1104 commits

Author	SHA1	Message	Date
Pavel Zeman	6fdef8c9cc	ci: enable fullyparallel mode for server tests (#35816) ... * ci: enable fullyparallel mode for server tests Replace os.Setenv, os.Chdir, and global state mutations with parallel-safe alternatives (t.Setenv, t.Chdir, test hooks) across 37 files. Refactor GetLogRootPath and MM_INSTALL_TYPE to use package-level test hooks instead of environment variables. This enables gotestsum --fullparallel, allowing all test packages to run with maximum parallelism within each shard. Co-authored-by: Claude <claude@anthropic.com> * ci: split fullyparallel from continue-on-error in workflow template - Add new boolean input 'allow-failure' separate from 'fullyparallel' - Change continue-on-error to use allow-failure instead of fullyparallel - Update server-ci.yml to pass allow-failure: true for test coverage job - Allows independent control of parallel execution and failure tolerance Co-authored-by: Claude <claude@anthropic.com> * fix: protect TestOverrideLogRootPath with sync.Mutex for parallel tests - Replace global var TestOverrideLogRootPath with mutex-protected functions - Add SetTestOverrideLogRootPath() and getTestOverrideLogRootPath() functions - Update GetLogRootPath() to use thread-safe getter - Update all test files to use SetTestOverrideLogRootPath() with t.Cleanup() - Fixes race condition when running tests with t.Parallel() Co-authored-by: Claude <claude@anthropic.com> * fix: configure audit settings before server setup in tests - Move ExperimentalAuditSettings from UpdateConfig() to config defaults - Pass audit config via app.Config() option in SetupWithServerOptions() - Fixes audit test setup ordering to configure BEFORE server initialization - Resolves CodeRabbit's audit config timing issue in api4 tests Co-authored-by: Claude <claude@anthropic.com> * fix: implement SetTestOverrideLogRootPath mutex in logger.go The previous commit updated test callers to use SetTestOverrideLogRootPath() but didn't actually create the function in config/logger.go, causing build failures across all CI shards. This commit: - Replaces the exported var TestOverrideLogRootPath with mutex-protected unexported state (testOverrideLogRootPath + testOverrideLogRootMu) - Adds exported SetTestOverrideLogRootPath() setter - Adds unexported getTestOverrideLogRootPath() getter - Updates GetLogRootPath() to use the thread-safe getter - Fixes log_test.go callers that were missed in the previous commit Co-authored-by: Claude <claude@anthropic.com> * fix(test): use SetupConfig for access_control feature flag registration InitAccessControlPolicy() checks FeatureFlags.AttributeBasedAccessControl at route registration time during server startup. Setting the flag via UpdateConfig after Setup() is too late — routes are never registered and API calls return 404. Use SetupConfig() to pass the feature flag in the initial config before server startup, ensuring routes are properly registered. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore BurnOnRead flag state in TestRevealPost subtest The 'feature not enabled' subtest disables BurnOnRead without restoring it via t.Cleanup. Subsequent subtests inherit the disabled state, which can cause 501 errors when they expect the feature to be available. Add t.Cleanup to restore FeatureFlags.BurnOnRead = true after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore EnableSharedChannelsMemberSync flag via t.Cleanup The test disables EnableSharedChannelsMemberSync without restoring it. If the subtest exits early (e.g., require failure), later sibling subtests inherit a disabled flag and become flaky. Add t.Cleanup to restore the flag after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * Fix test parallelism: use instance-scoped overrides and init-time audit config Replace package-level test globals (TestOverrideInstallType, SetTestOverrideLogRootPath) with fields on PlatformService so each test gets its own instance without process-wide mutation. Fix three audit tests (TestUserLoginAudit, TestLogoutAuditAuthStatus, TestUpdatePasswordAudit) that configured the audit logger after server init — the audit logger only reads config at startup, so pass audit settings via app.Config() at init time instead. Also revert the Go 1.24.13 downgrade and bump mattermost-govet to v2.0.2 for Go 1.25.8 compatibility. * Fix audit unit tests * Fix MMCLOUDURL unit tests * Fixed unit tests using MM_NOTIFY_ADMIN_COOL_OFF_DAYS * Make app migrations idempotent for parallel test safety Change System().Save() to System().SaveOrUpdate() in all migration completion markers. When two parallel tests share a database pool entry, both may race through the check-then-insert migration pattern. Save() causes a duplicate key fatal crash; SaveOrUpdate() makes the second write a harmless no-op. * test: address review feedback on fullyparallel PR - Use SetLogRootPathOverride() setter instead of direct field access in platform/support_packet_test.go and platform/log_test.go (pvev) - Restore TestGetLogRootPath in config/logger_test.go to keep MM_LOG_PATH env var coverage; test uses t.Setenv so it runs serially which is fine (pvev) - Fix misleading comment in config_test.go: code uses t.Setenv, not os.Setenv (jgheithcock) Co-authored-by: Claude <claude@anthropic.com> * fix: add missing os import in post_test.go The os import was dropped during a merge conflict resolution while burn-on-read shared channel tests from master still use os.Setenv. Co-authored-by: Claude <claude@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com> Co-authored-by: wiggin77 <wiggin77@warpmail.net> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-08 20:48:36 -04:00
Jesse Hallam	71ca373de7	Generate instead of hard-coding test passwords, enforce new minimum for FIPS, shard CI, fix FIPS builds (#35905) ... * Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>	2026-04-08 16:49:43 -03:00
Doug Lauder	5b76fb11a5	MM-67647: Rename shared_channel_manager roles to follow system_ prefix convention (#35944) ... * Rename shared_channel_manager and secure_connection_manager roles to use system_ prefix The new roles added in PR #35354 broke the naming convention that all system-level roles stored in Users.Roles are prefixed with "system_". Client-side code (role.includes('system')) and server-side code (explicit switch cases in applyMultiRoleFilters) relied on this convention, causing users assigned to these roles to not appear in the System Console. Also adds both roles to the applyMultiRoleFilters switch statement in user_store.go, which was missing them entirely.	2026-04-08 08:01:33 -04:00
Doug Lauder	540ccc599b	MM-68179: Run sendLoop workers on all HA nodes (#35909) ... * MM-68179: Run sendLoop workers on all HA nodes In HA clusters, sendLoop worker goroutines only ran on the leader node. When an API request to send a channel invite landed on a non-leader node, SendMsg enqueued the task to a local in-memory channel but no goroutine consumed it, silently losing the message. Fix by starting sendLoop workers in Start() on all nodes, independent of the leader-only ping lifecycle. - Separate sendLoop lifecycle (Start/Shutdown) from ping lifecycle (pingStart/pingStop on leader change) - Rename resume/pause to pingStart/pingStop for clarity - Change Active() to mean "service started" via atomic.Bool - Remove SetActive (no longer needed; tests use Start()) * address review comment * Added idempotency guard to Start() * Start() and Shutdown(): CompareAndSwap instead of Load/Store — eliminates races where concurrent calls could both proceed. Only the winner of the CAS executes; the loser returns nil immediately. Ping test: replaced time.Sleep with assert.Never/assert.Eventually — no more brittle fixed sleeps. Uses assert.Never to verify no pings fire on non-leader, and assert.Eventually to verify pings stop after losing leadership (snapshot-then-compare pattern). * make unit tests parallel capable --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-07 18:49:54 +02:00
Andre Vasconcelos	faa7d75b4e	Improved processing of attachments (#35854)	2026-04-07 13:25:38 +03:00
Harshil Sharma	ad35eba60b	Added nil checks (#35755) ... * Added nil checks * Added test for DM and GM * Updated operation order	2026-04-06 08:47:24 +05:30
Jesse Hallam	f6d5d9e1bc	[MM-67859] Update license renewal and expiry email branding (#35701)	2026-04-04 20:30:36 -03:00
yy	38e26fbd2d	chore: fix typos in comments (#34960) ... Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-03 13:43:25 +00:00
