687 commits

Author	SHA1	Message	Date
Carlos Garcia	2be57a7ec0	adds team member data sanitizing (#35562) ... * adds team member data sanitizing * assert using require * adds data sanitizing to team members for user endpoint * team admin data visibility now tests with different user	2026-04-09 16:12:15 +02:00
Pavel Zeman	d1ca297721	Revert "Strip remote_id field from user patch API requests (#35910)" (#35996) ... This reverts commit fc9d3be368 which introduced a CI regression.	2026-04-09 05:06:42 -04:00
JG Heithcock	fc9d3be368	Strip remote_id field from user patch API requests (#35910) ... * Strip remote_id from user patch API requests * Ignore remote_id in user update API endpoints Add SetUserRemoteID test helper in testlib to set remote_id via direct SQL, bypassing the now-protected store Update method. Update existing tests in app and api4 packages to use the new helper. --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-08 21:47:57 -07:00
Pavel Zeman	6fdef8c9cc	ci: enable fullyparallel mode for server tests (#35816) ... * ci: enable fullyparallel mode for server tests Replace os.Setenv, os.Chdir, and global state mutations with parallel-safe alternatives (t.Setenv, t.Chdir, test hooks) across 37 files. Refactor GetLogRootPath and MM_INSTALL_TYPE to use package-level test hooks instead of environment variables. This enables gotestsum --fullparallel, allowing all test packages to run with maximum parallelism within each shard. Co-authored-by: Claude <claude@anthropic.com> * ci: split fullyparallel from continue-on-error in workflow template - Add new boolean input 'allow-failure' separate from 'fullyparallel' - Change continue-on-error to use allow-failure instead of fullyparallel - Update server-ci.yml to pass allow-failure: true for test coverage job - Allows independent control of parallel execution and failure tolerance Co-authored-by: Claude <claude@anthropic.com> * fix: protect TestOverrideLogRootPath with sync.Mutex for parallel tests - Replace global var TestOverrideLogRootPath with mutex-protected functions - Add SetTestOverrideLogRootPath() and getTestOverrideLogRootPath() functions - Update GetLogRootPath() to use thread-safe getter - Update all test files to use SetTestOverrideLogRootPath() with t.Cleanup() - Fixes race condition when running tests with t.Parallel() Co-authored-by: Claude <claude@anthropic.com> * fix: configure audit settings before server setup in tests - Move ExperimentalAuditSettings from UpdateConfig() to config defaults - Pass audit config via app.Config() option in SetupWithServerOptions() - Fixes audit test setup ordering to configure BEFORE server initialization - Resolves CodeRabbit's audit config timing issue in api4 tests Co-authored-by: Claude <claude@anthropic.com> * fix: implement SetTestOverrideLogRootPath mutex in logger.go The previous commit updated test callers to use SetTestOverrideLogRootPath() but didn't actually create the function in config/logger.go, causing build failures across all CI shards. This commit: - Replaces the exported var TestOverrideLogRootPath with mutex-protected unexported state (testOverrideLogRootPath + testOverrideLogRootMu) - Adds exported SetTestOverrideLogRootPath() setter - Adds unexported getTestOverrideLogRootPath() getter - Updates GetLogRootPath() to use the thread-safe getter - Fixes log_test.go callers that were missed in the previous commit Co-authored-by: Claude <claude@anthropic.com> * fix(test): use SetupConfig for access_control feature flag registration InitAccessControlPolicy() checks FeatureFlags.AttributeBasedAccessControl at route registration time during server startup. Setting the flag via UpdateConfig after Setup() is too late — routes are never registered and API calls return 404. Use SetupConfig() to pass the feature flag in the initial config before server startup, ensuring routes are properly registered. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore BurnOnRead flag state in TestRevealPost subtest The 'feature not enabled' subtest disables BurnOnRead without restoring it via t.Cleanup. Subsequent subtests inherit the disabled state, which can cause 501 errors when they expect the feature to be available. Add t.Cleanup to restore FeatureFlags.BurnOnRead = true after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore EnableSharedChannelsMemberSync flag via t.Cleanup The test disables EnableSharedChannelsMemberSync without restoring it. If the subtest exits early (e.g., require failure), later sibling subtests inherit a disabled flag and become flaky. Add t.Cleanup to restore the flag after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * Fix test parallelism: use instance-scoped overrides and init-time audit config Replace package-level test globals (TestOverrideInstallType, SetTestOverrideLogRootPath) with fields on PlatformService so each test gets its own instance without process-wide mutation. Fix three audit tests (TestUserLoginAudit, TestLogoutAuditAuthStatus, TestUpdatePasswordAudit) that configured the audit logger after server init — the audit logger only reads config at startup, so pass audit settings via app.Config() at init time instead. Also revert the Go 1.24.13 downgrade and bump mattermost-govet to v2.0.2 for Go 1.25.8 compatibility. * Fix audit unit tests * Fix MMCLOUDURL unit tests * Fixed unit tests using MM_NOTIFY_ADMIN_COOL_OFF_DAYS * Make app migrations idempotent for parallel test safety Change System().Save() to System().SaveOrUpdate() in all migration completion markers. When two parallel tests share a database pool entry, both may race through the check-then-insert migration pattern. Save() causes a duplicate key fatal crash; SaveOrUpdate() makes the second write a harmless no-op. * test: address review feedback on fullyparallel PR - Use SetLogRootPathOverride() setter instead of direct field access in platform/support_packet_test.go and platform/log_test.go (pvev) - Restore TestGetLogRootPath in config/logger_test.go to keep MM_LOG_PATH env var coverage; test uses t.Setenv so it runs serially which is fine (pvev) - Fix misleading comment in config_test.go: code uses t.Setenv, not os.Setenv (jgheithcock) Co-authored-by: Claude <claude@anthropic.com> * fix: add missing os import in post_test.go The os import was dropped during a merge conflict resolution while burn-on-read shared channel tests from master still use os.Setenv. Co-authored-by: Claude <claude@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com> Co-authored-by: wiggin77 <wiggin77@warpmail.net> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-08 20:48:36 -04:00
Jesse Hallam	71ca373de7	Generate instead of hard-coding test passwords, enforce new minimum for FIPS, shard CI, fix FIPS builds (#35905) ... * Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>	2026-04-08 16:49:43 -03:00
Doug Lauder	5b76fb11a5	MM-67647: Rename shared_channel_manager roles to follow system_ prefix convention (#35944) ... * Rename shared_channel_manager and secure_connection_manager roles to use system_ prefix The new roles added in PR #35354 broke the naming convention that all system-level roles stored in Users.Roles are prefixed with "system_". Client-side code (role.includes('system')) and server-side code (explicit switch cases in applyMultiRoleFilters) relied on this convention, causing users assigned to these roles to not appear in the System Console. Also adds both roles to the applyMultiRoleFilters switch statement in user_store.go, which was missing them entirely.	2026-04-08 08:01:33 -04:00
