were never wired (their app-layer call sites were already removed in the phase-4 cleanup), and the corresponding sub-tests across panic / allow / reject / partial plugins reference hooks that no longer exist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * [MM-68405] MBE Phase 6: fire MessagesWillBeConsumed on the edit path (#36475) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * rebase onto master --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-21 18:16:05 +00:00
Ibrahim Serdar Acikgoz	deafd88fd5	MM-68762: Discoverable Private Channels — Server data layer (#36539) ... * MM-68762: Add Postgres migrations for discoverable private channels Three online-safe migrations introduce the schema that supports the Discoverable Private Channels feature (PRs 2-5 of MM-68430 will land behind it): - 000175 adds Channels.Discoverable BOOLEAN NOT NULL DEFAULT FALSE. Metadata-only on Postgres >= 11; no table rewrite. - 000176 creates a partial index on (TeamId) WHERE Discoverable AND Type='P' AND DeleteAt=0 using CREATE INDEX CONCURRENTLY (-- morph:nontransactional) so the build never blocks writes on the populated Channels table. - 000177 creates the ChannelJoinRequests table with three indexes, the important one being the partial unique index on (ChannelId, UserId) WHERE Status = 'pending'. That keeps the full audit history intact while still enforcing at-most-one active pending request per (channel, user). Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add FeatureFlagDiscoverableChannels (default false) Gates the per-channel Discoverable toggle and the channel-join-request flow. Default-OFF so all PRs in the MM-68430 series can land on master without exposing partial UX. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add Discoverable + ChannelJoinRequest models - Channel gains a Discoverable bool, ChannelPatch a *bool, both serialized as 'discoverable'. Patch() applies it, Auditable() logs it, and IsValid() rejects Discoverable=true on any non-private channel so a misconfigured patch can never produce a public discoverable channel. - New ChannelJoinRequest type captures the per-row state of a non-member's request: pending -> approved | denied | withdrawn. Rows are append-only with reviewer and timestamps so the table is also the audit trail. IsValid() enforces: * recognized status, * Message and DenialReason rune limits, * DenialReason only on denied rows (no orphan reasons), * reviewer + reviewed_at present for any terminal review (approved / denied) but not for self-service withdrawal. - Two new WebSocket event constants -- channel_join_request_created and channel_join_request_updated -- that later PRs broadcast on the admin queue and the requester's My Pending Requests panel. Unit tests cover Patch(), the new IsValid() rule on Discoverable, the PreSave/PreUpdate timestamp behavior on ChannelJoinRequest, and every IsValid branch including the reviewer-required-on-review invariant. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add discoverable-channel permissions Two new channel-scoped permissions, each independently rebindable from the System Console: - manage_private_channel_discoverability gates the per-channel toggle so admins can restrict who can flip discoverability without also handing out manage_private_channel_properties. - manage_channel_join_requests gates the queue list / approve / deny / count endpoints (added in PR 2). Both are added to the channel_admin role bootstrap so new deployments get them by default, and a new permissions migration (add_discoverable_channel_permissions) grants them to channel_admin, team_admin and system_admin scheme roles on existing deployments. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add ChannelJoinRequestStore and wire Discoverable into channel store - channelSliceColumns / channelToSlice / updateChannelT now include the new Discoverable column so Save() and Update() round-trip the field. Existing select paths inherit the column automatically because every read goes through channelSliceColumns. - New ChannelJoinRequestStore interface and SQL implementation: Save / Get / GetPendingForChannelAndUser / GetForChannel / GetForUser / Update / CountPending. Save translates the idx_channeljoinrequests_pending_unique partial unique index violation into store.ErrConflict so the app layer (PR 2) can return 409 without re-parsing pq errors. - Storetest suite at storetest/channel_join_request_store.go is invoked from sqlstore via the existing StoreTest harness; covers insert / partial-unique conflict / re-insert after withdrawal / NotFound / status filtering / pagination with TotalCount / Update / CountPending. - Mocks and retrylayer / timerlayer are regenerated via make store-mocks and go generate ./channels/store -- no hand-written generator output. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add TS types for Discoverable channels + join requests webapp/platform/types: - Channel.discoverable?: boolean alongside existing policy_enforced / policy_is_active so the web client sees the same wire shape the server emits. - ChannelJoinRequest, ChannelJoinRequestStatus, ChannelJoinRequestList, GetChannelJoinRequestsOptions for the API contract surfaced in PR 2. webapp/platform/client: - WebSocketEvents enum gains ChannelJoinRequestCreated and ChannelJoinRequestUpdated so PR 3 can hang WS handlers off them without redeclaring constants. These are model-only updates with no UI consumer yet; PR 3 introduces the toggle, request flow, and admin queue surfaces. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Split ChannelJoinRequests indexes into concurrent migrations The mattermost-govet concurrentIndex lint check enforces CREATE INDEX CONCURRENTLY on every CREATE INDEX statement, even on an empty freshly-created table where it would be a no-op. The original 000177 file inlined three CREATE INDEX statements; that failed check-style. Mirror the convention used by 000166_create_views + 000167_create_views_channel_id_delete_at_index: keep the CREATE TABLE in its own (transactional) file, and move each index into a separate nontransactional file that runs CREATE INDEX CONCURRENTLY. Verified locally against Postgres 15 that all four new migrations apply in order and the storetest suite (partial unique constraint + paged list + count) still passes. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Wire new permission migration into test fixtures Two CI test surfaces missed when the channel_admin role and the permission-migration list gained the new manage_private_channel_discoverability and manage_channel_join_requests entries: - testlib/store.go: the shared mocked SystemStore used by SetupWithStoreMock / SetupEnterpriseWithStoreMock needs an explicit GetByName expectation for every migration key (because the mock panics on unexpected calls). Add the new MigrationKeyAddDiscoverableChannelPermissions key so TestCreateOrUpdateAccessControlPolicy, the elasticsearch aggregation_job_test, and every other mock-store test stop panicking on server bootstrap. - cmd/mmctl/commands/permissions_test.go: TestResetPermissionsCmd hard-codes the channel_admin default permission list and expects PatchRole to be called with exactly that slice. Extend the expected slice with the two new permission ids so the mmctl reset path stays in sync with the role bootstrap. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Register new idx_channels_discoverable_team in TestGetSchemaDefinition The schema-dump test asserts an exact index count and definition map for the channels table. Migration 000176 added idx_channels_discoverable_team — a partial btree on (teamid) gated by discoverable=true AND type='P' AND deleteat=0. Bump the expected count from 12 to 13 and add the index's CREATE INDEX definition as produced by pg_indexes (note: type is cast to channel_type, the existing domain). Verified locally against Postgres 15. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Fix golangci-lint findings in ChannelJoinRequest store Two golangci-lint findings on the freshly-added files: - sqlstore/channel_join_request_store.go:133 (modernize): collapse the 'if page < 0 { page = 0 }' clamp into max(opts.Page, 0). - storetest/channel_join_request_store.go:243 (govet shadow): the inner Save loop redeclared err with :=, shadowing the outer err captured from the first CountPending call. Switch to plain assignment so the same err is reused. Verified locally with golangci-lint v2.11.4 across public/..., channels/app/..., channels/store/..., channels/testlib/... and cmd/mmctl/commands/... — 0 issues. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Sync channel_admin bootstrap with TestDoAdvancedPermissionsMigration app_test.go pins the exact list of permissions the channel_admin role is expected to hold after DoAdvancedPermissionsMigration completes. The role bootstrap in role.go grew two entries (manage_private_channel_discoverability and manage_channel_join_requests), so the test's expected slice needs the same two entries appended in the same order, otherwise assert.Equal fails on slice ordering. This is the same class of fix as the mmctl/permissions_test.go change in a previous commit -- two parallel test fixtures encode the channel_admin defaults and have to be updated in lockstep with the bootstrap. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add English translations for new model error keys 12 keys were emitted by the new Discoverable + ChannelJoinRequest validation paths but had no en.json entry, which trips i18n-check on CI. Add the missing entries with one-line English copy that mirrors adjacent model errors (Invalid <field>., Create at must be a valid time., etc.). The new entries are: - model.channel.is_valid.discoverable.app_error - model.channel_join_request.is_valid.channel_id.app_error - model.channel_join_request.is_valid.create_at.app_error - model.channel_join_request.is_valid.denial_reason.app_error - model.channel_join_request.is_valid.denial_reason_status.app_error - model.channel_join_request.is_valid.id.app_error - model.channel_join_request.is_valid.message.app_error - model.channel_join_request.is_valid.reviewed_by.app_error - model.channel_join_request.is_valid.reviewer.app_error - model.channel_join_request.is_valid.status.app_error - model.channel_join_request.is_valid.update_at.app_error - model.channel_join_request.is_valid.user_id.app_error Generated through 'make i18n-extract'; verified clean with 'make i18n-check'. Per the workspace rule, only en.json was modified -- no other locale files. