673 commits

Author	SHA1	Message	Date
Andre Vasconcelos	13a0d63b3c	MM-67372: Improve link preview metadata handling and filtering (#35178) ... * MM-67372: Filter SVG images from OpenGraph metadata to prevent DoS This commit adds server-side filtering of SVG images from OpenGraph metadata to mitigate a DoS vulnerability where malicious SVG images in og:image tags can crash Chromium-based browsers and Safari. Changes: - Add IsSVGImageURL() helper function in model package to detect SVG URLs - Filter SVG images in parseOpenGraphMetadata() for regular HTML pages - Filter SVG images in parseOpenGraphFromOEmbed() for oEmbed responses - Add defense-in-depth filtering in TruncateOpenGraph() and getImagesForPost() - Add comprehensive tests for all SVG filtering functionality SVG detection is based on: - File extension (.svg, .svgz) - case-insensitive - MIME type (image/svg+xml) Reference: https://issues.chromium.org/issues/40057345 * MM-67372: Filter SVG images from cache/DB and direct SVG URLs This commit addresses remaining attack vectors for the SVG DoS vulnerability: 1. Cache/DB filtering: Apply TruncateOpenGraph when returning OpenGraph from cache or database to filter stale data that was stored before the initial fix was deployed. 2. Direct SVG URLs: Filter PostImage entries with Format="svg" to prevent browser crashes when someone posts a direct link to an SVG file. 3. Embed creation: Skip creating image embeds for SVG images and create link embeds instead. 4. New SVG detection: Return nil instead of creating PostImage when fetching direct SVG URLs to prevent storing them in the database. These changes ensure that even environments with pre-existing malicious link metadata will be protected after a server restart. * MM-67372: Fix test expectation for SVG image handling * Removed duplicate logic in favor of already implemented FilterSVGImages in model * Addressing PR comments * Replacing exact match comparison with prefix check * Added new test cases for unit tests	2026-02-09 16:26:14 +02:00
David Krauser	1cfe3d92b6	[MM-66836] Integrate PropertyAccessService into API and app layers (#34818) ... Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations. Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.	2026-02-06 18:06:51 -05:00
David Krauser	63c3c70fe9	[MM-66836] Add some access control mechanisms with a wrapper around the property service (#34812) ... Custom profile attributes (properties) in Mattermost need to support security-critical use cases like Attribute-Based Access Control (ABAC), external identity system synchronization, and privacy-preserving collaboration. Without access controls on these properties, any user or component could modify property fields and values, making them unsuitable for security decisions. Additionally, different properties require different visibility patterns - some need to be publicly readable, some should only be visible to their managing system, and some require privacy-preserving visibility where users can only see shared values. This change introduces the PropertyAccessService, a wrapper around PropertyService that enforces access control for all property operations. This service is introduced in isolation and is not yet hooked up to the Plugin API, REST API, or app layer. It provides the foundation for a single enforcement point that will apply access restrictions consistently across all code paths once integrated.	2026-02-06 16:21:51 -05:00
David Krauser	9f40d051ee	[MM-66942] Ensure consistent option ID generation across all field creation paths (#34725) ... Option IDs are automatically generated for fields in the REST API, but plugins creating fields directly don't get this behavior. This change makes option ID generation consistent by automatically generating IDs for all select/multiselect options, regardless of whether they're created via REST API or plugin code. The option IDs are generated (if necessary) in the store layer right before saving, which is the same place we generate Field IDs if they don't exist.	2026-02-06 16:19:42 -05:00
Daniel Espino García	2bd29c0359	Add the ability to patch channel autotranslations (#35078) ... * Add the ability to patch channel autotranslations * Fix lint * Update docs * Fix CI * Fix CI * Fix mmctl test * Check whether the channel is translated for the user when checking user enabled * Fix wrong uses of patch acrros e2e and frontend * Fix test * Fix wording * Fix tests and column name * Move group constrained test so they don't mess with the basic entities * Fix patch sending too much information	2026-02-06 18:19:06 +01:00
Daniel Espino García	1273632d1a	Add endpoint to update channel member autotranslations (#35072) ... * Add endpoint to update channel member autotranslations * Add several improvements and remove unneeded functions * Add user id to audit record * Ensure autotranslation is defined * Update texts * Fix merge * Add new column for channel member autotranslations (#35111) * Minor renamings --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Cooke <benkcooke@gmail.com>	2026-02-05 13:43:50 +01:00
unified-ci-app[bot]	030a4e1921	Update latest minor version to 11.5.0 (#35176) ... Automatic Merge	2026-02-04 12:23:27 +02:00