JG Heithcock	8eb9863215	Redact password reset token from audit log (#35911) ... Log only a 5-character prefix of the password reset token in audit entries instead of the full 64-character bearer credential (CWE-532). Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-07 10:55:16 -07:00
Doug Lauder	540ccc599b	MM-68179: Run sendLoop workers on all HA nodes (#35909) ... * MM-68179: Run sendLoop workers on all HA nodes In HA clusters, sendLoop worker goroutines only ran on the leader node. When an API request to send a channel invite landed on a non-leader node, SendMsg enqueued the task to a local in-memory channel but no goroutine consumed it, silently losing the message. Fix by starting sendLoop workers in Start() on all nodes, independent of the leader-only ping lifecycle. - Separate sendLoop lifecycle (Start/Shutdown) from ping lifecycle (pingStart/pingStop on leader change) - Rename resume/pause to pingStart/pingStop for clarity - Change Active() to mean "service started" via atomic.Bool - Remove SetActive (no longer needed; tests use Start()) * address review comment * Added idempotency guard to Start() * Start() and Shutdown(): CompareAndSwap instead of Load/Store — eliminates races where concurrent calls could both proceed. Only the winner of the CAS executes; the loser returns nil immediately. Ping test: replaced time.Sleep with assert.Never/assert.Eventually — no more brittle fixed sleeps. Uses assert.Never to verify no pings fire on non-leader, and assert.Eventually to verify pings stop after losing leadership (snapshot-then-compare pattern). * make unit tests parallel capable --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-07 18:49:54 +02:00
Doug Lauder	3888a69479	MM-68158: Fix shared channel remote display and notify UI on invite completion (#35908) ... * MM-68158: Fix shared channel remote display and add WebSocket notification Fix getSharedChannelRemotes API handler passing ChannelId instead of RemoteId to GetRemoteCluster, which always failed the lookup. Add RemoteId to SharedChannelRemoteStatus model and store query. Add shared_channel_remote_updated WebSocket event published from the onInvite callback so the UI refreshes its cached remote names when the async invite completes, instead of showing the generic "Shared with trusted organizations" fallback. * Improved unit tests per review comments	2026-04-03 02:06:01 -04:00
Nick Misasi	f4d1abe7e8	MM-68140: Validate post read access before rewrite thread context (#35864) ... Ensure thread context for message rewrite is only built when the session may read the anchor post, and surface context build failures to the client. Made-with: Cursor	2026-04-01 02:07:45 -07:00
Nick Misasi	c81d0ddd73	Ability to E2E AI Bridge features + Initial Recaps E2E (#35541) ... * Add shared AI bridge seam Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add AI bridge test helper API Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add AI bridge seam test coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add Playwright AI bridge recap helpers Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap channel persistence test Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Restore bridge client compatibility shim Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Expand recap card in Playwright spec Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Recaps e2e test coverage (#35543) * Add Recaps Playwright page object Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Expand AI recap Playwright coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Format recap Playwright coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap regeneration test flows Co-authored-by: Nick Misasi <nick13misasi@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> * Fix AI bridge lint and OpenAPI docs Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap lint shadowing Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Stabilize failed recap regeneration spec Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fill AI bridge i18n strings Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix i18n * Add service completion bridge path and operation tracking fields Extend AgentsBridge with CompleteService for service-based completions, add ClientOperation/OperationSubType tracking to BridgeCompletionRequest, and propagate operation metadata through to the bridge client. Made-with: Cursor * Fill empty i18n translation strings for enterprise keys The previous "Fix i18n" commit added 145 i18n entries with empty translation strings, causing the i18n check to fail in CI. Fill in all translations based on the corresponding error messages in the enterprise and server source code. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix i18n * Fix i18n again * Rename Complete/CompleteService to AgentCompletion/ServiceCompletion Align the AgentsBridge interface method names with the underlying bridge client methods they delegate to (AgentCompletion, ServiceCompletion). Made-with: Cursor * Refactor * Add e2eAgentsBridge implementation The new file was missed from the prior refactor commit. Made-with: Cursor * Address CodeRabbit review feedback - Add 400 BadRequest response to AI bridge PUT endpoint OpenAPI spec - Add missing client_operation, operation_sub_type, service_id fields to AIBridgeTestHelperRecordedRequest schema - Deep-clone nested JSON schema values in cloneJSONOutputFormat - Populate ChannelID on recap summary bridge requests - Fix msg_count assertion to mention_count for mark-as-read verification - Make AgentCompletion/ServiceCompletion mutex usage atomic Made-with: Cursor * fix(playwright): align recaps page object with placeholder and channel menu Made-with: Cursor * fix(playwright): update recaps expectEmptyState to match RecapsList empty state After the master merge, the recaps page now renders RecapsList's "You're all caught up" empty state instead of the old placeholder. Made-with: Cursor * chore(playwright): update package-lock.json after npm install Made-with: Cursor * Revert "chore(playwright): update package-lock.json after npm install" This reverts commit 95c670863a. * style(playwright): fix prettier formatting in recaps page object Made-with: Cursor * fix(playwright): handle both recaps empty states correctly The recaps page has two distinct empty states: - Setup placeholder ("Set up your recap") when allRecaps is empty - RecapsList caught-up state ("You're all caught up") when the filtered tab list is empty Split expectEmptyState into expectSetupPlaceholder and expectCaughtUpEmptyState, used by the delete and bridge-unavailable tests respectively. Made-with: Cursor --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 16:20:47 +00:00
Scott Bishel	30837f7c4e	move error back to logging warning...as caused breaking change (#35841) ... * move error back to logging warning...as caused breaking change * remove unnecessary translation * update test expectations * revert test changes	2026-03-27 11:29:56 -06:00
Miguel de la Cruz	dad9cab483	Add guards to avoid cards being created when the integrated boards feature flag is disabled (#35836)	2026-03-27 08:51:29 -07:00