Christopher Speller	9b01e406f4	Move password hashers from server/v8 to server/public to fix module layering violation (#35805)a ... * Move password hashers from server/v8 to server/public to fix layering violation * Revert "Move password hashers from server/v8 to server/public to fix layering violation" This reverts commit 8cad5b8dc9. * invert dependency between hashers and model * make modules-tidy --------- Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-01 15:20:12 +00:00
Ibrahim Serdar Acikgoz	d00125121e	disable burn on read posts on shared channels (#35460)	2026-04-01 11:30:35 +02:00
Nick Misasi	f4d1abe7e8	MM-68140: Validate post read access before rewrite thread context (#35864) ... Ensure thread context for message rewrite is only built when the session may read the anchor post, and surface context build failures to the client. Made-with: Cursor	2026-04-01 02:07:45 -07:00
Pavel Zeman	3e2c3f70c2	fix: prevent sql.DB connectionCleaner race and harden flaky tests (#35891) ... * fix: prevent sql.DB connectionCleaner race with testify mock diffing The previous fix (#35881) moved store.Close()/th.Shutdown() before AssertExpectations, but the race actually occurs earlier — during mock.Called() when RegisterDBCollector fires inside initConnection. Root cause: testify's Arguments.Diff() unconditionally calls fmt.Sprintf("%v", *sql.DB) on every recorded argument (mock.go:976), which uses reflect to read sql.DB internal fields. The connectionCleaner goroutine concurrently writes to those same fields, triggering a DATA RACE under Go 1.25's stricter race detector. Fix: Set ConnMaxLifetimeMilliseconds=0 and ConnMaxIdleTimeMilliseconds=0 in test SqlSettings before initConnection. This prevents the connectionCleaner goroutine from starting at all — no concurrent writer means no race. Connection pool cleanup serves no purpose in tests. For store_test.go: settings are set directly before SqlStore creation. For platform tests: settings are set in setupTestHelper's config before sqlstore.New() is called via platform.New(). Co-authored-by: Claude <claude@anthropic.com> * fix: harden flaky TestScheduleOnceSequential and TestGroupStore tests TestScheduleOnceSequential: Replace fixed 300ms sleep with require.Eventually polling (5s timeout, 50ms interval). Under the race detector, execution is significantly slower and 25+ scheduled jobs may not complete within a fixed 300ms window. TestGroupStore/GetGroups: Use unique uid-prefixed display names for test groups to avoid collisions with groups created by other parallel subtests sharing the same database. Search queries and result checks updated to use the uid prefix. Co-authored-by: Claude <claude@anthropic.com> * fix: address CodeRabbit review feedback - Restore mixed-case search coverage in TestGroupStore by using mixed-case query strings (uid + "-GrOuP-3") to verify case-insensitive matching behavior. - Strengthen exactly-once validation in TestScheduleOnceSequential by checking callback count == 1 instead of > 0, ensuring duplicate executions are caught. Co-authored-by: Claude <claude@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com>	2026-03-31 16:58:09 -04:00
Pavel Zeman	4b8a4ae2b3	fix: resolve DATA RACE in TestReplicaLagQuery, TestInvalidReplicaLagDataSource, and TestMetrics (#35881) ... These three tests have been failing deterministically on every master build since Go 1.25.8 was merged (PR #35817, March 27). The failures only manifest on master because PR CI does not run with the -race flag. ## Root Cause The race is between Go's database/sql connection pool and testify's mock assertion logic: 1. When a *sql.DB connection pool is opened, Go spawns a background connectionCleaner goroutine that periodically runs connectionCleanerRunLocked(), which acquires the DB's internal mutex via atomic.CompareAndSwapInt32. 2. The tests pass a *sql.DB argument to mock expectations via RegisterDBCollector(). When testify's AssertExpectations() runs, it uses reflect to diff the recorded call arguments, which reads the internal fields of the *sql.DB struct (including the mutex state and connection pool fields) via reflect.Value.Int() and reflect.typedmemmove(). 3. Go 1.25 ships a stricter race detector that catches this concurrent read (reflect in the test goroutine) vs write (atomic CAS in the connectionCleaner goroutine) on the same memory. Go 1.24's race detector did not flag this pattern. The race existed latently in the code for a long time. Go 1.25 simply made it detectable. ## Fix Close/shut down the store (and all its background goroutines, including the sql.DB connection cleaner) BEFORE calling AssertExpectations. This ensures there is no concurrent writer when testify uses reflect to inspect the *sql.DB arguments. - TestReplicaLagQuery: move store.Close() before AssertExpectations (was previously deferred, running after AssertExpectations) - TestInvalidReplicaLagDataSource: replace defer store.Close() with explicit store.Close() at end of test - TestMetrics/ensure_advanced_metrics_have_database_metrics: call th.Shutdown(t) before AssertExpectations (Shutdown was previously registered via t.Cleanup, running after the test function returns) Co-authored-by: Claude <claude@anthropic.com>	2026-03-31 11:32:37 -04:00
Doug Lauder	96e4d7a769	MM-68076 Chunk bulk INSERTs to respect PostgreSQL parameter limit (#35767) ... * MM-68076 Chunk bulk INSERTs to respect PostgreSQL 65,535 parameter limit (#35761) PostgreSQL's wire protocol uses a 16-bit integer for parameter count, causing bulk imports to fail when multi-row INSERTs exceed 65,535 parameters. Add a generic chunkSlice helper that splits rows into sub-batches capped at 50,000 parameters, and apply it to saveMultipleMembers (channel), SaveMultipleMembers (team), and SaveMultipleMemberships (thread). Normal operations (< 3,333 rows) remain a single INSERT with negligible overhead. Wrap all chunked INSERT loops in transactions so multi-chunk batches are atomic — previously channel and team member inserts could leave partial data if a later chunk failed. Add threadMembershipSliceColumns helper so thread membership chunk size is derived dynamically. Includes integration tests for multi-chunk insertion and rollback verification for channel members, team members, posts, and groups.	2026-03-30 22:40:40 -04:00
Jesse Hallam	f7f2d944e8	upgrade golangci-lint (#35845)	2026-03-30 13:41:32 -03:00
Nick Misasi	c81d0ddd73	Ability to E2E AI Bridge features + Initial Recaps E2E (#35541) ... * Add shared AI bridge seam Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add AI bridge test helper API Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add AI bridge seam test coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Add Playwright AI bridge recap helpers Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap channel persistence test Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Restore bridge client compatibility shim Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Expand recap card in Playwright spec Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Recaps e2e test coverage (#35543) * Add Recaps Playwright page object Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Expand AI recap Playwright coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Format recap Playwright coverage Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap regeneration test flows Co-authored-by: Nick Misasi <nick13misasi@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> * Fix AI bridge lint and OpenAPI docs Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix recap lint shadowing Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Stabilize failed recap regeneration spec Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fill AI bridge i18n strings Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix i18n * Add service completion bridge path and operation tracking fields Extend AgentsBridge with CompleteService for service-based completions, add ClientOperation/OperationSubType tracking to BridgeCompletionRequest, and propagate operation metadata through to the bridge client. Made-with: Cursor * Fill empty i18n translation strings for enterprise keys The previous "Fix i18n" commit added 145 i18n entries with empty translation strings, causing the i18n check to fail in CI. Fill in all translations based on the corresponding error messages in the enterprise and server source code. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix i18n * Fix i18n again * Rename Complete/CompleteService to AgentCompletion/ServiceCompletion Align the AgentsBridge interface method names with the underlying bridge client methods they delegate to (AgentCompletion, ServiceCompletion). Made-with: Cursor * Refactor * Add e2eAgentsBridge implementation The new file was missed from the prior refactor commit. Made-with: Cursor * Address CodeRabbit review feedback - Add 400 BadRequest response to AI bridge PUT endpoint OpenAPI spec - Add missing client_operation, operation_sub_type, service_id fields to AIBridgeTestHelperRecordedRequest schema - Deep-clone nested JSON schema values in cloneJSONOutputFormat - Populate ChannelID on recap summary bridge requests - Fix msg_count assertion to mention_count for mark-as-read verification - Make AgentCompletion/ServiceCompletion mutex usage atomic Made-with: Cursor * fix(playwright): align recaps page object with placeholder and channel menu Made-with: Cursor * fix(playwright): update recaps expectEmptyState to match RecapsList empty state After the master merge, the recaps page now renders RecapsList's "You're all caught up" empty state instead of the old placeholder. Made-with: Cursor * chore(playwright): update package-lock.json after npm install Made-with: Cursor * Revert "chore(playwright): update package-lock.json after npm install" This reverts commit 95c670863a. * style(playwright): fix prettier formatting in recaps page object Made-with: Cursor * fix(playwright): handle both recaps empty states correctly The recaps page has two distinct empty states: - Setup placeholder ("Set up your recap") when allRecaps is empty - RecapsList caught-up state ("You're all caught up") when the filtered tab list is empty Split expectEmptyState into expectSetupPlaceholder and expectCaughtUpEmptyState, used by the delete and bridge-unavailable tests respectively. Made-with: Cursor --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 16:20:47 +00:00
Maria A Nunez	ece6b956fa	Add single-channel guest count to support packet stats (#35846) ... Single-channel guests are excluded from billable seat counts for licensing. Include this metric in the support packet so support engineers can understand seat calculation discrepancies. Made-with: Cursor Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-30 11:13:09 -04:00
Carlos Garcia	fd2dd1c618	updated go to version 1.25.8 (#35817) ... * updated go to version 1.25.8 * updated gotestsum version to work with go 1.25.8 go 1.25 does not work with indirect tools 0.11 dependency pulled by gotestsum. * Use sync.WaitGroup.Go to simplify goroutine creation Replace the wg.Add(1) + go func() { defer wg.Done() }() pattern with wg.Go(), which was introduced in Go 1.25. * pushes fips image on workflow dispatch to allow fips test to run on go version update * fix new requirements for FIPS compliance imposed on updating to go 1.25.8 * updates openssl symbol check for library shipped with FIPS new versions go-openssl v2 shipped with FIPS versions starting from 1.25 uses mkcgo to generate bindings causing symbol names to be different. * removes temp workflow-dispatch condition * keep versions out of agents md file	2026-03-27 21:11:52 +01:00
Scott Bishel	30837f7c4e	move error back to logging warning...as caused breaking change (#35841) ... * move error back to logging warning...as caused breaking change * remove unnecessary translation * update test expectations * revert test changes	2026-03-27 11:29:56 -06:00
Miguel de la Cruz	dad9cab483	Add guards to avoid cards being created when the integrated boards feature flag is disabled (#35836)	2026-03-27 08:51:29 -07:00
Miguel de la Cruz	48f2fd0873	Merge the Integrated Boards MVP feature branch (#35796) ... * Add CreatedBy and UpdatedBy to the properties fields and values (#34485) * Add CreatedBy and UpdatedBy to the properties fields and values * Fix types --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds ObjectType to the property fields table (#34908) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Update ObjectType migration setting an empty value and marking the column as not null (#34915) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds uniqueness mechanisms to the property fields (#35058) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Fixing retrylayer mocks * Remove retrylayer duplication * Address review comments * Fix comment to avoid linter issues * Address PR comments * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.down.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update server/channels/db/migrations/postgres/000157_add_object_type_to_property_fields.up.sql Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Update field validation to check only for valid target types * Update migrations to avoid concurrent index creation within a transaction * Update migrations to make all index ops concurrent * Update tests to use valid PSAv2 property fields * Adds a helper for valid PSAv2 TargetTypes --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> * Fix property tests (#35388) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards feature flag (#35378) Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds Integrated Boards MVP API changes (#34822) This PR includes the necessary changes for channels and posts endpoints and adds a set of generic endpoints to retrieve and manage property fields and values following the new Property System approach. Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com> * Property System Architecture permissions for v2 (#35113) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Fix i18n sorting --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Add Views store and app layer (#35361) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor test loops in ViewStore tests for improved readability * change pagination to limit/offset * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * MM-67388, MM-66528, MM-67750: Add View REST API endpoints, websocket events, and sort order (#35442) * Add Views store and app layer for Integrated Boards Implements the View entity (model, SQL store, service, app) as described in the Integrated Boards tech spec. Views are channel-scoped board configurations with typed props (board, kanban subviews) and soft-delete. - public/model: View, ViewBoardProps, Subview, ViewPatch types with PreSave/PreUpdate/IsValid/Patch/Clone/Auditable - Migration 158: Views table with jsonb Props column and indexes - SqlViewStore: CRUD with nil-safe Props marshaling (AppendBinaryFlag) - ViewService: CreateView seeds default kanban subview and links the boards property field; caches boardPropertyFieldID at startup - App layer: CreateView/GetView/GetViewsForChannel/UpdateView/DeleteView with channel-membership permission checks and WebSocket events (view_created, view_updated, view_deleted) - doSetupBoardsPropertyField: registers the Boards property group and board field in NewServer() before ViewService construction - GetFieldByName now returns store.ErrNotFound instead of raw sql.ErrNoRows * Move permission checks out of App layer for views - Remove HasPermissionToChannel calls from all App view methods - Drop userID params from GetView, GetViewsForChannel, UpdateView, DeleteView - Fix doSetupBoardsPropertyField to include required TargetType for PSAv2 field * Make View service generic and enforce board validation in model - Remove board-specific auto-setup from service and server startup - Enforce that board views require Props, at least one subview, and at least one linked property in IsValid() - Move default subview seeding out of app layer; callers must provide valid props - Call PreSave on subviews during PreUpdate to assign IDs to new subviews - Update all tests to reflect the new validation requirements * Restore migrations files to match base branch * Distinguish ErrNotFound from other errors in view store Get * Use CONCURRENTLY and nontransactional for index operations in views migration * Split views index creation into separate nontransactional migrations * Update migrations.list * Update i18n translations for views * Fix makeView helper to include required Props for board view validation * Rename ctx parameter from c to rctx in OAuthProvider mock * Remove views service layer, call store directly from app * Return 500 for unexpected DB errors in GetView, 404 only for not-found * Harden View model: deep-copy Props, validate linked property IDs - Add ViewBoardProps.Clone() to deep-copy LinkedProperties and Subviews - Use it in