Ben Cooke	36479bd721	Configurable workers and move sweeper job to job infra (#35007)	2026-02-02 15:52:42 -05:00
Nick Misasi	fe4100956c	[MM-66581] Include some thread context in AI Rewrites prompt (#34931) ... * Include last root, and most recent 10 posts in a thread with the rewrite system prompt * Include user's names in the thread context for better reference * Revert package-lock to master * Fix tests	2026-01-30 09:14:06 -05:00
Doug Lauder	7f6a98fd7a	MM-66789 Restrict log downloads to a root path for support packets (#35014) ... * [MM-66789] Fix arbitrary file read vulnerability in advanced logging Add path validation to prevent reading files outside the logging root directory via GetAdvancedLogs (used in support packet generation). Security controls: - Validate file paths are within logging root before reading - Support MM_LOG_PATH environment variable to allow system admins to configure a custom logging root directory - Resolve symlinks to prevent bypass attacks - Detect and block path traversal attempts Also adds: - Audit logging for support packet generation - Config-time validation that logs errors for paths outside logging root (will become blocking in future version) - Comprehensive test coverage for path validation * Update server/channels/app/platform/log_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix linter errors * Update server/channels/api4/system.go Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com> * Simplify unit tests for platform/log_test.go by moving some test logic to config/logger_test.go * Fix unit tests requiring logging root to be set * enforce LogSettings.FileLocation path validation; simplify path checking * fix linter errors * use dir in logging root for all unit test logging * MM_LOG_PATH is set once, centrally, for all tests * fix flaky test * fix flaky test --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>	2026-01-29 13:29:55 -05:00
Ben Cooke	36173a4948	Use one timeout config for requests to translation providers (#34957)	2026-01-29 10:00:22 -05:00
Alejandro García Montoro	2b075c9b74	MM-65970: New way to build routes in Client4 (#34499) ... * Add Client4 route building functions * Make DoAPIRequestWithHeaders add the API URL This makes it consistent with the other DoAPIXYZ functions, which all prepend the provided URL with the client's API URL. * Use the new route building logic in Client4 * Address review comments - clean renamed to cleanSegment - JoinRoutes and JoinSegments joined in Join - newClientRoute uses Join * Fix new routes from merge * Remove unused import * Simplify error handling around clientRoute (#34870) --------- Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Jesse Hallam <jesse.hallam@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-29 14:26:47 +00:00
Scott Bishel	c537b88f93	MM-65023 Add tooltip to actions buttons, display error (#33773) ... * Add tooltip support and error handling for action buttons - Add tooltip field to PostAction type definition - Display tooltips on hover for action buttons - Add comprehensive error handling for button actions - Show error messages when actions fail - Clear previous errors on subsequent actions - Add tests for error handling functionality 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add E2E tests for action button error handling and tooltips - Test error message display when action buttons fail - Test error clearing when successful actions are performed - Test tooltip display on action button hover - Use scoped selectors to avoid test interference - Cover complete error lifecycle and tooltip functionality 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Use WithTooltip component for action button tooltips Replace native HTML title attribute with WithTooltip component to provide consistent tooltip styling and behavior across the application. Changes: - Import and wrap ActionBtn with WithTooltip component - Remove title attribute from ActionBtn - Update E2E test to check for .tooltipContainer instead of title attribute 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix TypeScript errors and test patterns in message attachment tests - Fix TypeScript type errors in mock event objects by using arrow functions instead of jest.fn() - Update async test pattern to use process.nextTick() with done callback instead of await - Update test snapshots to reflect error handling wrapper div - Fix whitespace formatting in E2E test file 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com> * updated actionError to accept react node, replace hardcoded error with FormattedMessage components * Fix test to handle FormattedMessage in actionError state Update test expectation to check for FormattedMessage React element instead of plain string when no error message is provided. This aligns with the recent change to support internationalization in error messages. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com> * Disable tooltip interactions when no tooltip text is present Adds disabled prop to WithTooltip component when action.tooltip is empty or undefined, preventing unnecessary tooltip event handlers from being attached to action buttons that don't have tooltips. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com> * Add tests for action button tooltip behavior Adds three test cases to verify tooltip functionality: - Tooltip is disabled when action.tooltip is undefined - Tooltip is disabled when action.tooltip is empty string - Tooltip is enabled and displays correctly when action.tooltip has a value 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com> * fix e2e test --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-26 20:07:09 -07:00