Carlos Garcia	a19cc4b909	improves time limit checks (#35638) ... * improves time limit checks * consistently check for presence of patch fields * fix variable shadowing in test * allow idempotent pinning operations with time limit expired * new utility function for post limit time check * fix style issue	2026-03-27 16:29:06 +01:00
Miguel de la Cruz	48f2fd0873	Merge the Integrated Boards MVP feature branch (#35796) ... * Add CreatedBy and UpdatedBy to the properties fields and values (#34485) * Add CreatedBy and UpdatedBy to the properties fields and values * Fix types --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds ObjectType to the property fields table (#34908) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Update ObjectType migration setting an empty value and marking the column as not null (#34915) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds uniqueness mechanisms to the property fields (#35058) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Fixing retrylayer mocks * Remove retrylayer duplication * Address review comments * Fix comment to avoid linter issues * Address PR comments * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.down.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update field validation to check only for valid target types * Update migrations to avoid concurrent index creation within a transaction * Update migrations to make all index ops concurrent * Update tests to use valid PSAv2 property fields * Adds a helper for valid PSAv2 TargetTypes --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Fix property tests (#35388) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards feature flag (#35378) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards MVP API changes (#34822) This PR includes the necessary changes for channels and posts endpoints and adds a set of generic endpoints to retrieve and manage property fields and values following the new Property System approach. Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com> * Property System Architecture permissions for v2 (#35113) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Fix i18n sorting --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Add Views store and app layer (#35361) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor test loops in ViewStore tests for improved readability * change pagination to limit/offset * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * MM-67388, MM-66528, MM-67750: Add View REST API endpoints, websocket events, and sort order (#35442) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Add View API endpoints with OpenAPI spec, client methods, and i18n Implement REST API for channel views (board-type) behind the IntegratedBoards feature flag. Adds CRUD endpoints under /api/v4/channels/{channel_id}/views with permission checks matching the channel bookmark pattern. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add cursor-based pagination to View API for channel views * Enhance cursor handling in getViewsForChannel and update tests for pagination * Refactor test loops in ViewStore tests for improved readability * Refactor loop in TestGetViewsForChannel for improved readability * change pagination to limit/offset * switch to limit/offset pagination * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add view sort order API endpoint Add POST /api/v4/channels/{channel_id}/views/{view_id}/sort_order endpoint following the channel bookmarks reorder pattern. Includes store, app, and API layers with full test coverage at each layer. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add connectionId to view WebSocket events and sort_order API spec Thread connectionId from request header through all view handlers (create, update, delete, sort_order) to WebSocket events, matching the channel bookmarks pattern. Add sort_order endpoint to OpenAPI spec. Update minimum server version to 11.6. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove duplicate View/ViewPatch definitions from definitions.yaml The merge from integrated-boards-mvp introduced duplicate View and ViewPatch schema definitions that were already defined earlier in the file with more detail (including ViewBoardProps ref and enums). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update minimum server version to 11.6 in views API spec Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add missing translations for view sort order error messages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Merge integrated-boards-mvp into ibmvp_api-views; remove spec files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix flaky TestViewStore timestamp test on CI Add sleep before UpdateSortOrder to ensure timestamps differ, preventing same-millisecond comparisons on fast CI machines. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * remove duplicate views.yaml imclude * Use c.boolString() for include_deleted query param in GetViewsForChannel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix views.yaml sort order schema: use integer type and require body Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor view sort order tests to use named IDs instead of array indices Extract idA/idB/idC from views slice and add BEFORE/AFTER comments to make stateful subtest ordering easier to follow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Return 404 instead of 403 for view operations on deleted channels Deleted channels should appear non-existent to callers rather than revealing their existence via a 403. Detailed error text explains the context for debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * add missing channel deleteat checks * Use c.Params.Page instead of manual page query param parsing in getViewsForChannel c.Params already validates and defaults page/per_page, so the manual parsing was redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add support for total count in views retrieval * Add tests for handling deleted views in GetViewsForChannel and GetView * Short-circuit negative newIndex in UpdateSortOrder before opening transaction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add per-channel limit on views to bound UpdateSortOrder cost Without a cap, unbounded view creation makes sort-order updates increasingly expensive (CASE WHEN per view, row locks). Adds MaxViewsPerChannel=50 constant and enforces it in the app layer before saving. Includes API and app layer tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove include_deleted support from views API Soft-deleted views are structural metadata with low risk, but no other similar endpoint (e.g. channel bookmarks) exposes deleted records without an admin gate. Rather than adding an admin-only permission check for consistency, remove the feature entirely since there is no current use case. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update view permissions to require `create_post` instead of channel management permissions * Remove obsolete view management error messages for direct and group messages --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * feat(migrations): add user tracking and object type to property fields - Introduced user tracking columns (CreatedBy, UpdatedBy) to PropertyFields and PropertyValues. - Added ObjectType column to PropertyFields with associated unique indexes for legacy and typed properties. - Created new migration scripts for adding and dropping these features, including necessary indexes for data integrity. - Established views for managing property fields with new attributes. This update enhances the schema to support better tracking and categorization of property fields. * Add Property System Architecture v2 API endpoints (#35583) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Require target_type filter when searching property fields * Add objectType validation as part of field.IsValid() * Fix linter * Fix test with bad objecttpye * Fix test grouping --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * MM-67968: Flatten view model — remove icon, subviews, typed board props (#35726) * feat(views): flatten view model by removing icon, subview, and board props Simplifies the View data model as part of MM-67968: removes Icon, Subview, and ViewBoardProps types; renames ViewTypeBoard to ViewTypeKanban; replaces typed Props with StringInterface (map[string]any); adds migration 000167 to drop the Icon column from the Views table. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * feat(api): update views OpenAPI spec to reflect flattened model Removes ViewBoardProps, Subview, and icon from the View and ViewPatch schemas. Changes type enum from board to kanban. Replaces typed props with a free-form StringInterface object. Aligns with MM-67968. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * refactor(views): simplify store by dropping dbView and marshalViewProps StringInterface already implements driver.Valuer and sql.Scanner, so the manual JSON marshal/unmarshal and the dbView intermediate struct were redundant. model.View now scans directly from the database. Also removes the dead ViewMaxLinkedProperties constant and wraps the Commit() error in UpdateSortOrder. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(api): allow arbitrary JSON in view props OpenAPI schema The props field was restricted to string values via additionalProperties: { type: string }, conflicting with the Go model's StringInterface (map[string]any). Changed to additionalProperties: true in View, ViewPatch, and inline POST schemas. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * Adds basic implementation of the generic redux store for PSAv2 (#35512) * Adds basic implementation of the generic redux store for PSAv2 * Add created_by and updated_by to the test fixtures * Make target_id, target_type and object_type mandatory * Wrap getPropertyFieldsByIds and getPropertyValuesForTargetByFieldIds with createSelector * Address PR comments --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds websocket messages for the PSAv2 API events (#35696) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Adds websocket messages for the PSAv2 API events * Add IsPSAv2 helper to the property field for clarity * Add guard against nil returns on field deletion * Add docs to the websocket endpoints --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * migrations: consolidate views migrations and reorder after master - Merged 000165 (create Views) with 000167 (drop Icon) since Icon was never needed - Renumbered branch migrations 159-166 → 160-167 so master's 000159 (deduplicate_policy_names) runs first - Regenerated migrations.list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add API endpoint to retrieve posts for a specific view (#35604) Automatic Merge * Apply fixes after merge * Return a more specific error from getting multiple fields * Prevent getting broadcast params on field deletion if not needed * Remove duplicated migration code * Update property conflict code to always use master * Adds nil guard when iterating on property fields * Check that permission level is valid before getting rejected by the database * Validate correctness on TargetID for PSAv2 fields * Avoid PSAv1 using permissions or protected * Fix test data after validation change * Fix flaky search test * Adds more posts for filter use cases to properly test exclusions --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> Co-authored-by: Julien Tant <julien@craftyx.fr> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Julien Tant <785518+JulienTant@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-27 10:36:35 +01:00
Pablo Vélez	7a339a6438	MM-68001 - enforce X-Requested-With header validation on BoR reveal endpoint (#35793) ... * MM-68001 - enforce X-Requested-With header validation on BoR reveal endpoint * adjust message --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-26 19:17:45 -05:00
Adam Schildkraut	656a0248eb	Fix datetime MinDate/MaxDate validation and add sub-day relative patterns (#35327) ... * Add H/M/S sub-day units to validateRelativePattern * Fix datetime MinDate/MaxDate to use validateDateTimeFormat * Add H/M/S sub-day resolution to resolveRelativeDateToMoment * Add minDateTime/maxDateTime props to DateTimeInput * Wire min_date/max_date resolution in AppsFormDateTimeField * Align client relative pattern bounds with server validation * Fix allowPastDates when minDateTime is in the past	2026-03-26 17:19:15 -06:00
Miguel de la Cruz	58dd9e1bb4	Add property system app layer architecture (#35157) ... * Refactor property system with app layer routing and access control separation Establish the app layer as the primary entry point for property operations with intelligent routing based on group type. This architecture separates access-controlled operations (CPA groups) from standard operations, improving performance and code clarity. Architecture Changes: - App layer now routes operations based on group type: - CPA groups -> PropertyAccessService (enforces access control) - Non-CPA groups -> PropertyService (direct, no access control) - PropertyAccessService simplified to handle only CPA operations - Eliminated redundant group type checks throughout the codebase * Move access control routing into PropertyService This change makes the PropertyService the main entrypoint for property related operations, and adds a routing mechanism to decide if extra behaviors or checks should run for each operation, in this case, the property access service logic. To add specific payloads that pluggable checks and operations may need, we use the request context. When the request comes from the API, the endpoints are in charge of adding the caller ID to the payload, and in the case of the plugin API, on receiving a request, the server automatically tags the context with the plugin ID so the property service can react accordingly. Finally, the new design enforces all these checks migrating the actual property logic to internal, non-exposed methods, so any caller from the App layer needs to go through the service checks that decide if pluggable logic is needed, avoiding any possibility of a bypass. * Fix i18n * Fix bad error string * Added nil guards to property methods * Add check for multiple group IDs on value operations * Add nil guard to the plugin checker * Fix build error * Update value tests * Fix linter * Adds early return when content flaggin a thread with no replies * Fix mocks * Clean the state of plugin property tests before each run * Do not wrap appErr on API response and fix i18n * Fix create property field test * Remove the need to cache cpaGroupID as part of the property service * Split the property.go file into multiple * Not found group doesn't bypass access control check * Unexport SetPluginCheckerForTests * Rename plugin context getter to be more PSA specific --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-03-26 07:54:50 +00:00