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Address CodeRabbit review: stable pagination + redact denial reason from audit log Two production-code findings from CodeRabbit on the freshly-added ChannelJoinRequest server code: - sqlstore/channel_join_request_store.go (GetForChannel / GetForUser): OrderBy("CreateAt DESC") alone is unstable when two rows share a millisecond (NewId is monotonic-ish but CreateAt is millisecond resolution), so offset paging could duplicate or skip rows between pages. Add Id DESC as a deterministic tie-breaker on both list queries. - model/channel_join_request.Auditable: the denial reason is admin-typed free text and could carry sensitive content. Mirror the existing has_message pattern by emitting has_denial_reason as a boolean presence flag instead of the raw value. Reviewer id, review timestamp, and status are still logged, so the audit trail keeps every piece needed for compliance review. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Tighten model tests per CodeRabbit review Two test-only findings from CodeRabbit: - TestChannelJoinRequestPreUpdateAdvancesUpdateAt previously asserted GreaterOrEqual(r.UpdateAt, originalCreate). Because validRequest initialises UpdateAt to GetMillis() (same call site as CreateAt), a no-op PreUpdate would still pass that check. Seed r.UpdateAt = 1 before calling PreUpdate() and assert Greater(r.UpdateAt, int64(1)) so any regression that drops the GetMillis assignment fails the test. - TestChannelIsValidDiscoverable did not cover ChannelTypeGroup. Add the case alongside ChannelTypeOpen and ChannelTypeDirect so the contract that 'only ChannelTypePrivate accepts Discoverable=true' is fully pinned across all four channel types. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Mock ChannelJoinRequest accessor in retrylayer test retrylayer_test.go's genStore() helper mocks every Store() accessor because retrylayer.New() wraps the entire surface. The new ChannelJoinRequest() method I added on Store was missing from the mock, so TestRetry/on_regular_error_should_not_retry panicked with 'Unexpected Method Call ChannelJoinRequest()' on Postgres shard 0. Add the mock alongside the other accessors. No production code change. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com>	2026-05-15 21:04:32 +02:00
David Krauser	9f1fe90b69	Migrate CPA to the v2 Property System (#36180)	2026-05-14 12:46:07 -04:00
Julien Tant	323841e9c5	Add board channel types (BO/BP) for Integrated Boards (#35887) ... * Add board channel types (BO/BP) with POST /boards API Introduces board channel types as a new channel variant that reuses the Channels table but is fully isolated from all /channels endpoints. Model: - Add ChannelTypeOpenBoard ("BO") and ChannelTypePrivateBoard ("BP") - Add IsBoard(), IsOpenBoard(), IsPrivateBoard() helpers - Add board-specific websocket events (board_created/updated/deleted/restored) Store: - SaveBoardChannel: atomic channel + view creation in a single transaction - Save() rejects board types (forces use of SaveBoardChannel) - Exclude boards from all channel listing/search queries (GetTeamChannels, GetAll, GetChannels, GetChannelsByUser, GetDeleted, autocomplete, search) API: - POST /boards: create board channel (feature-flagged behind IntegratedBoards) - All /channels write endpoints reject board types with 400 - All /channels read endpoints reject or exclude board types - Open boards get same public-read semantics as open channels Tests: - 15 rejection tests covering every /channels write + read endpoint - 9 exclusion tests covering every listing/search endpoint - 8 store tests for SaveBoardChannel + Save rejection - 4 board creation API tests (create, private, flag off, sidebar exclusion) - 3 authorization tests for board permission semantics Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update generated files: i18n, go.mod, migrations list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add i18n translations for board channel error strings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix board guard ordering in getChannelMembers and getChannelStats Move the board rejection check after the permission check so that nonexistent channel IDs still return 403 (not 404) matching the original behavior expected by TestGetChannelMembers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Filter boards at store level instead of API guards Store.Get() now excludes board types via WHERE clause, making boards invisible to all /channels endpoints. Added GetBoardChannel() for /boards endpoints. Removed redundant API-level rejectBoardChannel guards from 10 handlers that already call GetChannel(). Kept explicit guards only on 3 handlers that don't fetch the channel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix empty i18n translation for app.channel.save_member.app_error Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add board system properties, kanban column config, and audit logging Migration: - Register "boards" property group with system-wide Assignee (user) and Status (select: Todo/In Progress/Complete) fields, both protected - Idempotent migration following content flagging pattern Board creation: - Look up boards fields by name, set board:linked_properties on channel - Build kanban view props with group_by mapping status options to columns - Add typed KanbanProps/KanbanColumn/KanbanGroupBy structs with ToProps()/KanbanPropsFromProps() for round-tripping - Add audit record logging for POST /boards - Add early team_id validation in API handler - Error on missing status options instead of silent empty columns Tests: - Migration test: field creation + idempotent re-run - Board creation test: verify kanban props + linked_properties - Fix updateChannelMemberRoles test to use valid role string Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add boards migration mock to testlib store setup The boards property migration calls System().GetByName() which needs a matching mock expectation, same pattern as content_flagging_setup_done. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add kanban view props validation and tests Validate kanban View.Props in IsValid(): group_by required with valid field_id, 1-100 columns, each column needs id, name, and at least one option_id. Update all test helpers to produce valid kanban props. 11 dedicated validation tests + round-trip test for KanbanProps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Validate board display name is not empty Add early DisplayName validation in CreateBoardChannel with a clear error. Add tests for empty and whitespace-only display names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Exclude boards from GetMany and getChannelsMemberCount Add board type exclusion to Store.GetMany() and use filtered channel IDs in getChannelsMemberCount handler so board channels don't leak into member count results. Add test covering the endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix review issues: drop search indexing for boards, use request context - Remove search layer indexing of board channels so they stay invisible to Elasticsearch/Bleve-powered search and autocomplete - Replace context.Background() with rctx.Context() for proper cancellation and tracing in CreateBoardChannel Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix gofmt alignment in websocket_message.go after merge Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Regenerate server i18n after merge * Restore translation for permission_policy.app_error * Filter board channels in name lookups, autocomplete, and indexing The store-layer board exclusion filter was missing from getByName, getByNames, GetDeletedByName, the global Autocomplete, and GetChannelsBatchForIndexing — leaving boards reachable via name lookups, the no-team-filter search path, and admin reindex jobs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Reject boards in id-batch lookups, unread, and member-mutation endpoints - GetChannelsByIds, GetChannelsWithTeamDataByIds, and GetChannelUnread now exclude BO/BP at the store layer so boards can't slip through if callers stop filtering first. - updateChannelMemberNotifyProps, updateChannelMemberAutotranslation, and viewChannel now reject board IDs explicitly via the existing rejectBoardChannelByID helper, matching the other write endpoints. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Gate boards properties setup on the IntegratedBoards feature flag doSetupBoardsProperties registered the boards property group and fields at every server boot regardless of the IntegratedBoards feature flag. Skip the migration when the flag is disabled so the property metadata only appears once boards are actually enabled. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use App accessors for boards property lookups CreateBoardChannel reached into a.Srv().PropertyService() directly instead of going through the App-level GetPropertyGroup and GetPropertyFieldByName methods that already wrap the service. Switch to the standard App accessors so the calls match the rest of the codebase. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Log full channel input on createBoard audit record createBoard only captured team_id and type on the audit record, so failed creations lost most of the request payload. Use AddEventParameterAuditableToAuditRec with the full channel struct, matching createChannel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use allow-list of message channel types in store filters Inverted every sq.NotEq{[BO, BP]} filter into sq.Eq{messageChannelTypes} (or teamMessageChannelTypes for queries that also exclude direct channels) so that any future non-message channel type — wikis, etc. — is excluded by default rather than requiring every existing call site to be updated. Also rewrote GetChannelUnread on top of the squirrel builder so the same allow-list slice can be reused. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * go.mod: promote prometheus/common to direct after merge Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use model.NewPointer for boards property permission field Drops the local permNone variable in doSetupBoardsProperties and uses model.NewPointer(model.PermissionLevelNone) inline, matching the surrounding ContentFlagging/ManagedCategory code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Extract saveViewT to share Views insert between Save and SaveBoardChannel ViewStore.Save and SaveBoardChannel both built the same INSERT INTO Views statement, so a future column addition would need updates in two places. Extract the insert (plus PreSave/IsValid) into a private saveViewT method that accepts any sqlxExecutor — the regular master handle for ViewStore.Save, and the channel transaction for SaveBoardChannel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add IsMessageChannel helper on model.Channel Mirrors IsBoard for the positive case: returns true for Open, Private, Direct, and Group channel types. Lets future filtering code be expressed against the allow-list rather than enumerating board types, so newly introduced non-message channel types are excluded by default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Move board input validation into Channel.IsValidBoard CreateBoardChannel inlined four guards for type, team, and display name. Move the type/team_id/display_name checks into a new Channel.IsValidBoard method so the rules live with the model and return the AppError directly. The TrimSpace on DisplayName stays at the call site to match how CreateChannel sanitizes before validating. Drops the now-unused app.channel.create_board_channel.{invalid_type, no_team,no_display_name} translations and adds matching model.channel.is_valid_board.* keys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Extract buildBoardKanbanView from CreateBoardChannel The kanban view construction (read status options, build columns, serialize props, assemble *model.View) only depends on the status property field and the creator id. Pulling it into its own helper shrinks CreateBoardChannel and makes the column-building logic testable in isolation. Adds board_test.go with coverage for the empty-options error path, the standard happy path, and the option-skipping branches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Test Channel.IsValidBoard Cover the four reject cases (wrong type, missing team_id, empty display name) plus the open and private board accept cases. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * gofmt board_test.go Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Document POST /api/v4/boards in OpenAPI spec * Add valid kanban props to api4 makeTestViewForAPI helper * Assert kanban.ToProps error in makeTestViewForAPI helper The helper used to swallow the error from kanban.ToProps. Take *testing.T and require.NoError so a serialization failure surfaces immediately at the call site instead of producing a malformed view. * Run boards properties setup unconditionally The feature-flag gate added in 6298e15e86 made the test suite impossible: test infra applies FeatureFlags overrides only after app.NewServer returns, but doAppMigrations runs during NewServer, so the flag was always false at migration time. The migration short-circuited, the boards property group was never registered, and every CreateBoardChannel test 500'd with "boards property group not found." Drop the gate. The migration is idempotent (keyed in System) and benign — matches doSetupContentFlaggingProperties and doSetupManagedCategoryProperties. IntegratedBoards still gates route registration (api4/board.go) and the CreateBoardChannel runtime entry (app/board.go), so the property group sits unused until the feature is enabled. * Add Client4.CreateBoard and use it in tests Adds boardsRoute() and CreateBoard(ctx, channel) on Client4 mirroring CreateChannel/CreateView. Refactors api4 board tests off the raw DoAPIPost("/boards", ...) calls and the SaveBoardChannel store inserts that predated the API; both now exercise the public client method, drop the makeTestBoardView helper and the manual SaveMember follow-ups, and route through setupBoardTest so IntegratedBoards is enabled where needed. * make modules-tidy --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 16:25:08 -07:00
Devin Binnie	69fbaeced9	[MM-68496] Feature flag Managed Categories, expose Default Category Name to UI for channel creation and settings (#36289) ... * [MM-68496] Feature flag Managed Categories, expose Default Category Name to UI for Channels * PR feedback * PR feedback * Fix i18n * Fix test * Fix E2E * Merge'd * Add tests * Re-add old tests (skipped) * Add IncrementVersion to PropertyGroup store, increment version on managed category group * Fix lint * Fix mock * Fix prettier * Add tests * Fixed issue when moving from existing category to existing category * Fix e2e --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-07 09:37:53 -04:00
Harshil Sharma	9e955bf683	Edit attachment permission (#36227) ... * Implemented edit file permission * lint fixes * Updated snapshot * Updated tests * Updated test * CI * Permission reordering and tooltip text update * Made a geneeric function	2026-05-05 08:31:19 +05:30
Maria A Nunez	724c5b7191	CPA Display Name Support (#36247) ... * Phase 1: CPA display_name + CEL-safe name validation (server) - Add typed DisplayName field to CPAAttrs + display_name attr key constant. - Add ValidateCPAFieldName helper enforcing CEL IDENTIFIER + reserved-word blacklist. - Wire validation into App.CreateCPAField (always) and App.PatchCPAField (lenient grandfather: skip when Name unchanged). - Trim + 255-rune cap DisplayName in CPAField.SanitizeAndValidate. - Developer-facing godoc note documenting rule, sources of truth, and Option C scoping. - Asserting test for documented Option C plugin-API bypass (closed by PR #36173). Spec: planner/projects/property-display-name/ideas/001-cpa-display-name/spec.md Plan: .planning/phase-1/PLAN.md Made-with: Cursor * Phase 1 (review): address Reza's Major + Minor findings - Rename misleading subtest "empty DisplayName is omitted from attrs" to "empty DisplayName round-trips as empty string" (Major #1). - Add TestCPAAttrs_JSONOmitEmpty pinning the omitempty wire-format contract that PR #36173's typed-attrs strategy relies on (Major #1). - Extend TestValidateCPAFieldName: case-sensitivity (IN/In ok), single-character names (a/_/A ok), missing "as" reserved word (Minor #2). Add whitespace-only DisplayName case (Minor #2). - Document PropertyFieldNameMaxRunes reuse in SanitizeAndValidate to prevent drift (Minor #3). - Replace broken PLAN-server.md reference in bypass-test docstring with in-tree CPAAttrs godoc reference (Minor #4). - Document omitempty semantics on CPAAttrs.DisplayName field to prevent the same misreading caught in review (Minor #5). - Document grouping intent above CPAFieldNameReservedWords (Minor #8). Review: .planning/phase-1/REVIEW.md Made-with: Cursor * Phase 2: in-app backfill migration for CPA display_name - Add cpaDisplayNameBackfillKey + cpaDisplayNameBackfillVersion constants. - Implement (*Server).doSetupCPADisplayNameBackfill: idempotent, cursor-paged scan over CPA group fields; backfill attrs.display_name = name when empty. - Register in m1 migration slice in doAppMigrations (mlog.Fatal on error, matching existing convention). - Three migration tests: NoExistingFields, BackfillsMissing, Idempotent. System-key idempotency + per-field DisplayName-empty check together provide HA-safe behavior on rolling deploys (last-write-wins on the System key; data-level idempotency from the per-field check). Spec: planner/projects/property-display-name/ideas/001-cpa-display-name/spec.md Plan: .planning/phase-2/PLAN.md Made-with: Cursor * Phase 2 (review): document race + harden idempotency test - Document SearchPropertyFields→UpdatePropertyFields rolling-deploy race: stale snapshot can revert concurrent admin CPA rename. Pre- existing systemic shape (no UpdateAt optimistic-lock); narrow window; bounded blast radius (admin re-rename, ABAC ID-keyed). Accepted limitation per spec Out of Scope (Major #1, Option C). - Tighten TestCPADisplayNameBackfill_Idempotent: snapshot UpdateAt before second run; assert no DB write on the System key or the field row (Major #2). - Extract clearCPABackfillMarker helper with explanatory godoc to centralize the 3x-repeated test precondition (Minor #1). - Comment fieldA seed as the "key-present-as-empty-string" idempotency boundary case (Minor #6). - Add godoc to doSetupCPADisplayNameBackfill (Minor #10). Review: .planning/phase-2/REVIEW.md Made-with: Cursor * Linting * Removing unnecessary comments * Clean up tests * Linting * Fix tests * Updated API doc * Fix tests * PR Feedback * Move migration to PropertyService * Linting * Linting * Removed pagination --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-04 10:33:05 -04:00
Miguel de la Cruz	9c684e6313	Property System v2 Generic APIs blacklist (#36171) ... * Adds version to the property group model * Ensures that the REST API rejects v1 group calls * Ensures field version and group version match * Simplify property groups on app layer tests * Add GetByID to PropertyGroupStore and enforce field/group version match on update * Simplify bits of the code * Fix i18n and add generic errors * Fix PropertyGroupStore mock to return stable IDs and default zero version to V1 * Fix tests that were using nonexistent group IDs * Fix rigidness on valid group names * Update group not found slug * Temporary allow to use tempaltes with v1 * Explicitly including tempaltes in the IsPSAv1 check for conflict check * Return 404 on group not found and template explicit inclusion on patch API endpoint * Fix CPA test that would use fields from unregistered groups --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-04-24 11:51:02 +02:00
David Krauser	e8c9e525e1	Fix silent test discovery failure in sharded CI (#36222)	2026-04-22 22:25:56 -04:00
David Krauser	3fa8776095	[MM-68100] Implement Linked Properties for the Property System (#35808)	2026-04-21 18:59:12 +00:00