Ben Cooke	a1c85007e1	Autotranslations MVP (#34696) ... --------- Co-authored-by: Elias Nahum <nahumhbl@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nick Misasi <nick.misasi@mattermost.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Matthew Birtch <mattbirtch@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-26 17:05:34 -05:00
Harrison Healey	777867dc36	Define types for WebSocket messages and migrate WebSocket actions to TS (#34603) ... * Add TS definitions for every WebSocket event * Remove unused WebSocket events * Add a few extra fields to POSTED events * Stop reusing WS event types as Redux actions * Remove now-unused WS event types from mattermost-redux * Rename some types to be clearer * Use new WebSocketEvents and WebSocketMessage type everywhere * Reorganize and export named types for WS messages * Use new types in websocket_actions.jsx the best we can * Rename websocket_actions.jsx to websocket_actions.tsx * Migrate websocket_actions.tsx to TypeScript * Break up websocket_messages.ts and group together WebSocketMessages types * Rename websocket_actions.tsx to websocket_actions.ts	2026-01-23 14:29:40 -05:00
Matthew Birtch	09c4a61fed	[MM-67030] Remove newsletter signup and replace with terms/privacy agreement (#34801) ... * remove newsletter signup and replace with terms/privacy agreement * removed subscribeToSecurityNewsletter, made checkbox required * update signup test to remove newsletter and ensure the terms checkbox is required * update unit test and e2e test to reflect changes * fix e2e test * Removed susbcribe-newsletter endpoint in server * Update signup.test.tsx * remove unused css * remove unused css * fixed broken tests * fixed linter issues * Remove redundant IntlProvider and comments * Remove usage of test IDs from Signup tests * Remove usage of fireEvent * Remove usage of mountWithIntl from Signup tests * update e2e tests * fix playwright test * Fix Lint in signup.ts --------- Co-authored-by: maria.nunez <maria.nunez@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Harrison Healey <harrisonmhealey@gmail.com> Co-authored-by: yasserfaraazkhan <attitude3cena.yf@gmail.com>	2026-01-23 18:24:27 +00:00
Jesse Hallam	41e5c7286b	Remove vestigial MySQL support (#34865) ... * Remove legacy quoteColumnName() utility Since Mattermost only supports PostgreSQL, the quoteColumnName() helper that was designed to handle database-specific column quoting is no longer needed. The function was a no-op that simply returned the column name unchanged. Remove the function from utils.go and update status_store.go to use the "Manual" column name directly. * Remove legacy driver checks from store.go Since Mattermost only supports PostgreSQL, remove conditional checks for different database drivers: - Simplify specialSearchChars() to always return PostgreSQL-compatible chars - Remove driver check from computeBinaryParam() - Remove driver check from computeDefaultTextSearchConfig() - Simplify GetDbVersion() to use PostgreSQL syntax directly - Remove switch statement from ensureMinimumDBVersion() - Remove unused driver parameter from versionString() * Remove MySQL alternatives for batch delete operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific DELETE...LIMIT syntax and keep only the PostgreSQL array-based approach: - reaction_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - file_info_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - preference_store.go: Use PostgreSQL tuple IN subquery for DeleteInvalidVisibleDmsGms * Remove MySQL alternatives for UPDATE...FROM syntax Since Mattermost only supports PostgreSQL, remove the MySQL-specific UPDATE syntax that joins tables differently: - thread_store.go: Use PostgreSQL UPDATE...FROM syntax in MarkAllAsReadByChannels and MarkAllAsReadByTeam - post_store.go: Use PostgreSQL UPDATE...FROM syntax in deleteThreadFiles * Remove MySQL alternatives for JSON and subquery operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific JSON and subquery syntax: - thread_store.go: Use PostgreSQL JSONB operators for updating participants - access_control_policy_store.go: Use PostgreSQL JSONB @> operator for querying JSON imports - session_store.go: Use PostgreSQL subquery syntax for Cleanup - job_store.go: Use PostgreSQL subquery syntax for Cleanup * Remove MySQL alternatives for CTE queries Since Mattermost only supports PostgreSQL, simplify code that uses CTEs (Common Table Expressions): - channel_store.go: Remove MySQL CASE-based fallback in UpdateLastViewedAt and use PostgreSQL CTE exclusively - draft_store.go: Remove driver checks in