Christopher Poile	e738016c59	[MM-67143] Fix for custom slash command response URL (#34922) ... * require siteURL for external-facing slash cmds, use that as host * warn when rewriting the SiteURL of a custom slash command; test	2026-03-25 12:06:34 -04:00
Alejandro García Montoro	4f16a29cb5	MM-67793: Remove dependency on blang/semver/v4 (#35742) ... * Remove dependency on blang/semver/v4 Instead, consolidate on the usage of Masterminds/semver/v3 * Remove empty line * make modules-tidy	2026-03-25 13:41:33 +00:00
Ben Schumacher	76b8e3f5f7	[MM-66838] Update throttled library to v2.15.0 with Go modules support (#34657) ... Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-19 11:36:19 +01:00
Miguel de la Cruz	e39be2b7e5	Improves the Property System Architecture groups (#35395) ... * Improves the Property System Architecture groups The group creation for builtin property groups is moved from behaving like a singleton in the app layer (first call creates the group) to register groups and making sure they're present at server startup time. At the same time, it adds a groups cache as a sync map in the property service, to avoid having individual caches per feature as package variables, making the group caching part of the system. * Fix i18n * Fix test and calls after updating the branch * Avoid panics by controlling the errors * Adjust translations after merge --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-16 22:03:43 +01:00
David Krauser	090408f09f	[MM-67809] Check create post permission when editing posts (#35558)	2026-03-16 13:17:43 -04:00
Carlos Garcia	c9a4092ac0	keeps plugin config on reenablement (#35545) ... * keeps plugin config on reenablement * fixes local config patch on plugin reenablement	2026-03-12 19:36:05 +01:00
Maria A Nunez	2efee7ec28	Add single-channel guests filter and channel count column to System Console Users (#35517) ... * Add single-channel guests filter and channel count column to System Console Users - Add guest_filter query parameter to Reports API with store-level filtering by guest channel membership count (all, single_channel, multi_channel) - Add channel_count field to user report responses and CSV exports - Add grouped guest role filter options in the filter popover - Add toggleable Channel count column to the users table - Add GuestFilter and SearchTerm to Go client GetUsersForReporting - Add tests: API parsing, API integration, app job dedup, webapp utils, E2E column data rendering Made-with: Cursor * Fix gofmt alignment and isolate guest store tests - Align GuestFilter constants to satisfy gofmt - Move guest user/channel setup into a nested sub-test to avoid breaking existing ordering and role filter assertions Made-with: Cursor * Exclude archived channels from guest filter queries and ChannelCount The ChannelMembers subqueries for guest_filter (single/multi channel) and the ChannelCount column did not join with Channels to check DeleteAt = 0. Since channel archival soft-deletes (sets DeleteAt) but leaves ChannelMembers rows intact, archived channel memberships were incorrectly counted, potentially misclassifying guests between single-channel and multi-channel filters and inflating ChannelCount. - Join ChannelMembers with Channels (DeleteAt = 0) in all three subqueries in applyUserReportFilter and GetUserReport - Add store test covering archived channel exclusion - Tighten existing guest filter test assertions with found-flags and exact count checks Made-with: Cursor * Exclude DM/GM from guest channel counts, validate GuestFilter, fix dropdown divider - Scope ChannelCount and guest filter subqueries to Open/Private channel types only (exclude DM and GM), so a guest with one team channel plus a DM is correctly classified as single-channel - Add GuestFilter validation in UserReportOptions.IsValid with AllowedGuestFilters whitelist - Add API test for invalid guest_filter rejection (400) - Add store regression test for DM/GM exclusion - Fix role filter dropdown: hide the divider above the first group heading via CSS rule on DropDown__group:first-child - Update E2E test label to match "Guests in a single channel" wording Made-with: Cursor * Add store test coverage for private and GM channel types Private channels (type P) should be counted in ChannelCount and guest filters, while GM channels (type G) should not. Add a test that creates a guest with memberships in an open channel, a private channel, and a GM, then asserts ChannelCount = 2, multi-channel filter includes the guest, and single-channel filter excludes them. Made-with: Cursor * Add server i18n translation for invalid_guest_filter error The new error ID model.user_report_options.is_valid.invalid_guest_filter was missing from server/i18n/en.json, causing CI to fail. Made-with: Cursor * Make filter dropdown dividers full width Remove the horizontal inset from grouped dropdown separators so the system user role filter dividers span edge to edge across the menu. Leave the unrelated webapp/package-lock.json change uncommitted. Made-with: Cursor * Optimize guest channel report filters. Use per-user channel count subqueries for the single- and multi-channel guest filters so the report avoids aggregating all channel memberships before filtering guests.	2026-03-12 12:50:53 -04:00
Harshil Sharma	52858082fe	Anonymous URLs (#35493) ... * COmposing messages with redacted URLs * Handled non member channels * Some refinements * Optimizations * lint fixes * cleaned up hasObfuscatedSlug test * Fixed a test * Added system console setting * WIP * fixed channel seelection double selection bug * LInt fixes * i18n fixes * fixed test * CI * renamed setting * lint fixes * lint fixes * WIP * Combined TeamSignupDisplayNamePage and TeamUrl component into a single CreateTeamForm component * Converted CreateTeamForm to functional component * Refactored to mnake code cleaner * Handle team creation with setting enabled * Skipped team URL step if secure URL feature is enabled * Managed button text and steps in team creation flow * lint fixes * Don't register team URL path when using secure URL * Display team display name instead of name in system console top nav bar * Fixed tests * Fixed coderabbit issues * Fixed type errors * Optimization * improvements * Handled API errors during team creation when using secure URL setting * Some refinements * Added test * Updaetd tests, and trimming when reading instead of writing * Added tests for new components * Added BackstageNavbar tests * Restored package lock * lint fix * Updaetd plugin API * Updated team creation tests * Added tests for ChannelNameFormField * Added plugin API tests * Updated API terst * Review fixes * Added test for ConvertGmToChannelModal component * Added EA license check for secure urls feature * restored package lock * Fixed GM conversion test * Fixed team creation tests * remove message composition changes * remove message composition changes * remove message composition changes * restored a file * lint fix * renamed feature * used model.SafeDereference * Added E2E tests * add secure URL Playwright coverage Expand the secure URLs Playwright coverage to validate creation, routing, rename flows, system console configuration, and search/navigation behavior while adding the page objects needed to keep the tests maintainable. Made-with: Cursor * rename secure URLs copy to anonymous URLs Align the admin console and Playwright coverage with the Anonymous URLs feature name while preserving the existing UseAnonymousURLs config behavior and validating the renamed test surfaces. Made-with: Cursor * Update team creation CTA for anonymous URLs Show Create in the single-step anonymous URL flow while preserving Next and Finish in the standard team creation flow. Update unit and Playwright coverage to match the revised create-team UX. Made-with: Cursor --------- Co-authored-by: maria.nunez <maria.nunez@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-12 10:32:29 -04:00