Pablo Vélez	80b977807a	Feature mm 64509 team admin abac channels (#36061) ... * MM-67592 - be changes for team admin abac channels (#35353) * MM-67592 - be changes for team admin abac channels * Revert team-scoped API routes, keep app layer business logic * move from config to permission; Add cluster-aware LRU cache for policy team scope lookup * remove unnecessary references to config value * local/remote cache invalidation consistency for policy scope * Replace policy scope cache with store-level team scope query * rename functions and add comments to query --------- Co-authored-by: Mattermost Build <build@mattermost.com> * MM 67594 - policies CUD operations to team settings modal channels ABAC (#35590) * MM-67592 - be changes for team admin abac channels * Revert team-scoped API routes, keep app layer business logic * move from config to permission; Add cluster-aware LRU cache for policy team scope lookup * remove unnecessary references to config value * local/remote cache invalidation consistency for policy scope * Replace policy scope cache with store-level team scope query * format files correctly * fix mock expectations for store-query approach in tests * rename functions and add comments to query * revert error ids to original to prevent break tests * adjust translations * MM-67669 - add tab to team settings modal and basic listing * adjust tests and fix linter * use existing search api logic * fix style and adjust flaky test to clean up and restore orinals * address ai corabbit feedback and fix linter * fix unit tests * MM-67592 - be changes for team admin abac channels (#35353) * MM-67592 - be changes for team admin abac channels * fix linter * fix ts linter for playwright * Revert team-scoped API routes, keep app layer business logic * move from config to permission; Add cluster-aware LRU cache for policy team scope lookup * remove unnecessary references to config value * local/remote cache invalidation consistency for policy scope * Replace policy scope cache with store-level team scope query * format files correctly * fix mock expectations for store-query approach in tests * rename functions and add comments to query * revert error ids to original to prevent break tests * adjust translations --------- Co-authored-by: Mattermost Build <build@mattermost.com> * MM-67594 - support cud operations for team abac BE changes * create the team settings policy edit section, reuse most components, add basic e2e * move optional refresh policy list button to list component * temp get team admins cud policies and sync job * enhance validation and adjust e2e * Fix testExpression permission; fix pagination of team policies; add isValidId validation * adjust styles, handling renaming and add permission migrations * update the permissions names, use the simple confirmation modal, define the delete modal * fix policy deletion flow * fix some linter issues and adjust helper tests * remove delete from list and fix e2e * code comments clean up * remove CEL editor for now, clean styles, enhance e2e * fix linter, adjust unit test * fix linter and add missing translation * fix policy deletion ownership and sanitize test expression * fixed e2e tests * rollback orphaned policy on failed channel assignment * enforce channelless check before last_team_id fallback * enforce channelless guard on assign fallback too * add translations missing * add teamId to audit payload when present * fix refresh button pagination reset * fix null safety in channel selector loadChannels * use responsive width cap for team settings modal and adjust header size * remove redundant raw term from channel search URL, add showRefreshButton prop to PolicyList component * handle error when stamping last team ID on channelless policy * replace Props-based ownership with in-memory LRU cache, disable save on zero channels * make e2e tests more reliable in CI * test skip if no license valid found * add childCount guard to cache-hit paths and reduce TTL to 5s * fix e2e, adjust translation * address review feedback: flatten permission checks and separate error types - Flatten nested permission branching in deleteAccessControlPolicy using early returns to reduce indentation (review: isacikgoz) - Validate teamID as input (400) before using it for permission checks (403) in testExpression and validateExpressionAgainstRequester handlers - Remove redundant hasSystemPermission check in searchAccessControlPolicies since system_admin role already includes manage_team_access_rules - Refactor ValidateTeamAdminPolicyOwnership to return (bool, *model.AppError) separating "not owned" from "internal error" across all 8 call sites - Update tests to assert on both return values Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add persistent team scope to access control policies, replace in-memory cache * fix translation * fix case-insensitive policy search and sanitize search term input * make policies tests have a unique name * decouple scope/scopeID filter from TeamID in policy store * Fix authZ bypass searchChannelsForAccessControlPolicy by forcing TeamIds to authorized team * show unsaved changes on navigator back, and list all private channels on load * filter already applied channels to a policy * adjust the styles to dark mode; do not show added channels to the policy in the add channels modal * fix linter * MM-67967 add sync status footer to team settings (#35729) * MM-67967 add sync status footer to team settings * remove magic numbers and strings and polish the code * fix linter * fix linter: replace interface{} with any per gofmt rewrite rule Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refine getJobsByType team-scoped filtering and permissions * fix sync footer stuck in syncing state on job creation error * fix team-scoped job pagination in getJobsByType * Fix authZ bypass searchChannelsForAccessControlPolicy by forcing TeamIds to authorized team * implement ux feedback, change titles font, fix marging and scroll view jump * MM-68135 - migrate add channels to policy modal to generic modal (#35907) * MM-67920 unify e2e team settings tests (#35867) * MM-67920 - extract duplicated policy editor helpers * remove duplicate team icon test file * rename Access Control to Membership Policies in e2e * replace networkidle with explicit element waits * fix attribute loading issue --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix playwright feedback issues and persist filters to the store layer in the no systemconsole path * Improve policy scope validation and team admin security checks * Renamed public channels to "AAA Public Channel %03d" and private ones to "ZZZ Private..." so the 55 public channels now fill the 50-result cap * fix e2e tests and add new unit tests to improve coverage * Improve e2e test stability: race condition handling and timeout adjustments * Improve team-scoped ABAC policies: scope preservation, input validation, shared exclusion * Add comprehensive ABAC test coverage: team admin ops and security validation to reduce flakyness * Fix team policy editor back button: preserve navigation intent through Undo * style: format import statements for better readability * Enhance access control policy creation for team admins: enforce scope stamping from query parameters to prevent unauthorized team assignments --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 00:48:43 +02:00
Nick Misasi	d4d65c8cfb	Add manage_own_agent and manage_others_agent permissions (#35924) ... * Add PermissionCreateAgent server-side permission definition Define PermissionCreateAgent in the model layer with system scope, add to SystemScopedPermissionsMinusSysconsole (feeds AllPermissions), grant to system_user in MakeDefaultRoles(), and register a permissions migration for existing installations (system_admin + system_user). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add exhaustive tests for PermissionCreateAgent permission Model tests: verify create_agent is in AllPermissions, has system scope, correct i18n fields, present in system_admin and system_user default roles, and absent from system_guest. Migration test: verify getAddCreateAgentPermissionMigration adds create_agent to both system_admin and system_user, and is idempotent on re-run. Also register the migration key in testlib mock store so server initialization skips it during test setup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add webapp permission constants and i18n for create_agent Add CREATE_AGENT constant to permissions.ts, display strings with defineMessages in permissions.tsx, and i18n entries in en.json so the permission appears in System Console Permission Schemes UI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Clean up tests and minor fixups for create_agent permission Consolidate role_test.go into table-driven tests, remove redundant comments in permissions_migrations_test.go, add .planning/ to .gitignore, and refresh webapp/package-lock.json. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Split create_agent into manage_own_agent and manage_others_agent Replace PermissionCreateAgent with system-scoped own/others permissions, update migration and defaults, and wire System Scheme UI for integrations. Made-with: Cursor * fixes * Stabilize autotranslation E2E by pinning mock source language Set LibreTranslate mock to English before the pre-enable post and Spanish before the post-enable message so parallel tests cannot leave the mock in a state where the new message is not translated. Made-with: Cursor * Revert package-lock, add more chnages * Revert "Revert package-lock, add more chnages" This reverts commit 7f6752c2e0. * Drop unrelated autotranslation E2E tweak; restore package-lock The Playwright autotranslation change was not caused by MM-65671. Revert that test edit and restore webapp/package-lock.json after an accidental revert of the prior package-lock update. Made-with: Cursor * Put package-lock back again * fixes * Fix migration tests for manage_own_agent on system_user role Made-with: Cursor --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-15 14:57:46 +00:00
Ibrahim Serdar Acikgoz	c66bb0ecdb	[MM-68109] Introduce new policy version v0.3 (#35904)	2026-04-15 11:22:41 +02:00
Devin Binnie	01219efbf4	[MM-68037] Managed Sidebar Categories (MVF) (#35935) ... * [MM-68037] Managed Sidebar Categories (MVF) * PR feedback * PR feedback * Fix test issue again * Fixed a few things * Fix again * PR feedback * Update server/i18n/en.json Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update server/i18n/en.json Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update webapp/channels/src/packages/mattermost-redux/src/actions/channel_categories.ts Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * PR feedback * PR feedback * More PR feedback * Test fixes * This one too * PR feedback * more * More feedback * More * more * Yup * More * PR feedback * Update webapp/channels/src/components/channel_settings_modal/managed_category_selector.scss Co-authored-by: Matthew Birtch <mattbirtch@gmail.com> * Block setting behind Enterprise license * Update webapp/channels/src/packages/mattermost-redux/src/selectors/entities/channel_categories.ts Co-authored-by: Harrison Healey <harrisonmhealey@gmail.com> * Update webapp/channels/src/packages/mattermost-redux/src/actions/channel_categories.ts Co-authored-by: Harrison Healey <harrisonmhealey@gmail.com> * PR feedback * Don't await for the initial managed category check * Turn into its own action --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Matthew Birtch <mattbirtch@gmail.com> Co-authored-by: Harrison Healey <harrisonmhealey@gmail.com>	2026-04-14 09:00:59 -04:00