DeleteEmptyDraftsByCreateAtAndUserId, DeleteOrphanDraftsByCreateAtAndUserId, and determineMaxDraftSize * Remove driver checks in migrate.go and schema_dump.go Simplify migration code to use PostgreSQL driver directly since PostgreSQL is the only supported database. * Remove driver checks in sqlx_wrapper.go Always apply lowercase named parameter transformation since PostgreSQL is the only supported database. * Remove driver checks in user_store.go Simplify user store functions to use PostgreSQL-only code paths: - Remove isPostgreSQL parameter from helper functions - Use LEFT JOIN pattern instead of subqueries for bot filtering - Always use case-insensitive LIKE with lower() for search - Remove MySQL-specific role filtering alternatives * Remove driver checks in post_store.go Simplify post_store.go to use PostgreSQL-only code paths: - Inline getParentsPostsPostgreSQL into getParentsPosts - Use PostgreSQL TO_CHAR/TO_TIMESTAMP for date formatting in analytics - Use PostgreSQL array syntax for batch deletes - Simplify determineMaxPostSize to always use information_schema - Use PostgreSQL jsonb subtraction for thread participants - Always execute RefreshPostStats (PostgreSQL materialized views) - Use materialized views for AnalyticsPostCountsByDay - Simplify AnalyticsPostCountByTeam to always use countByTeam * Remove driver checks in channel_store.go Simplify channel_store.go to use PostgreSQL-only code paths: - Always use sq.Dollar.ReplacePlaceholders for UNION queries - Use PostgreSQL LEFT JOIN for retention policy exclusion - Use PostgreSQL jsonb @> operator for access control policy imports - Simplify buildLIKEClause to always use LOWER() for case-insensitive search - Simplify buildFulltextClauseX to always use PostgreSQL to_tsvector/to_tsquery - Simplify searchGroupChannelsQuery to use ARRAY_TO_STRING/ARRAY_AGG * Remove driver checks in file_info_store.go Simplify file_info_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL to_tsvector/to_tsquery for file search - Use file_stats materialized view for CountAll() - Use file_stats materialized view for GetStorageUsage() when not including deleted - Always execute RefreshFileStats() for materialized view refresh * Remove driver checks in attributes_store.go Simplify attributes_store.go to use PostgreSQL-only code paths: - Always execute RefreshAttributes() for materialized view refresh - Remove isPostgreSQL parameter from generateSearchQueryForExpression - Always use PostgreSQL LOWER() LIKE LOWER() syntax for case-insensitive search * Remove driver checks in retention_policy_store.go Simplify retention_policy_store.go to use PostgreSQL-only code paths: - Remove isPostgres parameter from scanRetentionIdsForDeletion - Always use pq.Array for scanning retention IDs - Always use pq.Array for inserting retention IDs - Remove unused json import * Remove driver checks in property stores Simplify property_field_store.go and property_value_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL type casts (::text, ::jsonb, ::bigint, etc.) - Remove isPostgres variable and conditionals * Remove driver checks in channel_member_history_store.go Simplify PermanentDeleteBatch to use PostgreSQL-only code path: - Always use ctid-based subquery for DELETE with LIMIT * Remove remaining driver checks in user_store.go Simplify user_store.go to use PostgreSQL-only code paths: - Use LEFT JOIN for bot exclusion in AnalyticsActiveCountForPeriod - Use LEFT JOIN for bot exclusion in IsEmpty * Simplify fulltext search by consolidating buildFulltextClause functions Remove convertMySQLFullTextColumnsToPostgres and consolidate buildFulltextClause and buildFulltextClauseX into a single function that takes variadic column arguments and returns sq.Sqlizer. * Simplify SQL stores leveraging PostgreSQL-only support - Simplify UpdateMembersRole in channel_store.go and team_store.go to use UPDATE...RETURNING instead of SELECT + UPDATE - Simplify GetPostReminders in post_store.go to use DELETE...RETURNING - Simplify DeleteOrphanedRows queries by removing MySQL workarounds for subquery locking issues - Simplify UpdateUserLastSyncAt to use UPDATE...FROM...RETURNING instead of fetching user first then updating - Remove MySQL index hint workarounds in ORDER BY clauses - Update outdated comments referencing MySQL - Consolidate buildFulltextClause and remove convertMySQLFullTextColumnsToPostgres * Remove MySQL-specific test artifacts - Delete unused MySQLStopWords variable and stop_word.go file - Remove redundant testSearchEmailAddressesWithQuotes test (already covered by testSearchEmailAddresses) - Update comment that referenced MySQL query planning * Remove MySQL references from server code outside sqlstore - Update config example and DSN parsing docs to reflect PostgreSQL-only support - Remove mysql:// scheme check from IsDatabaseDSN - Simplify SanitizeDataSource to only handle PostgreSQL - Remove outdated MySQL comments from model and plugin code * Remove MySQL references from test files - Update test DSNs to use PostgreSQL format - Remove dead mysql-replica flag and replicaFlag variable - Simplify tests that had MySQL/PostgreSQL branches * Update docs and test config to use PostgreSQL - Update mmctl config set example to use postgres driver - Update test-config.json to use PostgreSQL DSN format * Remove MySQL migration scripts, test data, and docker image Delete MySQL-related files that are no longer needed: - ESR upgrade scripts (esr.