Doug Lauder	162ed1bacd	MM-67684 Separate shared channel permissions from secure connection permissions (#35409) ... * Channel sharing operations (invite, uninvite, list shared channel remotes) now require ManageSharedChannels instead of ManageSecureConnections, allowing customers to delegate channel sharing without granting full connection management access. Endpoints serving both roles (getRemoteClusters, getSharedChannelRemotesByRemoteCluster) accept either permission. Also adds RequirePermission helpers on Context to reduce boilerplate across all remote cluster and shared channel handlers, and fixes a bug where invite/uninvite checked ManageSecureConnections but reported ManageSharedChannels in the error.	2026-03-11 15:53:06 -04:00
Ben Schumacher	b6e5264731	[MM-67739] Rename SlackAttachment to MessageAttachment across the codebase (#35445) ... Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-10 16:37:21 +01:00
Maria A Nunez	461db71178	Add single-channel guest tracking and reporting (#35451) ... * Add single-channel guest tracking and reporting - Add AnalyticsGetSingleChannelGuestCount store method to count guests in exactly one channel - Exclude single-channel guests from active user seat count in GetServerLimits - Add single-channel guest count to standard analytics response - Add Single-channel Guests card to System Statistics page with overage warning - Add Single-channel guests row to Edition and License page with overage styling - Add dismissible admin-only banner when single-channel guest limit is exceeded - Gate feature behind non-Entry SKU and guest accounts enabled checks - Re-fetch server limits on config changes for reactive UI updates - Fix label alignment in license details panel Made-with: Cursor * Refine single-channel guest tracking - Remove license GuestAccounts feature check from shouldTrackSingleChannelGuests (only config matters) - Re-add getServerLimits calls on page mount for fresh data - Remove config-change reactivity code (componentDidUpdate, useEffect) - Add server i18n translations for error strings - Sync webapp i18n via extract - Add inline comments for business logic - Restore struct field comments in ServerLimits model - Add Playwright E2E tests for single-channel guest feature - Fix label alignment in license details panel Made-with: Cursor * Guests over limit fixes and PR feedback * Fix linter issues and code quality improvements - Use max() builtin to clamp adjusted user count instead of if-statement (modernize linter) - Change banner type from ADVISOR to CRITICAL for proper red color styling Made-with: Cursor * Fix overage warnings incorrectly counting single-channel guests Single-channel guests are free and should not trigger license seat overage warnings. Update all overage checks to use serverLimits.activeUserCount (seat-adjusted, excluding SCG) instead of the raw total_users_count or TOTAL_USERS analytics stat. - UserSeatAlertBanner on License page: use serverLimits.activeUserCount - UserSeatAlertBanner on Site Statistics page: use serverLimits.activeUserCount - ActivatedUserCard display and overage check: use serverLimits.activeUserCount - OverageUsersBanner: use serverLimits.activeUserCount Made-with: Cursor * Use license.Users as fallback for singleChannelGuestLimit before limits load This prevents the SingleChannelGuestsCard from showing a false overage state before serverLimits has been fetched, while still rendering the card immediately on page load. Made-with: Cursor * Fix invite modal overage banner incorrectly counting single-channel guests Made-with: Cursor * Fix invitation modal tests missing limits entity in mock state Made-with: Cursor * Fix tests * Add E2E test for single-channel guest exceeded limit scenario Made-with: Cursor * Fix TypeScript errors in single channel guests E2E test Made-with: Cursor * Fix channel name validation error caused by unawaited async getRandomId() Made-with: Cursor * Add contextual tooltips to stat cards when guest accounts are enabled Made-with: Cursor * Code review feedback: query builder, readability, tooltips, and alignment fixes Made-with: Cursor * Fix license page tooltip alignment, width, and SaveLicense SCG exclusion Made-with: Cursor * Fix banner dismiss, license spacing, and add dismiss test Made-with: Cursor * Exclude DM/GM channels from single-channel guest count and fix E2E tests Filter the AnalyticsGetSingleChannelGuestCount query to only count memberships in public/private channels, excluding DMs and GMs. Update store tests with DM-only, GM-only, and mixed membership cases. Fix E2E overage test to mock the server limits API instead of skipping, and correct banner locator to use data-testid. Made-with: Cursor	2026-03-10 10:31:10 -04:00
Maria A Nunez	f1b9aa052e	Rename Content Flagging to Data Spillage Handling (#35407) ... * Rename Content Flagging to Data Spillage Handling Update all user-facing text to use "Data Spillage Handling" and "Quarantine for Review" terminology. Rename i18n keys that referenced content flagging. Auto-patch bot display name on pre-existing servers. Co-authored-by: Cursor <cursoragent@cursor.com> * Fixed searchable stringgs * Revert unintended package-lock.json changes Co-authored-by: Cursor <cursoragent@cursor.com> * Fix i18n extract check: correct typo and key ordering Fix "posed" -> "posted" typo in keep/remove quarantine modal defaultMessages. Move admin.contentFlagging.title to correct alphabetical position in en.json. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix webapp tests for Data Spillage Handling rename Update test assertions to match renamed i18n strings: notification settings, content reviewers, and additional settings tests now expect the new quarantine terminology. Co-authored-by: Cursor <cursoragent@cursor.com> * Use translatable i18n strings for notification messages Replace hardcoded "flagged for review" notification templates with i18n.T() calls using "quarantined for review" terminology. Add six new server i18n keys for author, reporter, and reviewer notifications. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix server i18n key mismatches and update test assertions Rename remaining app.content_flagging.* keys to app.data_spillage.* in server/i18n/en.json to match Go code references. Fix the quarantine_post_confirmation key name. Update test assertions to match new "quarantined for review" terminology. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix gofmt formatting in content_flagging.go Co-authored-by: Cursor <cursoragent@cursor.com> * Prevent nil bot on PatchBot failure in getContentReviewBot Use a separate variable for PatchBot result so the original bot is preserved if the display name update fails. Co-authored-by: Cursor <cursoragent@cursor.com> * Reorder server i18n keys after extract Run mmgotool i18n extract to sort entries into correct alphabetical order. Co-authored-by: Cursor <cursoragent@cursor.com> * Replace i18n.T() with fmt.Sprintf for notification messages and fix test assertions Use direct string formatting for bot notification messages instead of i18n translation keys, which were being removed by mmgotool i18n extract due to indirect key references. Also update test expectations for renamed error keys (content_flagging -> data_spillage). Co-authored-by: Cursor <cursoragent@cursor.com> * Update default quarantine reasons to DISC-aligned terminology Replace generic content moderation reasons with defense/intelligence sector terminology: Classification mismatch, Need-to-know violation, PII exposure, OPSEC concern, CUI violation, Unauthorized disclosure, and Other. Updated across model, API tests, webapp tests, and e2e tests. Co-authored-by: Cursor <cursoragent@cursor.com> * Adding a string missing from bad merge * Update remaining flagged terminology and icon for data spillage rename - Change post menu icon from flag-outline to alert-outline - Update reviewer notification: "quarantined" -> "submitted" a message - Update action notifications: "flagged message" -> "quarantined message" - Update modal errors: "flagging" -> "quarantining" this message - Update report title: "flagged" -> "submitted" a message for review - Update e2e page object locator for renamed menu item Made-with: Cursor * Fix tests * Fix quarantine icon alignment in post dot menu Use AlertOutlineIcon React component with size={18} instead of raw <i> tag to match the sizing of all other menu item icons. Made-with: Cursor * Fixed E2E tests * Missing test fix * Fix E2E tests --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-06 21:15:01 -05:00
Doug Lauder	e31f471498	MM-67647 Add roles for shared channels management (#35354) ... * Add shared_channel_manager and secure_connection_manager built-in roles Introduce two new delegated admin roles for granular Shared Channels permission management, allowing admins to assign shared channel and secure connection management to specific non-admin users without granting full System Admin or System Manager access. - shared_channel_manager: grants manage_shared_channels permission - secure_connection_manager: grants manage_secure_connections permission Includes server role definitions, app migrations, permissions migrations, System Console UI support, and API permission tests.	2026-03-06 10:51:21 -05:00
Guillermo Vayá	f5fe8ded6b	[MM-67377] Fix (#35336) ... fix MM-67377	2026-03-06 13:39:48 +01:00
Eva Sarafianou	56f51d7df2	Use standard session handler for updateUserAuth endpoint (#35488) ... Change the /api/v4/users/{user_id}/auth endpoint to use APISessionRequired instead of APISessionRequiredTrustRequester. This endpoint is a JSON API called via XHR and does not need the TrustRequester flag which is intended for directly-requested resources like images and file downloads. Made-with: Cursor	2026-03-06 08:14:22 +02:00
Miguel de la Cruz	062abe90bd	Includes deleted remote cluster infos to correctly show shared user information (#35192) ... * Includes deleted remote cluster infos to correctly show shared user information * Addressing review comments --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-04 14:46:10 +01:00
Jesse Hallam	c462720186	[MM-65822] Add directory conflict checks for plugin and import uploads (#34681) ... * [MM-66789] Add directory conflict checks for plugin and import uploads Prevent security issues where plugin uploads could write into the import directory (or subdirectories) and vice versa by adding validation checks at the REST API level when uploading plugins or creating import uploads. * improved handling of root directories --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-03 16:31:05 -04:00
Doug Lauder	8a4632e330	Fix flaky unit tests for TestClientCreateOutgoingOAuthConnection (#35152)	2026-03-01 18:28:42 +01:00
Harshil Sharma	b96f7c1a8d	Content flagging actions implementation tests (#35035) ... * Added tests for TestGetFlaggingConfiguration * added tests for RemoveFlaggedPost * added tests for KeepFlaggedPost * Added tests for scrubPost and keep flagged post APp layer functions * Added tests for DeleteAllForPost * added tests for DeleteAllPostRemindersForPost * Added tests for DataSpillageFooter * Added tests for KeepRemoveFlaggedMessageConfirmationModal * Added tests for KeepRemoveFlaggedMessageConfirmationModal * Fixed lint errors * lint fix * Fixed query param * fixed tests * Used middleware to check for content flagging basic checks * Added TestRequireContentFlaggingEnabled * Updated tests * refactoring to reduce code duplication * review fixes --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-23 06:15:40 +05:30
Nick Misasi	5d3a04760b	[MM-67605] Add DCR redirect URI allowlist for OAuth DCR (#35291) ... * [MM-67605] Add DCR redirect URI allowlist enforcement Introduce ServiceSettings.DCRRedirectURIAllowlist with glob-based validation and enforce it during OAuth dynamic client registration to block unapproved redirect URIs. Add System Console wiring and tests for config validation, wildcard matching semantics, API error behavior, and localhost wildcard support. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix pre-commit checks: TypeScript type assertion, gofmt, and regenerate CI artifacts - admin_definition_dcr_allowlist.test.tsx: Add AdminDefinitionSettingInput type assertion for 'multiple' property - oauth_dcr_test.go: Fix comment spacing (gofmt) - Regenerate mocks, go.sum, gen-serialized, mmctl-docs per CI requirements Co-authored-by: Cursor <cursoragent@cursor.com> * Revert unnecessary pre-commit regenerations Revert mmctl docs, mocks, go.sum, and gen-serialized to master. Keep only the TypeScript and gofmt fixes from the previous commit. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix import order in admin_definition_dcr_allowlist.test.tsx Co-authored-by: Cursor <cursoragent@cursor.com> * Fix i18n * Update server/public/model/oauth_dcr.go Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> * Fix --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-19 01:06:08 +00:00