Doug Lauder	73c6e6a7cf	MM-68258 Remove system_secure_connection_manager role (#36009) ... * Remove system_secure_connection_manager role The dedicated role for delegating secure connection management is no longer needed. The manage_secure_connections permission remains and continues to be granted to system admins via AllPermissions. Removes the role definition, migration, permissions migration, UI components, i18n strings, and all associated tests across server, webapp, and e2e-tests.	2026-04-10 10:49:04 -04:00
Pavel Zeman	d1ca297721	Revert "Strip remote_id field from user patch API requests (#35910)" (#35996) ... This reverts commit fc9d3be368 which introduced a CI regression.	2026-04-09 05:06:42 -04:00
JG Heithcock	fc9d3be368	Strip remote_id field from user patch API requests (#35910) ... * Strip remote_id from user patch API requests * Ignore remote_id in user update API endpoints Add SetUserRemoteID test helper in testlib to set remote_id via direct SQL, bypassing the now-protected store Update method. Update existing tests in app and api4 packages to use the new helper. --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-08 21:47:57 -07:00
Doug Lauder	5b76fb11a5	MM-67647: Rename shared_channel_manager roles to follow system_ prefix convention (#35944) ... * Rename shared_channel_manager and secure_connection_manager roles to use system_ prefix The new roles added in PR #35354 broke the naming convention that all system-level roles stored in Users.Roles are prefixed with "system_". Client-side code (role.includes('system')) and server-side code (explicit switch cases in applyMultiRoleFilters) relied on this convention, causing users assigned to these roles to not appear in the System Console. Also adds both roles to the applyMultiRoleFilters switch statement in user_store.go, which was missing them entirely.	2026-04-08 08:01:33 -04:00
Miguel de la Cruz	48f2fd0873	Merge the Integrated Boards MVP feature branch (#35796) ... * Add CreatedBy and UpdatedBy to the properties fields and values (#34485) * Add CreatedBy and UpdatedBy to the properties fields and values * Fix types --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds ObjectType to the property fields table (#34908) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Update ObjectType migration setting an empty value and marking the column as not null (#34915) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds uniqueness mechanisms to the property fields (#35058) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Fixing retrylayer mocks * Remove retrylayer duplication * Address review comments * Fix comment to avoid linter issues * Address PR comments * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.down.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update field validation to check only for valid target types * Update migrations to avoid concurrent index creation within a transaction * Update migrations to make all index ops concurrent * Update tests to use valid PSAv2 property fields * Adds a helper for valid PSAv2 TargetTypes --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Fix property tests (#35388) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards feature flag (#35378) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards MVP API changes (#34822) This PR includes the necessary changes for channels and posts endpoints and adds a set of generic endpoints to retrieve and manage property fields and values following the new Property System approach. Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com> * Property System Architecture permissions for v2 (#35113) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Fix i18n sorting --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Add Views store and app layer (#35361) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor test loops in ViewStore tests for improved readability * change pagination to limit/offset * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * MM-67388, MM-66528, MM-67750: Add View REST API endpoints, websocket events, and sort order (#35442) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Add View API endpoints with OpenAPI spec, client methods, and i18n Implement REST API for channel views (board-type) behind the IntegratedBoards feature flag. Adds CRUD endpoints under /api/v4/channels/{channel_id}/views with permission checks matching the channel bookmark pattern. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add cursor-based pagination to View API for channel views * Enhance cursor handling in getViewsForChannel and update tests for pagination * Refactor test loops in ViewStore tests for improved readability * Refactor loop in TestGetViewsForChannel for improved readability * change pagination to limit/offset * switch to limit/offset pagination * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add view sort order API endpoint Add POST /api/v4/channels/{channel_id}/views/{view_id}/sort_order endpoint following the channel bookmarks reorder pattern. Includes store, app, and API layers with full test coverage at each layer. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add connectionId to view WebSocket events and sort_order API spec Thread connectionId from request header through all view handlers (create, update, delete, sort_order) to WebSocket events, matching the channel bookmarks pattern. Add sort_order endpoint to OpenAPI spec. Update minimum server version to 11.6. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove duplicate View/ViewPatch definitions from definitions.yaml The merge from integrated-boards-mvp introduced duplicate View and ViewPatch schema definitions that were already defined earlier in the file with more detail (including ViewBoardProps ref and enums). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update minimum server version to 11.6 in views API spec Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add missing translations for view sort order error messages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Merge integrated-boards-mvp into ibmvp_api-views; remove spec files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix flaky TestViewStore timestamp test on CI Add sleep before UpdateSortOrder to ensure timestamps differ, preventing same-millisecond comparisons on fast CI machines. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * remove duplicate views.yaml imclude * Use c.boolString() for include_deleted query param in GetViewsForChannel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix views.yaml sort order schema: use integer type and require body Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor view sort order tests to use named IDs instead of array indices Extract idA/idB/idC from views slice and add BEFORE/AFTER comments to make stateful subtest ordering easier to follow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Return 404 instead of 403 for view operations on deleted channels Deleted channels should appear non-existent to callers rather than revealing their existence via a 403. Detailed error text explains the context for debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * add missing channel deleteat checks * Use c.Params.Page instead of manual page query param parsing in getViewsForChannel c.Params already validates and defaults page/per_page, so the manual parsing was redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add support for total count in views retrieval * Add tests for handling deleted views in GetViewsForChannel and GetView * Short-circuit negative newIndex in UpdateSortOrder before opening transaction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add per-channel limit on views to bound UpdateSortOrder cost Without a cap, unbounded view creation makes sort-order updates increasingly expensive (CASE WHEN per view, row locks). Adds MaxViewsPerChannel=50 constant and enforces it in the app layer before saving. Includes API and app layer tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove include_deleted support from views API Soft-deleted views are structural metadata with low risk, but no other similar endpoint (e.g. channel bookmarks) exposes deleted records without an admin gate. Rather than adding an admin-only permission check for consistency, remove the feature entirely since there is no current use case. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update view permissions to require `create_post` instead of channel management permissions * Remove obsolete view management error messages for direct and group messages --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * feat(migrations): add user tracking and object type to property fields - Introduced user tracking columns (CreatedBy, UpdatedBy) to PropertyFields and PropertyValues. - Added ObjectType column to PropertyFields with associated unique indexes for legacy and typed properties. - Created new migration scripts for adding and dropping these features, including necessary indexes for data integrity. - Established views for managing property fields with new attributes. This update enhances the schema to support better tracking and categorization of property fields. * Add Property System Architecture v2 API endpoints (#35583) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Require target_type filter when searching property fields * Add objectType validation as part of field.IsValid() * Fix linter * Fix test with bad objecttpye * Fix test grouping --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * MM-67968: Flatten view model — remove icon, subviews, typed board props (#35726) * feat(views): flatten view model by removing icon, subview, and board props Simplifies the View data model as part of MM-67968: removes Icon, Subview, and ViewBoardProps types; renames ViewTypeBoard to ViewTypeKanban; replaces typed Props with StringInterface (map[string]any); adds migration 000167 to drop the Icon column from the Views table. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * feat(api): update views OpenAPI spec to reflect flattened model Removes ViewBoardProps, Subview, and icon from the View and ViewPatch schemas. Changes type enum from board to kanban. Replaces typed props with a free-form StringInterface object. Aligns with MM-67968. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * refactor(views): simplify store by dropping dbView and marshalViewProps StringInterface already implements driver.Valuer and sql.Scanner, so the manual JSON marshal/unmarshal and the dbView intermediate struct were redundant. model.View now scans directly from the database. Also removes the dead ViewMaxLinkedProperties constant and wraps the Commit() error in UpdateSortOrder. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(api): allow arbitrary JSON in view props OpenAPI schema The props field was restricted to string values via additionalProperties: { type: string }, conflicting with the Go model's StringInterface (map[string]any). Changed to additionalProperties: true in View, ViewPatch, and inline POST schemas. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * Adds basic implementation of the generic redux store for PSAv2 (#35512) * Adds basic implementation of the generic redux store for PSAv2 * Add created_by and updated_by to the test fixtures * Make target_id, target_type and object_type mandatory * Wrap getPropertyFieldsByIds and getPropertyValuesForTargetByFieldIds with createSelector * Address PR comments --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds websocket messages for the PSAv2 API events (#35696) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Adds websocket messages for the PSAv2 API events * Add IsPSAv2 helper to the property field for clarity * Add guard against nil returns on field deletion * Add docs to the websocket endpoints --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * migrations: consolidate views migrations and reorder after master - Merged 000165 (create Views) with 000167 (drop Icon) since Icon was never needed - Renumbered branch migrations 159-166 → 160-167 so master's 000159 (deduplicate_policy_names) runs first - Regenerated migrations.list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add API endpoint to retrieve posts for a specific view (#35604) Automatic Merge * Apply fixes after merge * Return a more specific error from getting multiple fields * Prevent getting broadcast params on field deletion if not needed * Remove duplicated migration code * Update property conflict code to always use master * Adds nil guard when iterating on property fields * Check that permission level is valid before getting rejected by the database * Validate correctness on TargetID for PSAv2 fields * Avoid PSAv1 using permissions or protected * Fix test data after validation change * Fix flaky search test * Adds more posts for filter use cases to properly test exclusions --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> Co-authored-by: Julien Tant <julien@craftyx.fr> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Julien Tant <785518+JulienTant@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-27 10:36:35 +01:00
Miguel de la Cruz	58dd9e1bb4	Add property system app layer architecture (#35157) ... * Refactor property system with app layer routing and access control separation Establish the app layer as the primary entry point for property operations with intelligent routing based on group type. This architecture separates access-controlled operations (CPA groups) from standard operations, improving performance and code clarity. Architecture Changes: - App layer now routes operations based on group type: - CPA groups -> PropertyAccessService (enforces access control) - Non-CPA groups -> PropertyService (direct, no access control) - PropertyAccessService simplified to handle only CPA operations - Eliminated redundant group type checks throughout the codebase * Move access control routing into PropertyService This change makes the PropertyService the main entrypoint for property related operations, and adds a routing mechanism to decide if extra behaviors or checks should run for each operation, in this case, the property access service logic. To add specific payloads that pluggable checks and operations may need, we use the request context. When the request comes from the API, the endpoints are in charge of adding the caller ID to the payload, and in the case of the plugin API, on receiving a request, the server automatically tags the context with the plugin ID so the property service can react accordingly. Finally, the new design enforces all these checks migrating the actual property logic to internal, non-exposed methods, so any caller from the App layer needs to go through the service checks that decide if pluggable logic is needed, avoiding any possibility of a bypass. * Fix i18n * Fix bad error string * Added nil guards to property methods * Add check for multiple group IDs on value operations * Add nil guard to the plugin checker * Fix build error * Update value tests * Fix linter * Adds early return when content flaggin a thread with no replies * Fix mocks * Clean the state of plugin property tests before each run * Do not wrap appErr on API response and fix i18n * Fix create property field test * Remove the need to cache cpaGroupID as part of the property service * Split the property.go file into multiple * Not found group doesn't bypass access control check * Unexport SetPluginCheckerForTests * Rename plugin context getter to be more PSA specific --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-03-26 07:54:50 +00:00
Nick Misasi	0192d529ed	PermissionManageOauth removal impact (#35554) ... * Restore manage oauth permission Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix migration test lint assertion Co-authored-by: Nick Misasi <nick13misasi@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>	2026-03-15 12:05:29 -04:00
Doug Lauder	e31f471498	MM-67647 Add roles for shared channels management (#35354) ... * Add shared_channel_manager and secure_connection_manager built-in roles Introduce two new delegated admin roles for granular Shared Channels permission management, allowing admins to assign shared channel and secure connection management to specific non-admin users without granting full System Admin or System Manager access. - shared_channel_manager: grants manage_shared_channels permission - secure_connection_manager: grants manage_secure_connections permission Includes server role definitions, app migrations, permissions migrations, System Console UI support, and API permission tests.	2026-03-06 10:51:21 -05:00
David Krauser	1cfe3d92b6	[MM-66836] Integrate PropertyAccessService into API and app layers (#34818) ... Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations. Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.	2026-02-06 18:06:51 -05:00
Daniel Espino García	2bd29c0359	Add the ability to patch channel autotranslations (#35078) ... * Add the ability to patch channel autotranslations * Fix lint * Update docs * Fix CI * Fix CI * Fix mmctl test * Check whether the channel is translated for the user when checking user enabled * Fix wrong uses of patch acrros e2e and frontend * Fix test * Fix wording * Fix tests and column name * Move group constrained test so they don't mess with the basic entities * Fix patch sending too much information	2026-02-06 18:19:06 +01:00
Doug Lauder	7f6a98fd7a	MM-66789 Restrict log downloads to a root path for support packets (#35014) ... * [MM-66789] Fix arbitrary file read vulnerability in advanced logging Add path validation to prevent reading files outside the logging root directory via GetAdvancedLogs (used in support packet generation). Security controls: - Validate file paths are within logging root before reading - Support MM_LOG_PATH environment variable to allow system admins to configure a custom logging root directory - Resolve symlinks to prevent bypass attacks - Detect and block path traversal attempts Also adds: - Audit logging for support packet generation - Config-time validation that logs errors for paths outside logging root (will become blocking in future version) - Comprehensive test coverage for path validation * Update server/channels/app/platform/log_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix linter errors * Update server/channels/api4/system.go Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com> * Simplify unit tests for platform/log_test.go by moving some test logic to config/logger_test.go * Fix unit tests requiring logging root to be set * enforce LogSettings.FileLocation path validation; simplify path checking * fix linter errors * use dir in logging root for all unit test logging * MM_LOG_PATH is set once, centrally, for all tests * fix flaky test * fix flaky test --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>	2026-01-29 13:29:55 -05:00
Jesse Hallam	41e5c7286b	Remove vestigial MySQL support (#34865) ... * Remove legacy quoteColumnName() utility Since Mattermost only supports PostgreSQL, the quoteColumnName() helper that was designed to handle database-specific column quoting is no longer needed. The function was a no-op that simply returned the column name unchanged. Remove the function from utils.go and update status_store.go to use the "Manual" column name directly. * Remove legacy driver checks from store.go Since Mattermost only supports PostgreSQL, remove conditional checks for different database drivers: - Simplify specialSearchChars() to always return PostgreSQL-compatible chars - Remove driver check from computeBinaryParam() - Remove driver check from computeDefaultTextSearchConfig() - Simplify GetDbVersion() to use PostgreSQL syntax directly - Remove switch statement from ensureMinimumDBVersion() - Remove unused driver parameter from versionString() * Remove MySQL alternatives for batch delete operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific DELETE...LIMIT syntax and keep only the PostgreSQL array-based approach: - reaction_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - file_info_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - preference_store.go: Use PostgreSQL tuple IN subquery for DeleteInvalidVisibleDmsGms * Remove MySQL alternatives for UPDATE...FROM syntax Since Mattermost only supports PostgreSQL, remove the MySQL-specific UPDATE syntax that joins tables differently: - thread_store.go: Use PostgreSQL UPDATE...FROM syntax in MarkAllAsReadByChannels and MarkAllAsReadByTeam - post_store.go: Use PostgreSQL UPDATE...FROM syntax in deleteThreadFiles * Remove MySQL alternatives for JSON and subquery operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific JSON and subquery syntax: - thread_store.go: Use PostgreSQL JSONB operators for updating participants - access_control_policy_store.go: Use PostgreSQL JSONB @> operator for querying JSON imports - session_store.go: Use PostgreSQL subquery syntax for Cleanup - job_store.go: Use PostgreSQL subquery syntax for Cleanup * Remove MySQL alternatives for CTE queries Since Mattermost only supports PostgreSQL, simplify code that uses CTEs (Common Table Expressions): - channel_store.go: Remove MySQL CASE-based fallback in UpdateLastViewedAt and use PostgreSQL CTE exclusively - draft_store.go: Remove driver checks in DeleteEmptyDraftsByCreateAtAndUserId, DeleteOrphanDraftsByCreateAtAndUserId, and determineMaxDraftSize * Remove driver checks in migrate.go