*.mysql.*.sql) - MySQL schema dumps (mattermost-mysql-*.sql) - MySQL replication test scripts (replica-*.sh, mysql-migration-test.sh) - MySQL test warmup data (mysql_migration_warmup.sql) - MySQL docker image reference from mirror-docker-images.json * Remove MySQL references from webapp - Simplify minimumHashtagLength description to remove MySQL-specific configuration note - Remove unused HIDE_MYSQL_STATS_NOTIFICATION preference constant - Update en.json i18n source file * clean up e2e-tests * rm server/tests/template.load * Use teamMemberSliceColumns() in UpdateMembersRole RETURNING clause Refactor to use the existing helper function instead of hardcoding the column names, ensuring consistency if the columns are updated. * u.id -> u.Id * address code review feedback --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-20 21:01:59 +00:00
Alejandro García Montoro	5e99f12c3a	MM-67119: Remove unused Channel.Etag (#34951) ... * Remove unused Channel.Etag Computing the etag for a channel is complex due to user-specific data, so we remove the unused Etag function to avoid confusion until a performance need for it arises. * Remove etag from Client4.GetChannel and tests * make mocks * Fix missing GetChannel calls	2026-01-20 17:46:17 +01:00
Daniel Espino García	b5a816a657	Add audits for accessing posts without membership (#31266) ... * Add audits for accessing posts without membership * Fix tests * Use correct audit level * Address feedback * Add missing checks all over the app * Fix lint * Fix test * Fix tests * Fix enterprise test * Add missing test and docs * Fix merge * Fix lint * Add audit logs on the web socket hook for permalink posts * Fix lint * Fix merge conflicts * Handle all events with "non_channel_member_access" parameter * Fix lint and tests * Fix merge * Fix tests	2026-01-20 10:38:27 +01:00
Nick Misasi	b2f93dec1a	[MM-67118] Add Agents to @ mention autocomplete in channel (#34881) ... * Add support for autocomplete of plugin-created bots * stashing * Add support for including agents in the autocomplete list for @ mentions * Change server response to be users rather than interface * fix	2026-01-19 16:10:57 -05:00
Nick Misasi	c62d103d76	[MM-67160] Add audit logging for recap API endpoints (#34929) ... * Add audit logging for recap API endpoints - Add audit event constants for all recap operations - Implement Auditable interface for Recap model - Add comprehensive audit logging to all 6 recap endpoints - Log channel_ids to track implicit channel content access - Use LevelContent for content-related operations, LevelAPI for listing * Address PR feedback: standardize audit method order and extract helper function - Standardized order of audit record method calls across all handlers: set object type first, then prior state (if applicable), then result state - Extracted duplicated channel ID extraction logic into addRecapChannelIDsToAuditRec helper function	2026-01-19 13:46:43 -05:00
Devin Binnie	f00dd11e34	[MM-67138][MM-67139] Update Audit/Activity logging for Desktop App external auth (#34928) ... * [MM-67138][MM-67139] Update Audit/Activity logging for Desktop App external auth * PR feedback --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-16 13:28:44 -05:00
Nick Misasi	8e4cadbc88	[MM-66359] Recaps MVP (#34337) ... * initial commit for POC of Plugin Bridge * Updates * POC for plugin bridge * Updates from collaboration * Fixes * Refactor Plugin Bridge to use HTTP/REST instead of RPC - Remove ExecuteBridgeCall hook and Context.SourcePluginId - Implement HTTP-based bridge using existing PluginHTTP infrastructure - Add CallPlugin API method with endpoint parameter instead of method name - Update CallPluginBridge to construct HTTP POST requests - Add proper headers: Mattermost-User-Id, Mattermost-Plugin-ID - Use 'com.mattermost.server' as plugin ID for core server calls - Update ai.go to use REST endpoint /inter-plugin/v1/completion - Add comprehensive spec documentation in server/spec.md - Add MIGRATION_GUIDE.md for plugin developers - Fix 401/404 issues by setting correct headers and URL paths * Improve Plugin Bridge security and architecture - Create ServeInternalPluginRequest for internal plugin calls (core + plugin-to-plugin) - Move header-setting logic from CallPluginBridge to ServeInternalPluginRequest - Improve separation of concerns: business logic vs HTTP transport - Add security documentation explaining header protection Security Improvements: - ServeInternalPluginRequest is NOT exposed as HTTP route (internal only) - Headers (Mattermost-User-Id, Mattermost-Plugin-ID) are set by trusted server code - External requests cannot spoof these headers (stripped by servePluginRequest) - Core calls use 'com.mattermost.server' as plugin ID for authorization - Plugin-to-plugin calls use real plugin ID (enforced by server) Backward Compatibility: - Keep ServeInterPluginRequest for existing API.PluginHTTP callers (deprecated) - All tests pass Docs: - Update spec.md with security model explanation - Update MIGRATION_GUIDE.md with correct header usage examples * Space * cursor please stop creating markdown files * Fix style * Fix i18n, linter * REMOVE MARKDOWN * Remove CallPlugin method from plugin API interface Per review feedback, this method is no longer needed. Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> * Remove CallPlugin method implementation from PluginAPI Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> * fixes * Add AI OpenAPI spec * fix openapi spec * Use agents client (#34225) * Use agents client * Remove default agent * Fixes * fix: modify system prompts to ensure JSON is being returned * Base implementation for recaps working * small fixes * Adjustments * remove webapp changes * Add feature flags for rewrites and ai bridge, clean up * Remove comments that aren't helpful * Fix i18n * Remove rewrites * Fix tests * Fix i18n * adjust i18n again * Add back translations * Remove leftover mock code * remove model file * Changes from PR review * Make the real substitutions * Include a basic invokation of the client with noop to ensure build works * more fix * Remove unneeded change * Updates from review * Fixes * Remove some logic from rewrites to clean up branch * Use v1.5.0 of agents plugin * A bunch more additions for general UX flow * Add missing files * Add mocks * Fixes for vet-api, i18n, build, types, etc * One more linter fix * Fix i18n and some tests * Refactors and cleanup in backend code * remove rogue markdown file * fixes after refactors from backend * Add back renamed files, and add tests * More self code review * More fixes * More refactors * Fix call stack exceeded bug * Include read messages if there are no unreads * Fix test failure: use correct error message key for recap permission denied The getRecapAndCheckOwnership function was using strings.ToLower(callerName) to generate error keys, which caused 'GetRecap' to become 'getrecap' instead of the expected 'get'. Changed to use the correct static key that matches the en.json localization file. Fixes TestGetRecap/get_recap_by_non-owner test failure. Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> * Consolidate permission errors down to a single string * Fixes for i18n, worktrees making this difficult * Fix i18n * Fix i18n once and for all (for real) (final) * Fix duplicate getAgents method in client4.ts * Remove duplicate ai state from initial_state.ts * Fix types * Fix tests * Fix return type of GetAgents and GetServices * Add tests for recaps components * Fix types * Update i18n * Fixes * Fixes * More cleanup * Revert random file * Use undefined * fix linter * Address feedback * Missed a git add * Fixes * Fix i18n * Remove fallback * Fixes for PR --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> Co-authored-by: Christopher Speller <crspeller@gmail.com> Co-authored-by: Felipe Martin <me@fmartingr.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-13 11:59:22 -05:00
Ben Schumacher	43bfdbfd1b	[MM-66840] Add CPU cores and total memory to Support Packet (#34658) ... * [MM-66840] Add CPU cores and total memory to support packet Add system resource information to support packet diagnostics to help with troubleshooting and capacity analysis. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Clarify that memory is in MB * Add comment clarifying CPU/memory are host values Clarifies that the CPU cores and total memory values in the support packet represent the host machine's resources, not any container limits that may be configured in Docker or Kubernetes environments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>	2026-01-13 16:23:32 +01:00
unified-ci-app[bot]	4389116b19	Update latest minor version to 11.4.0 (#34874) ... Automatic Merge	2026-01-08 09:47:31 +02:00
Pablo Vélez	e0052be9c3	MM-66890 - Set default for BurnOnRead feature flag to true (#34763) ... * MM-66890 - Set default for BurnOnRead feature flag to true * enable the feature by default * fix unit tests * fix e2e tests --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-12-18 09:39:44 +01:00
Daniel Espino García	0901686681	[MM-66710] Do not allow MFA enforcement on magic link accounts (#34614) ... * [MM-66710] Do not allow MFA enforcement on magic link accounts * Update server/i18n/en.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix blocker when changing configuration --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-12-17 15:46:41 +01:00
Jesse Hallam	6404ab29ac	MM-66424: Improve team filtering in common teams API (#34454) ... * add Client4.GetDirectOrGroupMessageMembersCommonTeams * Improve team filtering in common teams API Filter the common teams to only include teams the requesting user is a member of, ensuring proper access control. * simplify GetDirectOrGroupMessageMembersCommonTeamsAsUser	2025-12-15 15:06:48 -04:00
Devin Binnie	959022f953	[MM-66875][MM-66876] Implement RHS plugin popout (#34692) ... * [MM-66875] Implement RHS popout component * [MM-66876] Add RHS plugin popouts * Give plugins a way to check when popouts are opened * Fix test * Fix border radius * Fix lint * Update title to just show plugin name * Add server name to plugin popout for Desktop App * Fix test --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-12-11 14:04:43 -05:00