View.Clone() and View.Patch() to prevent shared-slice aliasing - Iterate over LinkedProperties in View.IsValid() and reject invalid IDs with a dedicated i18n key - Register ViewStore in storetest AssertExpectations so mock expectations are enforced - Add tests covering all new behaviours * Restore autotranslation worker_stopped i18n translation * Fix view store test IDs and improve error handling in app layer - Use model.NewId() for linked property IDs in testUpdateView to fix validation failure (IsValid rejects non-UUID strings) - Fix import grouping in app/view.go (stdlib imports in one block) - Return 404 instead of 500 when Update/Delete store calls return ErrNotFound (e.g. concurrent deletion TOCTOU race) * Add View store mock to retrylayer test genStore helper The View store was added to the store interface but the genStore() helper in retrylayer_test.go was not updated, causing TestRetry to panic. Also removes the duplicate Recap mock registration. * Refactor view deletion and websocket event handling; update SQL store methods to use query builder * revert property field store * Add View API endpoints with OpenAPI spec, client methods, and i18n Implement REST API for channel views (board-type) behind the IntegratedBoards feature flag. Adds CRUD endpoints under /api/v4/channels/{channel_id}/views with permission checks matching the channel bookmark pattern. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove useless migrations * Add cursor-based pagination to View store GetForChannel - Add ViewQueryCursor and ViewQueryOpts types with validation - Return (views, cursor, error) for caller-driven pagination - PerPage clamping: <=0 defaults to 20, >200 clamps to 200 - Support IncludeDeleted filter - Add comprehensive store tests for pagination, cursor edge cases, PerPage clamping, and invalid input rejection - Add app layer test for empty channelID → 400 - Update interface, retrylayer, timerlayer, and mock signatures Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add cursor-based pagination to View API for channel views * Enhance cursor handling in getViewsForChannel and update tests for pagination * Refactor test loops in ViewStore tests for improved readability * Refactor loop in TestGetViewsForChannel for improved readability * change pagination to limit/offset * switch to limit/offset pagination * Add upper-bound limits on View Subviews and LinkedProperties Defense-in-depth validation: cap Subviews at 50 and LinkedProperties at 500 to prevent abuse below the 300KB payload limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add view sort order API endpoint Add POST /api/v4/channels/{channel_id}/views/{view_id}/sort_order endpoint following the channel bookmarks reorder pattern. Includes store, app, and API layers with full test coverage at each layer. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add connectionId to view WebSocket events and sort_order API spec Thread connectionId from request header through all view handlers (create, update, delete, sort_order) to WebSocket events, matching the channel bookmarks pattern. Add sort_order endpoint to OpenAPI spec. Update minimum server version to 11.6. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove duplicate View/ViewPatch definitions from definitions.yaml The merge from integrated-boards-mvp introduced duplicate View and ViewPatch schema definitions that were already defined earlier in the file with more detail (including ViewBoardProps ref and enums). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update minimum server version to 11.6 in views API spec Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add missing translations for view sort order error messages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Merge integrated-boards-mvp into ibmvp_api-views; remove spec files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix flaky TestViewStore timestamp test on CI Add sleep before UpdateSortOrder to ensure timestamps differ, preventing same-millisecond comparisons on fast CI machines. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * remove duplicate views.yaml imclude * Use c.boolString() for include_deleted query param in GetViewsForChannel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix views.yaml sort order schema: use integer type and require body Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Refactor view sort order tests to use named IDs instead of array indices Extract idA/idB/idC from views slice and add BEFORE/AFTER comments to make stateful subtest ordering easier to follow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Return 404 instead of 403 for view operations on deleted channels Deleted channels should appear non-existent to callers rather than revealing their existence via a 403. Detailed error text explains the context for debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * add missing channel deleteat checks * Use c.Params.Page instead of manual page query param parsing in getViewsForChannel c.Params already validates and defaults page/per_page, so the manual parsing was redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add support for total count in views retrieval * Add tests for handling deleted views in GetViewsForChannel and GetView * Short-circuit negative newIndex in UpdateSortOrder before opening transaction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add per-channel limit on views to bound UpdateSortOrder cost Without a cap, unbounded view creation makes sort-order updates increasingly expensive (CASE WHEN per view, row locks). Adds MaxViewsPerChannel=50 constant and enforces it in the app layer before saving. Includes API and app layer tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Remove include_deleted support from views API Soft-deleted views are structural metadata with low risk, but no other similar endpoint (e.g. channel bookmarks) exposes deleted records without an admin gate. Rather than adding an admin-only permission check for consistency, remove the feature entirely since there is no current use case. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update view permissions to require `create_post` instead of channel management permissions * Remove obsolete view management error messages for direct and group messages --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * feat(migrations): add user tracking and object type to property fields - Introduced user tracking columns (CreatedBy, UpdatedBy) to PropertyFields and PropertyValues. - Added ObjectType column to PropertyFields with associated unique indexes for legacy and typed properties. - Created new migration scripts for adding and dropping these features, including necessary indexes for data integrity. - Established views for managing property fields with new attributes. This update enhances the schema to support better tracking and categorization of property fields. * Add Property System Architecture v2 API endpoints (#35583) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Require target_type filter when searching property fields * Add objectType validation as part of field.IsValid() * Fix linter * Fix test with bad objecttpye * Fix test grouping --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * MM-67968: Flatten view model — remove icon, subviews, typed board props (#35726) * feat(views): flatten view model by removing icon, subview, and board props Simplifies the View data model as part of MM-67968: removes Icon, Subview, and ViewBoardProps types; renames ViewTypeBoard to ViewTypeKanban; replaces typed Props with StringInterface (map[string]any); adds migration 000167 to drop the Icon column from the Views table. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * feat(api): update views OpenAPI spec to reflect flattened model Removes ViewBoardProps, Subview, and icon from the View and ViewPatch schemas. Changes type enum from board to kanban. Replaces typed props with a free-form StringInterface object. Aligns with MM-67968. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * refactor(views): simplify store by dropping dbView and marshalViewProps StringInterface already implements driver.Valuer and sql.Scanner, so the manual JSON marshal/unmarshal and the dbView intermediate struct were redundant. model.View now scans directly from the database. Also removes the dead ViewMaxLinkedProperties constant and wraps the Commit() error in UpdateSortOrder. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(api): allow arbitrary JSON in view props OpenAPI schema The props field was restricted to string values via additionalProperties: { type: string }, conflicting with the Go model's StringInterface (map[string]any). Changed to additionalProperties: true in View, ViewPatch, and inline POST schemas. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * Adds basic implementation of the generic redux store for PSAv2 (#35512) * Adds basic implementation of the generic redux store for PSAv2 * Add created_by and updated_by to the test fixtures * Make target_id, target_type and object_type mandatory * Wrap getPropertyFieldsByIds and getPropertyValuesForTargetByFieldIds with createSelector * Address PR comments --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * Adds websocket messages for the PSAv2 API events (#35696) * Adds uniqueness mechanisms to the property fields After adding ObjectType, this commit ensures that both the PSAv1 and PSAv2 schemas are supported, and enforces property uniqueness through both database indexes and a logical check when creating new property fields. * Adds uniqueness check to property updates Updates are covered on this commit and we refactor as well the SQL code to use the squirrel builder and work better with the conditional addition of the `existingID` piece of the query. * Add translations to error messages * Add the permissions to the migrations, model and update the store calls * Adds the property field and property group app layer * Adds authorization helpers for property fields and values * Make sure that users cannot lock themselves out of property fields * Migrate permissions from a JSON column to three normalized columns * Remove the audit comment * Use target level constants in authorization * Log authorization membership failures * Rename admin to sysadmin * Adds the Property System Architecture v2 API endpoints * Adds permission checks to the create field endpoint * Add target access checks to value endpoints * Add default branches for object_type and target_type and extra guards for cursor client4 methods * Fix vet API mismatch * Fix error checks * Fix linter * Add merge semantics for property patch logic and API endpoint * Fix i18n * Fix duplicated patch elements and early return on bad cursor * Update docs to use enums * Fix i18n sorting * Update app layer to return model.AppError * Adds a limit to the number of property values that can be patched in the same request * Adds websocket messages for the PSAv2 API events * Add IsPSAv2 helper to the property field for clarity * Add guard against nil returns on field deletion * Add docs to the websocket endpoints --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> * migrations: consolidate views migrations and reorder after master - Merged 000165 (create Views) with 000167 (drop Icon) since Icon was never needed - Renumbered branch migrations 159-166 → 160-167 so master's 000159 (deduplicate_policy_names) runs first - Regenerated migrations.list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add API endpoint to retrieve posts for a specific view (#35604) Automatic Merge * Apply fixes after merge * Return a more specific error from getting multiple fields * Prevent getting broadcast params on field deletion if not needed * Remove duplicated migration code * Update property conflict code to always use master * Adds nil guard when iterating on property fields * Check that permission level is valid before getting rejected by the database * Validate correctness on TargetID for PSAv2 fields * Avoid PSAv1 using permissions or protected * Fix test data after validation change * Fix flaky search test * Adds more posts for filter use cases to properly test exclusions --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> Co-authored-by: Julien Tant <julien@craftyx.fr> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Julien Tant <785518+JulienTant@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-27 10:36:35 +01:00
Adam Schildkraut	656a0248eb	Fix datetime MinDate/MaxDate validation and add sub-day relative patterns (#35327) ... * Add H/M/S sub-day units to validateRelativePattern * Fix datetime MinDate/MaxDate to use validateDateTimeFormat * Add H/M/S sub-day resolution to resolveRelativeDateToMoment * Add minDateTime/maxDateTime props to DateTimeInput * Wire min_date/max_date resolution in AppsFormDateTimeField * Align client relative pattern bounds with server validation * Fix allowPastDates when minDateTime is in the past	2026-03-26 17:19:15 -06:00
Miguel de la Cruz	58dd9e1bb4	Add property system app layer architecture (#35157) ... * Refactor property system with app layer routing and access control separation Establish the app layer as the primary entry point for property operations with intelligent routing based on group type. This architecture separates access-controlled operations (CPA groups) from standard operations, improving performance and code clarity. Architecture Changes: - App layer now routes operations based on group type: - CPA groups -> PropertyAccessService (enforces access control) - Non-CPA groups -> PropertyService (direct, no access control) - PropertyAccessService simplified to handle only CPA operations - Eliminated redundant group type checks throughout the codebase * Move access control routing into PropertyService This change makes the PropertyService the main entrypoint for property related operations, and adds a routing mechanism to decide if extra behaviors or checks should run for each operation, in this case, the property access service logic. To add specific payloads that pluggable checks and operations may need, we use the request context. When the request comes from the API, the endpoints are in charge of adding the caller ID to the payload, and in the case of the plugin API, on receiving a request, the server automatically tags the context with the plugin ID so the property service can react accordingly. Finally, the new design enforces all these checks migrating the actual property logic to internal, non-exposed methods, so any caller from the App layer needs to go through the service checks that decide if pluggable logic is needed, avoiding any possibility of a bypass. * Fix i18n * Fix bad error string * Added nil guards to property methods * Add check for multiple group IDs on value operations * Add nil guard to the plugin checker * Fix build error * Update value tests * Fix linter * Adds early return when content flaggin a thread with no replies * Fix mocks * Clean the state of plugin property tests before each run * Do not wrap appErr on API response and fix i18n * Fix create property field test * Remove the need to cache cpaGroupID as part of the property service * Split the property.go file into multiple * Not found group doesn't bypass access control check * Unexport SetPluginCheckerForTests * Rename plugin context getter to be more PSA specific --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-03-26 07:54:50 +00:00
Christopher Poile	e738016c59	[MM-67143] Fix for custom slash command response URL (#34922) ... * require siteURL for external-facing slash cmds, use that as host * warn when rewriting the SiteURL of a custom slash command; test	2026-03-25 12:06:34 -04:00
Alejandro García Montoro	4f16a29cb5	MM-67793: Remove dependency on blang/semver/v4 (#35742) ... * Remove dependency on blang/semver/v4 Instead, consolidate on the usage of Masterminds/semver/v3 * Remove empty line * make modules-tidy	2026-03-25 13:41:33 +00:00
Doug Lauder	7d6d834f1f	MM-68016, MM-68017, MM-68018 Add plugin pre-hooks for membership and channel archive (#35731) ... * MM-68016, MM-68017, MM-68018 Add plugin pre-hooks for channel member add, team member add, and channel archive Enable plugins to intercept and reject (or modify) three operations before they are persisted: adding a channel member, adding a team member, and archiving a channel. These are the three high-priority hooks from epic MM-68003.	2026-03-25 08:45:17 -04:00