Felipe Martin	1be8a68dd7	feat: pluginapi: filewillbedownloaded / sendtoastmessage (#34596) ... * feat: filewillbedonwloaded hook * feat: error popup * chore: make generated pluginapi * tests * feat: different errors for different download types * feat: allow toast positions * fix: avoid using deprecated i18n function * feat: add plugin API to show toasts * feat: downloadType parameter * tests: updated tests * chore: make check-style * chore: i18n * chore: missing fields in tests * chore: sorted i18n for webapp * chore: run mmjstool * test: fixed webapp tests with new changes * test: missing mocks * fix: ensure one-file attachments (previews) are handler properly as thumbnails * chore: lint * test: added new logic to tests * chore: lint * Add SendToastMessage API and FileWillBeDownloaded hook - Introduced SendToastMessage method for sending toast notifications to users with customizable options. - Added FileWillBeDownloaded hook to handle file download requests, allowing plugins to control access to files. - Updated related types and constants for file download handling. - Enhanced PluginSettings to include HookTimeoutSeconds for better timeout management. * Update webapp/channels/src/components/single_image_view/single_image_view.tsx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * chore: copilot reviews * test: head requests * chore: linted the webapp * tests: fixed path * test: fixed mocked args * allow sending message to a connection directly * fix: hook thread safety * chore: formatting * chore: remove configuration from system console * chore: release version * chore: update signature * chore: update release version * chore: addressed comments * fix: update file rejection handling to use 403 Forbidden status and include rejection reason header * Fix nil pointer panic in runFileWillBeDownloadedHook The atomic.Value in runFileWillBeDownloadedHook can be nil if no plugins implement the FileWillBeDownloaded hook. This causes a panic when trying to assert the nil interface to string. This fix adds a nil check before the type assertion, defaulting to an empty string (which allows the download) when no hooks have run. Fixes: - TestUploadDataMultipart/success panic - TestUploadDataMultipart/resume_success panic * test: move the logout test last * chore: restored accidential deletion * chore: lint * chore: make generated * refactor: move websocket events to new package * chore: go vet * chore: missing mock * chore: revert incorrect fmt * chore: import ordering * chore: npm i18n-extract * chore: update constants.tsx from master * chore: make i18n-extract * revert: conflict merge * fix: add missing isFileRejected prop to SingleImageView tests * fix: mock fetch in SingleImageView tests for async thumbnail check The component now performs an async fetch to check thumbnail availability before rendering. Tests need to mock fetch and use waitFor to handle the async state updates. * refactor: move hook logic to app layer * chore: update version to 11.5 * Scope file download rejection toast to the requesting connection Thread the Connection-Id header through RunFileWillBeDownloadedHook and sendFileDownloadRejectedEvent so the WebSocket event is sent only to the connection that initiated the download, instead of all connections for the user. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-02-16 17:10:39 +01:00
Pablo Vélez	37a9a30f40	Mm 66813 sso callback metadata (#34955) ... * MM-66813 - Add server origin verification to mobile SSO callbacks * Enhance mobile SSO security and deprecate code-exchange * Update code-exchange deprecation to follow MM standards * Use config SiteURL for srv param, fix flow terminology --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-16 11:07:02 -05:00
Julien Tant	aab258a9f0	MM-66886 Add rate limiting to login endpoint (#34943) ... * MM-66886 Add rate limiting to login endpoint * respect ratelimit settings --------- Co-authored-by: Julien TANT <julientant@Juliens-MacBook-Pro.local> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-13 10:16:24 -08:00
Pablo Vélez	e46bea673d	MM-67312: Restrict Burn-on-Read for self DMs and bot users (#35116) ... * MM-67312: Restrict Burn-on-Read for self DMs and bot users * fix lint issues * use utility function to make code more reliable * add test case for deleted user and handle restrictively that scenario * fix i18n * Allow bots to send BoR; block only self-DMs & DMs with bots * Refactor BoR validation to API layer with individual params * adjust comment * Fix BoR validation to fail-closed when context unavailable * Fix variable shadowing in CreatePost burn-on-read validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * remove translation entry * fix linter --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Claude <noreply@anthropic.com>	2026-02-12 14:10:05 -05:00
Christopher Poile	1ac14a9dfb	[MM-67140] Added session validation on logout (#34959) ... * add authentication status to audit log for logouts * improve audit log testing for other tests --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-10 15:12:14 -05:00
Ben Schumacher	cbc9406815	[MM-67114] Add mmctl license get command (#34878) ... Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-10 08:26:59 +01:00
Alejandro García Montoro	139ff4ded2	Fix permissions in GetGroupsByNames (#35119) ... The reliance on ViewUsersRestrictions was causing a SQL bug, since the original query did not join with the Users table. Instead, use model.GroupSearchOpts to rely on AllowReference, which should be used to filter the results in all cases, except when the user is a sysadmin (has the PermissionSysconsoleReadUserManagementGroups permission). Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-09 10:13:48 +00:00
David Krauser	1cfe3d92b6	[MM-66836] Integrate PropertyAccessService into API and app layers (#34818) ... Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations. Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.	2026-02-06 18:06:51 -05:00
Daniel Espino García	2bd29c0359	Add the ability to patch channel autotranslations (#35078) ... * Add the ability to patch channel autotranslations * Fix lint * Update docs * Fix CI * Fix CI * Fix mmctl test * Check whether the channel is translated for the user when checking user enabled * Fix wrong uses of patch acrros e2e and frontend * Fix test * Fix wording * Fix tests and column name * Move group constrained test so they don't mess with the basic entities * Fix patch sending too much information	2026-02-06 18:19:06 +01:00
Ibrahim Serdar Acikgoz	197fa160b4	[MM-67126] harden checks (#35171)	2026-02-05 21:48:36 +01:00
Daniel Espino García	1273632d1a	Add endpoint to update channel member autotranslations (#35072) ... * Add endpoint to update channel member autotranslations * Add several improvements and remove unneeded functions * Add user id to audit record * Ensure autotranslation is defined * Update texts * Fix merge * Add new column for channel member autotranslations (#35111) * Minor renamings --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Cooke <benkcooke@gmail.com>	2026-02-05 13:43:50 +01:00
Jesse Hallam	70a50edcf2	[MM-67021] Fix 500 errors on check-cws-connection in non-Cloud environments (#34786) ... * Fix 500 errors on check-cws-connection in non-Cloud environments The check-cws-connection endpoint was returning 500 errors in self-hosted enterprise environments because: 1. The client only checked BuildEnterpriseReady before making the request, which is true for all enterprise builds 2. The server handler didn't check for a Cloud license before attempting to connect to CWS 3. The CWS URL is not configured in non-Cloud environments, causing the connection check to fail This fix: - Server: Add IsCloud() license check to match other cloud endpoints, returning 403 instead of 500 for non-Cloud licenses - Client: Add Cloud license check to skip the request entirely in non-Cloud environments * Add unit tests for check-cws-connection license check * Return JSON status from check-cws-connection endpoint Change the check-cws-connection endpoint to return 200 with a JSON body containing status (available/unavailable) instead of using HTTP error codes. This allows the endpoint to be used for air-gap detection on self-hosted instances, not just Cloud deployments. * i18n --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-02-02 13:41:14 +00:00