Ibrahim Serdar Acikgoz	084006c0ea	[MM-61758] Burn on read feature (#34703) ... * Add read receipt store for burn on read message types * update mocks * fix invalidation target * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * add translations * Added logic to associate files of BoR post with the post * Added test * fixes * disable pinning posts and review comments * MM-66594 - Burn on read UI integration (#34647) * MM-66244 - add BoR visual components to message editor * MM-66246 - BoR visual indicator for sender and receiver * MM-66607 - bor - add timer countdown and autodeletion * add the system console max time to live config * use the max expire at and create global scheduler to register bor messages * use seconds for BoR config values in BE * implement the read by text shown in the tooltip logic * unestack the posts from same receiver and BoR and fix styling * avoid opening reply RHS * remove unused dispatchers * persis the BoR label in the drafts * move expiration value to metadata * adjust unit tests to metadata insted of props * code clean up and some performance improvements; add period grace for deletion too * adjust migration serie number * hide bor messages when config is off * performance improvements on post component and code clean up * keep bor existing post functionality if config is disabled * Add read receipt store for burn on read message types * Add temporary posts table * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * avoid reacting to unrevealed bor messages * adjust migration number * Add read receipt store for burn on read message types * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * adjust post reveal and type with backend changes * use real config values, adjust icon usage and style * adjust the delete from from sender and receiver * improve self deleting logic by placing in badge, use burn endpoint * adjust websocket events handling for the read by sender label information * adjust styling for concealed and error state * update burn-on-read post event handling for improved recipient tracking and multi-device sync * replace burn_on_read with type in database migrations and model * remove burn_on_read metadata from PostMetadata and related structures * Added logic to associate files of BoR post with the post * Added test * adjust migration name and fix linter * Add read receipt store for burn on read message types * update mocks * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * Added logic to associate files of BoR post with the post * Added test * disable pinning posts and review comments * show attachment on bor reveal * remove unused translation * Enhance burn-on-read post handling and refine previous post ID retrieval logic * adjust the returning chunk to work with bor messages * read temp post from master db * read from master * show the copy link button to the sender * revert unnecessary check * restore correct json tag * remove unused error handling and clarify burn-on-read comment * improve type safety and use proper selectors * eliminate code duplication in deletion handler * optimize performance and add documentation * delete bor message for sender once all receivers reveal it * add burn on read to scheduled posts * add feature enable check * use master to avoid all read recipients race condition --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com> Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com> * squash migrations into single file * add configuration for the scheduler * don't run messagehasbeenposted hook * remove parallel tests on burn on read * add clean up for closing opened modals from previous tests * simplify delete menu item rendering * add cleanup step to close open modals after each test to prevent pollution * streamline delete button visibility logic for Burn on Read posts * improve reliability of closing post menu and modals by using body ESC key --------- Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com> Co-authored-by: Pablo Vélez <pablovv2012@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-12-11 07:59:50 +01:00
Elias Nahum	4589005a54	feat: Add Microsoft Intune MAM authentication support (#34577) ... * Add Entra ID token authentication and Intune MAM config exposure * Add Intune MAM toggle to Mobile Security admin console * Add IntuneSettings with the AuthService to use and its own TenantID andClientID for the Entra App registration Include Admin console changes switch from /oauth/entra to /oauth/intune endpoint * openAPI documentation --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: yasser khan <attitude3cena.yf@gmail.com>	2025-12-10 08:31:53 +02:00
Jesse Hallam	fcdd6962ff	MM-65575: Fix server panic when bot posts trigger persistent notifications (#34174) ... * reproduce panic with test * allow bots in the profile map * explicitly prevent sending notifications to bots * persistent notifications: handle senders not in the channel	2025-12-08 20:41:29 +00:00