Pavel Zeman	f04c3f0071	Fix nil pointer dereference in UpdateUser (MATTERMOST-SERVER-VF) (#35717) ... * Fix nil pointer dereference in UpdateUser after store update Add nil check on userUpdate result from userService.UpdateUser to prevent panic when the store returns nil unexpectedly. This fixes a nil pointer dereference that occurs when accessing userUpdate.New after the store update call. Sentry: MATTERMOST-SERVER-VF (14 events) Co-authored-by: Claude <claude@anthropic.com> * Add unit test for nil userUpdate guard in UpdateUser Test verifies that when the store returns (nil, nil) from Update, the app layer returns an appropriate error instead of panicking with a nil pointer dereference. Co-authored-by: Claude <claude@anthropic.com> * fix: gofmt user_test.go Co-authored-by: Claude <claude@anthropic.com> * fix: split nil checks per review feedback, add parallel test execution Separate userUpdate==nil from userUpdate.New==nil with distinct error detail strings for easier debugging. Add mainHelper.Parallel(t) to test for consistency with other mock-based tests. Addresses review feedback from @JulienTant and @coderabbitai. Co-authored-by: Claude <claude@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com>	2026-03-23 16:48:22 -04:00
Doug Lauder	f0b2a36dbc	MM-67616: Refactor shared channel membership sync to use ChannelMemberHistory (#35619) ... * Refactor shared channel membership sync to use ChannelMemberHistory (MM-67616) Replace the trigger-time membership sync mechanism with a cursor-based approach using ChannelMemberHistory, aligning membership sync with the established pattern used by posts and reactions. Previously, membership changes were built into SyncMsg at trigger time and sent via a separate TopicChannelMembership code path. This meant removals were lost if a remote was offline, since ChannelMembers hard-deletes rows. Now, membership changes are fetched from ChannelMemberHistory at sync time using the LastMembersSyncAt cursor, detecting both joins and leaves reliably. The data flows through the normal syncForRemote pipeline alongside posts, reactions, and other sync data. Key changes: - Add GetMembershipChanges store method for ChannelMemberHistory - Add fetchMembershipsForSync and sendMembershipSyncData to sync pipeline - Replace HandleMembershipChange with NotifyMembershipChanged (trigger-only) - Remove conflict detection (idempotent add/remove resolves naturally) - Remove per-user membership tracking (GetUserChanges, UpdateUserLastMembershipSyncAt) - Add MembershipErrors to SyncResponse - Keep TopicChannelMembership receiver for one release cycle (backward compat)	2026-03-23 10:12:17 -04:00
Harrison Healey	8740152df7	MM-66944 Change PlatformService.IsLeader to always be true when license doesn't support clustering (#35577) ... * MM-66944 Change PlatformService.IsLeader to always be true when license doesn't support clustering * Address feedback * Add thorough null-checking for license	2026-03-20 11:15:16 -04:00
Patel Parthkumar	92533c44c1	Fix EXIF profile picture orientation bug (#34275) (#35594) ... * Fix EXIF profile picture orientation bug (#34275) * Test AdustProfileImage with rotated PNG assets This commit adds two test assets: - quadrants-orientation-1.png - quadrants-orientation-8.png Both represent the exact same image: a 128x128 image with four differently coloured 64x64 quadrants. Clockwise, starting from the top-left: green, white, blue and red [G][W] [R][B] quadrants-orientation-1.png has an EXIF rotation tag of 1, meaning that its data is already correctly rotated. quadrants-orientation-8.png has an EXIF rotation tag of 8, meaning that the data in the file is rotated 90° clockwise, and an inverse rotation needs to be applied to render it correctly. Rendering the raw data would show the following: [R][G] [B][W] That rotation is what we test in the new TestAdjustProfileImage sub-test, which calls AdjustImage in both PNGs and make a byte-to-byte comparison of the result, which is expected to be equal. * Fix imports --------- Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>	2026-03-19 15:46:21 +00:00
Ben Schumacher	76b8e3f5f7	[MM-66838] Update throttled library to v2.15.0 with Go modules support (#34657) ... Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-19 11:36:19 +01:00
Ben Cooke	e9ae890a01	oauth check (#35553)	2026-03-18 13:31:48 -04:00
135yshr	314ed3756a	Fix import failures for Japanese filenames with dakuten on macOS (#35204) ... * 🐛 fix: normalize Unicode filenames in import attachment lookup Fix import failures for files with Japanese dakuten/handakuten characters (e.g., ガ, パ, べ) on macOS. macOS stores filenames in NFD (decomposed) form while Linux/Windows use NFC (composed) form. This mismatch caused attachment lookup failures when zip filenames and JSONL paths used different normalization forms. Changes: - Add NormalizeFilename utility function using golang.org/x/text/unicode/norm - Normalize filenames when building attachment maps from zip files - Normalize paths when looking up attachments in maps - Apply fixes to both server (import.go) and mmctl (validate.go) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * avoid duplicating normalizeFilename * add coverage for Korean filenames --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-18 12:16:55 +00:00
Miguel de la Cruz	e39be2b7e5	Improves the Property System Architecture groups (#35395) ... * Improves the Property System Architecture groups The group creation for builtin property groups is moved from behaving like a singleton in the app layer (first call creates the group) to register groups and making sure they're present at server startup time. At the same time, it adds a groups cache as a sync map in the property service, to avoid having individual caches per feature as package variables, making the group caching part of the system. * Fix i18n * Fix test and calls after updating the branch * Avoid panics by controlling the errors * Adjust translations after merge --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-16 22:03:43 +01:00
David Krauser	7425c6817b	[MM-67741] Scope role_updated WS events to affected team/channel (#35497) ... With this change, we now scope role_updated websocket events to users that need to receive them. Built-in and unowned role broadcast globally, team-scheme roles emit one event per team using the role, channel-scheme roles emit one event per channel using the role. To efficiently find a role's owning scheme, a schemeid column is added to the roles table. The ID is set when the scheme creates its related roles.	2026-03-16 14:36:55 -04:00
Nick Misasi	0192d529ed	PermissionManageOauth removal impact (#35554) ... * Restore manage oauth permission Co-authored-by: Nick Misasi <nick13misasi@gmail.com> * Fix migration test lint assertion Co-authored-by: Nick Misasi <nick13misasi@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>	2026-03-15 12:05:29 -04:00
Maria A Nunez	2efee7ec28	Add single-channel guests filter and channel count column to System Console Users (#35517) ... * Add single-channel guests filter and channel count column to System Console Users - Add guest_filter query parameter to Reports API with store-level filtering by guest channel membership count (all, single_channel, multi_channel) - Add channel_count field to user report responses and CSV exports - Add grouped guest role filter options in the filter popover - Add toggleable Channel count column to the users table - Add GuestFilter and SearchTerm to Go client GetUsersForReporting - Add tests: API parsing, API integration, app job dedup, webapp utils, E2E column data rendering Made-with: Cursor * Fix gofmt alignment and isolate guest store tests - Align GuestFilter constants to satisfy gofmt - Move guest user/channel setup into a nested sub-test to avoid breaking existing ordering and role filter assertions Made-with: Cursor * Exclude archived channels from guest filter queries and ChannelCount The ChannelMembers subqueries for guest_filter (single/multi channel) and the ChannelCount column did not join with Channels to check DeleteAt = 0. Since channel archival soft-deletes (sets DeleteAt) but leaves ChannelMembers rows intact, archived channel memberships were incorrectly counted, potentially misclassifying guests between single-channel and multi-channel filters and inflating ChannelCount. - Join ChannelMembers with Channels (DeleteAt = 0) in all three subqueries in applyUserReportFilter and GetUserReport - Add store test covering archived channel exclusion - Tighten existing guest filter test assertions with found-flags and exact count checks Made-with: Cursor * Exclude DM/GM from guest channel counts, validate GuestFilter, fix dropdown divider - Scope ChannelCount and guest filter subqueries to Open/Private channel types only (exclude DM and GM), so a guest with one team channel plus a DM is correctly classified as single-channel - Add GuestFilter validation in UserReportOptions.IsValid with AllowedGuestFilters whitelist - Add API test for invalid guest_filter rejection (400) - Add store regression test for DM/GM exclusion - Fix role filter dropdown: hide the divider above the first group heading via CSS rule on DropDown__group:first-child - Update E2E test label to match "Guests in a single channel" wording Made-with: Cursor * Add store test coverage for private and GM channel types Private channels (type P) should be counted in ChannelCount and guest filters, while GM channels (type G) should not. Add a test that creates a guest with memberships in an open channel, a private channel, and a GM, then asserts ChannelCount = 2, multi-channel filter includes the guest, and single-channel filter excludes them. Made-with: Cursor * Add server i18n translation for invalid_guest_filter error The new error ID model.user_report_options.is_valid.invalid_guest_filter was missing from server/i18n/en.json, causing CI to fail. Made-with: Cursor * Make filter dropdown dividers full width Remove the horizontal inset from grouped dropdown separators so the system user role filter dividers span edge to edge across the menu. Leave the unrelated webapp/package-lock.json change uncommitted. Made-with: Cursor * Optimize guest channel report filters. Use per-user channel count subqueries for the single- and multi-channel guest filters so the report avoids aggregating all channel memberships before filtering guests.	2026-03-12 12:50:53 -04:00
Harshil Sharma	52858082fe	Anonymous URLs (#35493) ... * COmposing messages with redacted URLs * Handled non member channels * Some refinements * Optimizations * lint fixes * cleaned up hasObfuscatedSlug test * Fixed a test * Added system console setting * WIP * fixed channel seelection double selection bug * LInt fixes * i18n fixes * fixed test * CI * renamed setting * lint fixes * lint fixes * WIP * Combined TeamSignupDisplayNamePage and TeamUrl component into a single CreateTeamForm component * Converted CreateTeamForm to functional component * Refactored to mnake code cleaner * Handle team creation with setting enabled * Skipped team URL step if secure URL feature is enabled * Managed button text and steps in team creation flow * lint fixes * Don't register team URL path when using secure URL * Display team display name instead of name in system console top nav bar * Fixed tests * Fixed coderabbit issues * Fixed type errors * Optimization * improvements * Handled API errors during team creation when using secure URL setting * Some refinements * Added test * Updaetd tests, and trimming when reading instead of writing * Added tests for new components * Added BackstageNavbar tests * Restored package lock * lint fix * Updaetd plugin API * Updated team creation tests * Added tests for ChannelNameFormField * Added plugin API tests * Updated API terst * Review fixes * Added test for ConvertGmToChannelModal component * Added EA license check for secure urls feature * restored package lock * Fixed GM conversion test * Fixed team creation tests * remove message composition changes * remove message composition changes * remove message composition changes * restored a file * lint fix * renamed feature * used model.SafeDereference * Added E2E tests * add secure URL Playwright coverage Expand the secure URLs Playwright coverage to validate creation, routing, rename flows, system console configuration, and search/navigation behavior while adding the page objects needed to keep the tests maintainable. Made-with: Cursor * rename secure URLs copy to anonymous URLs Align the admin console and Playwright coverage with the Anonymous URLs feature name while preserving the existing UseAnonymousURLs config behavior and validating the renamed test surfaces. Made-with: Cursor * Update team creation CTA for anonymous URLs Show Create in the single-step anonymous URL flow while preserving Next and Finish in the standard team creation flow. Update unit and Playwright coverage to match the revised create-team UX. Made-with: Cursor --------- Co-authored-by: maria.nunez <maria.nunez@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-12 10:32:29 -04:00
Carlos Garcia	3057ae7e83	MM-67646 slack import improvements (#35490) ... * improves logging during slack import * add imported users with no password and force reset flow * use i18n key ids during test	2026-03-11 11:26:50 +01:00
Ben Schumacher	b6e5264731	[MM-67739] Rename SlackAttachment to MessageAttachment across the codebase (#35445) ... Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-10 16:37:21 +01:00
Maria A Nunez	461db71178	Add single-channel guest tracking and reporting (#35451) ... * Add single-channel guest tracking and reporting - Add AnalyticsGetSingleChannelGuestCount store method to count guests in exactly one channel - Exclude single-channel guests from active user seat count in GetServerLimits - Add single-channel guest count to standard analytics response - Add Single-channel Guests card to System Statistics page with overage warning - Add Single-channel guests row to Edition and License page with overage styling - Add dismissible admin-only banner when single-channel guest limit is exceeded - Gate feature behind non-Entry SKU and guest accounts enabled checks - Re-fetch server limits on config changes for reactive UI updates - Fix label alignment in license details panel Made-with: Cursor * Refine single-channel guest tracking - Remove license GuestAccounts feature check from shouldTrackSingleChannelGuests (only config matters) - Re-add getServerLimits calls on page mount for fresh data - Remove config-change reactivity code (componentDidUpdate, useEffect) - Add server i18n translations for error strings - Sync webapp i18n via extract - Add inline comments for business logic - Restore struct field comments in ServerLimits model - Add Playwright E2E tests for single-channel guest feature - Fix label alignment in license details panel Made-with: Cursor * Guests over limit fixes and PR feedback * Fix linter issues and code quality improvements - Use max() builtin to clamp adjusted user count instead of if-statement (modernize linter) - Change banner type from ADVISOR to CRITICAL for proper red color styling Made-with: Cursor * Fix overage warnings incorrectly counting single-channel guests Single-channel guests are free and should not trigger license seat overage warnings. Update all overage checks to use serverLimits.activeUserCount (seat-adjusted, excluding SCG) instead of the raw total_users_count or TOTAL_USERS analytics stat. - UserSeatAlertBanner on License page: use serverLimits.activeUserCount - UserSeatAlertBanner on Site Statistics page: use serverLimits.activeUserCount - ActivatedUserCard display and overage check: use serverLimits.activeUserCount - OverageUsersBanner: use serverLimits.activeUserCount Made-with: Cursor * Use license.Users as fallback for singleChannelGuestLimit before limits load This prevents the SingleChannelGuestsCard from showing a false overage state before serverLimits has been fetched, while still rendering the card immediately on page load. Made-with: Cursor * Fix invite modal overage banner incorrectly counting single-channel guests Made-with: Cursor * Fix invitation modal tests missing limits entity in mock state Made-with: Cursor * Fix tests * Add E2E test for single-channel guest exceeded limit scenario Made-with: Cursor * Fix TypeScript errors in single channel guests E2E test Made-with: Cursor * Fix channel name validation error caused by unawaited async getRandomId() Made-with: Cursor * Add contextual tooltips to stat cards when guest accounts are enabled Made-with: Cursor * Code review feedback: query builder, readability, tooltips, and alignment fixes Made-with: Cursor * Fix license page tooltip alignment, width, and SaveLicense SCG exclusion Made-with: Cursor * Fix banner dismiss, license spacing, and add dismiss test Made-with: Cursor * Exclude DM/GM channels from single-channel guest count and fix E2E tests Filter the AnalyticsGetSingleChannelGuestCount query to only count memberships in public/private channels, excluding DMs and GMs. Update store tests with DM-only, GM-only, and mixed membership cases. Fix E2E overage test to mock the server limits API instead of skipping, and correct banner locator to use data-testid. Made-with: Cursor	2026-03-10 10:31:10 -04:00
Nick Misasi	a81c8c2993	Show priority badges in permalink previews (#35532) ... * Add agent-browser skill * Update AGENTS.CURSOR.md * Add guidance for localization * Fix permalink preview priority badges Co-authored-by: Nick Misasi <nick13misasi@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>	2026-03-10 10:17:59 -04:00