and schema_dump.go Simplify migration code to use PostgreSQL driver directly since PostgreSQL is the only supported database. * Remove driver checks in sqlx_wrapper.go Always apply lowercase named parameter transformation since PostgreSQL is the only supported database. * Remove driver checks in user_store.go Simplify user store functions to use PostgreSQL-only code paths: - Remove isPostgreSQL parameter from helper functions - Use LEFT JOIN pattern instead of subqueries for bot filtering - Always use case-insensitive LIKE with lower() for search - Remove MySQL-specific role filtering alternatives * Remove driver checks in post_store.go Simplify post_store.go to use PostgreSQL-only code paths: - Inline getParentsPostsPostgreSQL into getParentsPosts - Use PostgreSQL TO_CHAR/TO_TIMESTAMP for date formatting in analytics - Use PostgreSQL array syntax for batch deletes - Simplify determineMaxPostSize to always use information_schema - Use PostgreSQL jsonb subtraction for thread participants - Always execute RefreshPostStats (PostgreSQL materialized views) - Use materialized views for AnalyticsPostCountsByDay - Simplify AnalyticsPostCountByTeam to always use countByTeam * Remove driver checks in channel_store.go Simplify channel_store.go to use PostgreSQL-only code paths: - Always use sq.Dollar.ReplacePlaceholders for UNION queries - Use PostgreSQL LEFT JOIN for retention policy exclusion - Use PostgreSQL jsonb @> operator for access control policy imports - Simplify buildLIKEClause to always use LOWER() for case-insensitive search - Simplify buildFulltextClauseX to always use PostgreSQL to_tsvector/to_tsquery - Simplify searchGroupChannelsQuery to use ARRAY_TO_STRING/ARRAY_AGG * Remove driver checks in file_info_store.go Simplify file_info_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL to_tsvector/to_tsquery for file search - Use file_stats materialized view for CountAll() - Use file_stats materialized view for GetStorageUsage() when not including deleted - Always execute RefreshFileStats() for materialized view refresh * Remove driver checks in attributes_store.go Simplify attributes_store.go to use PostgreSQL-only code paths: - Always execute RefreshAttributes() for materialized view refresh - Remove isPostgreSQL parameter from generateSearchQueryForExpression - Always use PostgreSQL LOWER() LIKE LOWER() syntax for case-insensitive search * Remove driver checks in retention_policy_store.go Simplify retention_policy_store.go to use PostgreSQL-only code paths: - Remove isPostgres parameter from scanRetentionIdsForDeletion - Always use pq.Array for scanning retention IDs - Always use pq.Array for inserting retention IDs - Remove unused json import * Remove driver checks in property stores Simplify property_field_store.go and property_value_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL type casts (::text, ::jsonb, ::bigint, etc.) - Remove isPostgres variable and conditionals * Remove driver checks in channel_member_history_store.go Simplify PermanentDeleteBatch to use PostgreSQL-only code path: - Always use ctid-based subquery for DELETE with LIMIT * Remove remaining driver checks in user_store.go Simplify user_store.go to use PostgreSQL-only code paths: - Use LEFT JOIN for bot exclusion in AnalyticsActiveCountForPeriod - Use LEFT JOIN for bot exclusion in IsEmpty * Simplify fulltext search by consolidating buildFulltextClause functions Remove convertMySQLFullTextColumnsToPostgres and consolidate buildFulltextClause and buildFulltextClauseX into a single function that takes variadic column arguments and returns sq.Sqlizer. * Simplify SQL stores leveraging PostgreSQL-only support - Simplify UpdateMembersRole in channel_store.go and team_store.go to use UPDATE...RETURNING instead of SELECT + UPDATE - Simplify GetPostReminders in post_store.go to use DELETE...RETURNING - Simplify DeleteOrphanedRows queries by removing MySQL workarounds for subquery locking issues - Simplify UpdateUserLastSyncAt to use UPDATE...FROM...RETURNING instead of fetching user first then updating - Remove MySQL index hint workarounds in ORDER BY clauses - Update outdated comments referencing MySQL - Consolidate buildFulltextClause and remove convertMySQLFullTextColumnsToPostgres * Remove MySQL-specific test artifacts - Delete unused MySQLStopWords variable and stop_word.go file - Remove redundant testSearchEmailAddressesWithQuotes test (already covered by testSearchEmailAddresses) - Update comment that referenced MySQL query planning * Remove MySQL references from server code outside sqlstore - Update config example and DSN parsing docs to reflect PostgreSQL-only support - Remove mysql:// scheme check from IsDatabaseDSN - Simplify SanitizeDataSource to only handle PostgreSQL - Remove outdated MySQL comments from model and plugin code * Remove MySQL references from test files - Update test DSNs to use PostgreSQL format - Remove dead mysql-replica flag and replicaFlag variable - Simplify tests that had MySQL/PostgreSQL branches * Update docs and test config to use PostgreSQL - Update mmctl config set example to use postgres driver - Update test-config.json to use PostgreSQL DSN format * Remove MySQL migration scripts, test data, and docker image Delete MySQL-related files that are no longer needed: - ESR upgrade scripts (esr.*.mysql.*.sql) - MySQL schema dumps (mattermost-mysql-*.sql) - MySQL replication test scripts (replica-*.sh, mysql-migration-test.sh) - MySQL test warmup data (mysql_migration_warmup.sql) - MySQL docker image reference from mirror-docker-images.json * Remove MySQL references from webapp - Simplify minimumHashtagLength description to remove MySQL-specific configuration note - Remove unused HIDE_MYSQL_STATS_NOTIFICATION preference constant - Update en.json i18n source file * clean up e2e-tests * rm server/tests/template.load * Use teamMemberSliceColumns() in UpdateMembersRole RETURNING clause Refactor to use the existing helper function instead of hardcoding the column names, ensuring consistency if the columns are updated. * u.id -> u.Id * address code review feedback --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-20 21:01:59 +00:00
Jesse Hallam	6ef73af2cc	MM-65960: Avoid replica race lag when accessing TelemetryID (#34586) ... * avoid replica race lag when remembering ServerID In an HA environment, with a master and read replica, querying the server id from the store runs the risk of returning a value saved to master but not yet replicated. Avoid this by using the telemetry service value directly when available. Fixes: MM-65960 * Add Get(ByName)WithContext * explicitly use master for ServerId * mock GetByNameWithContext * more mocking * more mocks	2025-12-11 17:34:36 -04:00
Jesse Hallam	219530c82c	Add fast test hasher to speed up CI tests (#34707) ... The production password hasher uses PBKDF2 with 600,000 iterations, which is slow especially when combined with race detection. This adds a fast test hasher (work factor 1) that can be used during tests to speed up user creation. The fast hasher is only available in non-production builds via build tags, ensuring it cannot be used in production.	2025-12-11 09:46:21 -04:00
Nick Misasi	91dfcbbdd1	Integration permission management changes (#34421) ... * Support for permissions allowing end users to create and manage their own integrations if sysadmin deems necessary * Adjustments based on new understanding * remove extra functions now that we've consolidated * Fix webapp i18n * Update snapshots * Fix test * Fix some tests, refactor some more, and add a few extra * fix linter * Update snapshots * Fix test * Missed some cleanup * Fix e2e * Fi * Fix * Fixes from PR feedback * Update snapshots * Fix tests * Fix slash command list endpoint per PR feedback. Remove changes around OAuth Apps * Further reversions of oauth stuff * Update tests * Small changes to fix when customOnly=false * Remove extra perm from cypress * Fixes from Eva's feedback * Fix i18n * More fixing * More fixing	2025-11-13 11:12:30 +00:00
Jesse Hallam	8cace74692	MM-64486: Remove telemetry (#33606) ... * MM-64486: Remove telemetry Remove telemetry from Mattermost. We're no longer relying on Rudder upstream, and no longer making use of this information. * recover mock for SystemStore.Get * Fix TestClearPushNotificationSync by adding missing SystemStore mock The test was failing because the SystemStore mock was missing the Get() method that's required by the ServerId() function. Added the missing mock to return a StringMap with SystemServerId. * fix mocking issue * Remove now-unused telemetry and constants * Remove "Disable telemetry events" debug setting * Remove empty functions * Remove most "Telemetry tracking removed" comments * Remove remains of DataPrefetch telemetry * Remove now-unused prop from InviteMembersButton * Remove trackDotMenuEvent * Remove some more leftover comments * Remove lingering logic related to trackingLocation * Remove now-unused argument from useCopyText * Remove lingering telemetry references from PreparingWorkspace * fixup Remove trackDotMenuEvent * Remove lingering telemetry references from signup page and password check * Update snapshots and fix test broken by my changes * Fix unintended behavior change in thread list filtering Remove handleSetFilter wrapper that was accidentally modified during telemetry removal. The function was calling clear() when switching to unread filter, which was not the original behavior. Use setFilter directly instead, restoring the original functionality. * Remove unused useOpenDowngradeModal hook The useOpenDowngradeModal hook was not being used anywhere in the codebase. * Remove unused expandableLink from useExpandOverageUsersCheck The expandableLink return value was not being used by any components. * Re-add missing TeamLinkClicked performance telemetry The mark(Mark.TeamLinkClicked) call was accidentally removed from the handleSwitch function. This telemetry is needed for Looker-based performance tracking. * drop LogSettings.VerboseDiagnostics --------- Co-authored-by: Harrison Healey <harrisonmhealey@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-04 18:46:18 +00:00
Harshil Sharma	bcfd7eff86	Post properties (#33395) ... * WIP * Added post flagging properties setup * Added tests * Removed error in app startup when content flaghging setup fails * Updated sync condition: * WIP * MOved to data migration * lint fix * CI * added new migration mocks * Used setup for tests * some comment * removed empty files * Added another property field * WIP * Updated test * Stored version in system key * fixed tests	2025-08-20 12:22:13 +05:30
Ben Schumacher	ac90cdbb97	[MM-63805] Don't throw a MFA warning for unauthenticated plugin requests (#30795) ... * Don't throw a MFA warning for unauthenticated requests * Always clean Authorization header * Remove log message from GetSession * Rewrite ServePluginPublicRequest for clarity * Move CSRF validation into seperate method * Update test * linter * Fix logger access * Add log message if check fails * Improve error messanges for internal errors * linter fixes * Add comprehensive tests * Cleanup tests and token parser * Add case-insensitive authentication header tests Tests authentication with lowercase 'bearer' and uppercase 'TOKEN' prefixes to ensure header parsing is case-insensitive. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * casing * Update server/channels/app/plugin_requests.go Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> --------- Co-authored-by: Claude <noreply@anthropic.com>	2025-08-18 11:17:33 +02:00
Agniva De Sarker	41e88b74ac	MM-61407: Remove Bleve (#33430) ... https://mattermost.atlassian.net/browse/MM-61407 ```release-note NONE ``` * webapp i18n ```release-note NONE ``` * Fix e2e tests ```release-note NONE ``` * fix roles in e2e tests ```release-note NONE ``` * some review comments ```release-note NONE ``` * add back permissions to deprecated list ```release-note NONE ```	2025-07-31 09:35:29 +05:30
Pablo Vélez	206c741226	Mm 64495 manage access rules permissions (#31658) ... * MM-6449 - manage channel access rules permissions backend part * add the system console changes to show the new permission --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-07-25 12:30:10 +02:00
Agniva De Sarker	9dd8c056e7	MM-63368: Remove MySQL (#33458) ... https://mattermost.atlassian.net/browse/MM-63368 ```release-note Remove MySQL support from the codebase entirely. ```	2025-07-22 20:40:55 +05:30
Claudio Costa	611b2a8e79	[MM-62408] Server Code Coverage with Fully Parallel Tests (#30078) ... * TestPool * Store infra * Store tests updates * Bump maximum concurrent postgres connections * More infra * channels/jobs * channels/app * channels/api4 * Protect i18n from concurrent access * Replace some use of os.Setenv * Remove debug * Lint fixes * Fix more linting * Fix test * Remove use of Setenv in drafts tests * Fix flaky TestWebHubCloseConnOnDBFail * Fix merge * [MM-62408] Add CI job to generate test coverage (#30284) * Add CI job to generate test coverage * Remove use of Setenv in drafts tests * Fix flaky TestWebHubCloseConnOnDBFail * Fix more Setenv usage * Fix more potential flakyness * Remove parallelism from flaky test * Remove conflicting env var * Fix * Disable parallelism * Test atomic covermode * Disable parallelism * Enable parallelism * Add upload coverage step * Fix codecov.yml * Add codecov.yml * Remove redundant workspace field * Add Parallel() util methods and refactor * Fix formatting * More formatting fixes * Fix reporting	2025-05-30 13:58:26 +02:00
Jesse Hallam	31a8047973	Disable morph logging during TestMain (#30948) ... * rm "No TEST_DATABASE... override" log message Let's only log if this value is actually overridden. * rm "(Created|Dropped) temporary database" message * only log "Pinging SQL" on subsequent attempts * disable morph logging from TestMain * Fix style issues in store test files - Add missing parameter to migrate() function calls in tests - Remove unused log function in settings.go - Fix formatting with go fmt 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * within sqlstore, use "enable" vs "disable" for clarity * remove trailing newline from morph logs --------- Co-authored-by: Claude <noreply@anthropic.com>	2025-05-21 17:31:18 +00:00
David Krauser	4b64eb0e39	Handle error returned by GetClusterInfos() (#30919) ... A recent change to the enterprise cluster code introduced a change to the enterprise API interface. GetClusterInfos() can now return an error. This commit introduces code to handle that error.	2025-05-12 13:37:58 -04:00
Harshil Sharma	a5e68639c2	Channel banner permissions (#30917) ... * Fixed save state panel for channel banner * Defined default background color * Updated test * WIP * wip * removed unused param * Updated tests * CI * Fixed mmctl test * Fixed TestDoAdvancedPermissionsMigration test * Test update * lint fix * lint fix --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-05-06 14:03:35 +05:30
Daniel Espino García	7999239ccf	Add system console settings for mobile security (#30456) ... * Add config settings for additional security features on mobile * Add system console settings for mobile security * Update svg and link * Fix strings * Add test for the discovery feature * Fix tests * Add permission migrations * Add relevant e2e tests * Fix key alignment * fix tests * Fix lint * Mock new migration * Fix playwright prettier * Add new section to delegated permissions * Update snapshots * Fix flakyness in playwright test --------- Co-authored-by: Elias Nahum <nahumhbl@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-03-27 13:13:20 +01:00
Scott Bishel	b26c43e716	Permission changes (#29570) ... * update permission mistakes * add getAnalytics to TeamStatistics * add PermissionGetAnalytics to ReadTeamStatistics * add mocks for migrations --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-01-27 16:28:27 +00:00
Julien Tant	b41b968eb8	restrict access to channel converstion to public for non team admin+ (#29819)	2025-01-23 09:42:20 -07:00
Agniva De Sarker	cb75a20c54	MM-61904: Make reliable websockets work in HA (#29489) ... We do a cluster request to get the active and dead queues from other nodes in the cluster to sync any missing information. We check the dead queue in the other nodes to see if there's been any message loss or not. Accordingly, we send just the active queue or both active and dead queues. There's still an edge case that is left out where a client could have potentially connected and reconnected to multiple nodes leaving multiple active queues in multiple nodes. We don't handle this scenario because then potentially we need to create a slice of sendQueueSize * number_of_nodes. And then this can happen again, leading to an infinite increase in sendQueueSize. We leave this edge-case to Redis, acknowledging a limitation in our architecture. In this PR, when there's no message loss, we just take the active queue from the last node it connected to. And if there's message loss where the client's seqNum is within the last node's dead queue, we also handle that. But if there's severe message loss where the client's seqNum falls within the dead queue of another node, then we just send the data from that node to reconstruct the data as much as possible. It could be possible to set a new connection ID in this case, but this involves more data transfer always from all nodes and recomputing the state in the requestor node. https://mattermost.atlassian.net/browse/MM-61904 ```release-note NONE ``` Co-authored-by: Mattermost Build <build@mattermost.com>	2025-01-17 11:11:32 +05:30
Miguel de la Cruz	ecdce71fc4	Adds the main Property System Architecture components (#29644) ... * Adds the main Property System Architecture components This change adds the necessary migrations for the Property Groups, Fields and Values tables to be created, the store layer and a Property Service that can be used from the app layer. * Update property field type to use user instead of person * Update PropertyFields to allow for unique nondeleted fields and remove redundant indexes * Update PropertyValues to allow for unique nondeleted fields and remove redundant indexes * Use StringMap instead of the map[string]any on property fields * Add i18n strings * Revert "Use StringMap instead of the map[string]any on property fields" This reverts commit e2735ab0f8. * Cast JSON binary data to string and add todo note for StringMap use * Add mocks to the retrylayer tests * Cast JSON binary data to string in property value store * Check for binary parameter instead of casting to string for JSON data * Check property field type is one of the allowed ones * Avoid reusing err variable to be explicit about the returned value * Merge Property System Migrations into one file * Adds NOT NULL to timestamps at the DB level * Update stores to use tableSelectQuery instead of a slice var * Update PropertyField model translations to be more explicit and avoid repetition * Update PropertyValue model translations to be more explicit and avoid repetition * Use ExecBuilder instead of ToSql&Exec * Update property field errors to add context * Ensure PerPage is greater than zero * Update store errors to give more context * Use ExecBuilder in the property stores where possible * Add an on conflict suffix to the group register to avoid race conditions * Remove badly used translation string * Remove unused get in register group method --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-01-13 11:41:44 +00:00
Jesse Hallam	5369f8b36b	s/Get(Master|Replica)X/Get\1/g (#29520) ... Drop the legacy `X` suffix from `GetMasterX` and `GetReplicaX`. The presence of the suffix suggests there's a `non-X` version: but in fact we migrated these away a long time ago, so remove the cognitive overhead. As an aside, this additionally helps avoid trip up LLMs that interpret this as "something to fix".	2024-12-10 09:57:19 -04:00
Agniva De Sarker	a6d37fa14c	MM-61887: Log the userID if a metric exceeds the last histogram bucket (#29448) ... We create a custom histogram metric that logs the userID when the observed value is greater or equal to the last bucket value. This allows us to start tracking the slowest users of a system while at the same time not polluting the Prometheus metrics by storing a userID for every observation. https://mattermost.atlassian.net/browse/MM-61887 ```release-note NONE ```	2024-12-05 09:12:54 +05:30
Agniva De Sarker	7f032b0b39	MM-61524: Fix flaky test RedisPubSub (#29311) ... - We refactor some of the testlib assertion code and add a new function to just return true or false. https://mattermost.atlassian.net/browse/MM-61524 ```release-note NONE ```	2024-11-18 14:55:34 +05:30
mas-who	f48fd7b791	GH-28752 fix errcheck lint issues in server/channels/testlib/helper.go (#29260)	2024-11-14 13:13:45 +01:00
Ben Schumacher	2b426573cd	[MM-60619] Annotate cluster logs messages (#28268)	2024-09-27 09:17:16 +02:00
Scott Bishel	0c585bdac6	MM-59529 Set Channel/Team Admin permissions if All members get set (#28104) ... * initial fix * cleanup code * move struct back * fix unit test * add unit tests * add comments * add manage_bookmark permissions * revert package-lock.json --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2024-09-10 11:26:55 -06:00