Nick Misasi	e5f4b982e5	Add operation tracking fields to bridge client calls (#35514) ... * Add operation tracking fields to bridge client CompletionRequest calls Populate UserID, Operation, and OperationSubType on CompletionRequest for recaps (SummarizePosts) and message rewrite (RewriteMessage) so token usage logs show correct values instead of defaults. Also bumps mattermost-plugin-ai v1.8.1 → v1.12.0 which adds the Operation/OperationSubType fields to the bridgeclient struct. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address PR feedback: normalize rewrite action and use session-derived userID - post.go: Add normalizeRewriteAction() that validates action against a whitelist of known RewriteAction values, mapping unknown values to "unknown" before assigning to OperationSubType. - summarization.go: Use sessionUserID (derived from rctx.Session().UserId) instead of the userID parameter for tracking, ensuring operation tracking always uses the authenticated session user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-10 06:49:18 -07:00
David Krauser	c0c2ff2ad9	[MM-67314] Fix system bot DM restriction bypass (#35477) ... When TeamSettings.RestrictDirectMessage is set to "team", the system bot could not create DM channels with users on different teams (or no shared team). This broke SendTestMessage, CheckPostReminders, and other background jobs that use an empty session context. The existing bypass in GetOrCreateDirectChannel only covered bots owned by the current session user or a plugin. The system bot is owned by a system admin, so it failed the ownership check and hit the common-team guard. Changes: - Rename IsBotOwnedByCurrentUserOrPlugin to IsBotExemptFromDMRestrictions to better reflect its purpose - Add an explicit system bot exemption (bot.Username == BotSystemBotUsername) as the first check in the function - Add tests covering the system bot exemption with both empty and user sessions	2026-03-09 14:08:30 -04:00
Christopher Poile	2ada8d7659	MM-67540 - Allow searching public channel messages without channel membership (#35298) ... * UpdateByQuery methods for channel_type; rewrite reindexChannelPosts log pre-fetch error in channel Update and upgrade reindexChannelPosts to error level * add backfill orchestration, config listener, webapp toggle changes fix misleading backfill complete log when SaveOrUpdate fails * add integration & unit tests for public channel search and backfill * fix nil pointer dereference on UpdateByQuery response and log partial failures * add tests for compliance mode override and P channel post leakage * update system console snapshots * add instructions to error message * improve compliance-mode test * getAllChannels doesn't filter by O/S, need to do ourselves * in search, load channel info for channels we're not a member of * blank commit -- something is wrong with github, maybe this will help * improve channelType passing; error msg; simplify settings naming * debug logging for timing backfill and channel change; TO BE REVERTED * fix getMissingChannelsFromFiles in search as well * blank commit	2026-03-09 14:07:44 -04:00
Maria A Nunez	f1b9aa052e	Rename Content Flagging to Data Spillage Handling (#35407) ... * Rename Content Flagging to Data Spillage Handling Update all user-facing text to use "Data Spillage Handling" and "Quarantine for Review" terminology. Rename i18n keys that referenced content flagging. Auto-patch bot display name on pre-existing servers. Co-authored-by: Cursor <cursoragent@cursor.com> * Fixed searchable stringgs * Revert unintended package-lock.json changes Co-authored-by: Cursor <cursoragent@cursor.com> * Fix i18n extract check: correct typo and key ordering Fix "posed" -> "posted" typo in keep/remove quarantine modal defaultMessages. Move admin.contentFlagging.title to correct alphabetical position in en.json. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix webapp tests for Data Spillage Handling rename Update test assertions to match renamed i18n strings: notification settings, content reviewers, and additional settings tests now expect the new quarantine terminology. Co-authored-by: Cursor <cursoragent@cursor.com> * Use translatable i18n strings for notification messages Replace hardcoded "flagged for review" notification templates with i18n.T() calls using "quarantined for review" terminology. Add six new server i18n keys for author, reporter, and reviewer notifications. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix server i18n key mismatches and update test assertions Rename remaining app.content_flagging.* keys to app.data_spillage.* in server/i18n/en.json to match Go code references. Fix the quarantine_post_confirmation key name. Update test assertions to match new "quarantined for review" terminology. Co-authored-by: Cursor <cursoragent@cursor.com> * Fix gofmt formatting in content_flagging.go Co-authored-by: Cursor <cursoragent@cursor.com> * Prevent nil bot on PatchBot failure in getContentReviewBot Use a separate variable for PatchBot result so the original bot is preserved if the display name update fails. Co-authored-by: Cursor <cursoragent@cursor.com> * Reorder server i18n keys after extract Run mmgotool i18n extract to sort entries into correct alphabetical order. Co-authored-by: Cursor <cursoragent@cursor.com> * Replace i18n.T() with fmt.Sprintf for notification messages and fix test assertions Use direct string formatting for bot notification messages instead of i18n translation keys, which were being removed by mmgotool i18n extract due to indirect key references. Also update test expectations for renamed error keys (content_flagging -> data_spillage). Co-authored-by: Cursor <cursoragent@cursor.com> * Update default quarantine reasons to DISC-aligned terminology Replace generic content moderation reasons with defense/intelligence sector terminology: Classification mismatch, Need-to-know violation, PII exposure, OPSEC concern, CUI violation, Unauthorized disclosure, and Other. Updated across model, API tests, webapp tests, and e2e tests. Co-authored-by: Cursor <cursoragent@cursor.com> * Adding a string missing from bad merge * Update remaining flagged terminology and icon for data spillage rename - Change post menu icon from flag-outline to alert-outline - Update reviewer notification: "quarantined" -> "submitted" a message - Update action notifications: "flagged message" -> "quarantined message" - Update modal errors: "flagging" -> "quarantining" this message - Update report title: "flagged" -> "submitted" a message for review - Update e2e page object locator for renamed menu item Made-with: Cursor * Fix tests * Fix quarantine icon alignment in post dot menu Use AlertOutlineIcon React component with size={18} instead of raw <i> tag to match the sizing of all other menu item icons. Made-with: Cursor * Fixed E2E tests * Missing test fix * Fix E2E tests --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-06 21:15:01 -05:00
Doug Lauder	e31f471498	MM-67647 Add roles for shared channels management (#35354) ... * Add shared_channel_manager and secure_connection_manager built-in roles Introduce two new delegated admin roles for granular Shared Channels permission management, allowing admins to assign shared channel and secure connection management to specific non-admin users without granting full System Admin or System Manager access. - shared_channel_manager: grants manage_shared_channels permission - secure_connection_manager: grants manage_secure_connections permission Includes server role definitions, app migrations, permissions migrations, System Console UI support, and API permission tests.	2026-03-06 10:51:21 -05:00
Guillermo Vayá	f5fe8ded6b	[MM-67377] Fix (#35336) ... fix MM-67377	2026-03-06 13:39:48 +01:00
edgarbellot	f542d7ca18	[MM-67791] Use atomic token consumption for guest magic links (#35489) ... #### Summary Use the atomic `ConsumeOnce` pattern for guest magic link token consumption, consistent with how SSO code exchange tokens are already handled. #### Ticket Link https://mattermost.atlassian.net/browse/MM-67791 #### Release Note ```release-note Improved token handling in the guest magic link authentication flow. ```	2026-03-06 10:47:55 +01:00
Ben Schumacher	99d119cf85	[MM-66846] Fix missing ES version and plugins in diagnostics (#35475) ... Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 23:55:32 +01:00