unified-ci-app[bot]	2397ad59fd	Update latest minor version to 11.3.0 (#34673) ... Automatic Merge	2025-12-08 13:24:15 +02:00
Ben Schumacher	6e87c94f29	[MM-62770] Validate log levels in AdvancedLoggingJSON (#34414)	2025-12-08 10:54:33 +01:00
Ben Cooke	c78ebc5ec1	add audit logs to DCR (#34598)	2025-11-28 11:44:15 -05:00
Catena cyber	758bdd785f	perf: apply perfpsrint linter (#33967) ... * perf: apply perfpsrint linter * further simplifications * improved TestParseHashtags coverage * more simplifications * simplify renderBlockHTML further --------- Co-authored-by: Jesse Hallam <jesse@mattermost.com>	2025-11-28 11:23:51 -04:00
Elias Nahum	1022cd44c0	MM-65756 Database Migrations, Indexes and Methods for Auto-Translation (#34047) ... * AutoTranslate config settings * comment out Agents provider * Add auto translate timeout config validation * i18n messages for autotranslation config validation * fix test * validate url for libreTranslate * Feedback review * Admin Console UI for Auto-Translation * fix admin console conditional section display * i18n * removed unintentional change Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * update admin.general.localization.autoTranslateProviderDescription newline * fix lint * Fix types * UX feedback review * fix typo in i18n * Fix AutoTranslation feature flag * feedback review * Fix test default values * feedback review * re-add isHidden property to feature discovery * Database Migrations, Indexes and Methods for Auto-Translation * i18n * fix retrylayer and storetest * Fix search query * fix lint * remove the request.CTX and modify Translation model * fix lint and external url * Add settings to playwright * Add empty as a valid value for the Provider * Update jsonb queries * Fix queries and add model methods * fix go lint * go lint fix 2 * fix db migrations * feedback review + store cache * increase migration number * cleanup autotranslation store cache * use NULL as objectType for posts * fix bad merge * fix tests * add missing i18n * Switch prop bags column to boolean * fix lint * fix tests * Remove database search * use Builder methods --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: BenCookie95 <benkcooke@gmail.com>	2025-11-22 09:32:01 +08:00
Pablo Vélez	2c997945b2	MM-66244 - add BoR visual components to message editor (#34455) ... * MM-66244 - add BoR visual components to message editor * add test coverage and fix linter * fix linter * implement pr ux feedback * add translation * fix unit test --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-20 18:10:08 +01:00
Rahim Rahman	edb05c7ea5	Magic link (passwordless) authentication for guests (#34264) ... * Add EasyLogin configuration (#34217) * add easy login config * add easy login to the invite modal * add to the query parameters * Add an API to get login method for the login id (#34223) * add an api to get login method for the login id * do not return errors if user is not found * Add support for Easy Login invitation link sending (#34224) This generates Easy Login token types when requested. The server doesn't do anything with these tokens, yet - that will come in a future change. * Add support for logging in with easy login (#34236) * Fix E2E tests (#34240) * Prevent easy login accounts to reset their password (#34262) * Add easy login support to login api and limit token to 5 min (#34259) * webapp easy login ui mods (#34237) * webapp easy login ui mods * easy login i18n * lint issues * getUserLoginType * using the real API * easylogin proper redirect * remove unneeded functions and files * duplicated localization * remove easylogin * using EnableEasyLogin setting * localization fix * fix lint issue * remove excessive setIsWaiting * changed logic to make it more readable * renaming component to make easier editable * password will disappear when username change * login test * text for easy login password * Add app links to emails * Update templates and always land in the landing screen * Update svg image, improve checks on server, fix linking page and show deactivated on login type * Update naming * Fix mocks and imports * Remove all sessions on disable and forbid user promotion * Fix layer and tests * Address feedback * Fix tests * Fix missing string * Fix texts * Fix tests * Fix constant name * Fix tests * Fix test * Address feedback * Fix lint * Fix test * Address feedback * Fix test --------- Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com> Co-authored-by: David Krauser <david@krauser.org> Co-authored-by: Daniel Espino <larkox@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-20 14:06:23 +01:00
Carlos Garcia	4ba7f7e16e	MM-66202: Migrate to aws-sdk-go-v2 (#34496) ... * updated aws-sdk dependency to aws-sdk-go-v2 * simplify error handling in case of timeout errors --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-20 11:26:09 +01:00
Ibrahim Serdar Acikgoz	fc93ede640	[MM-65956] Tweak auto add to make it consistent with child policies (#33990)	2025-11-19 20:18:45 +00:00
Ben Cooke	188b57fbcb	[MM-66681] Update path matching (#34524)	2025-11-19 09:50:25 -05:00
Harshil Sharma	e8406345a5	Content flagging file downloads (#34480) ... * Server change donw * webapp changes * Disabled file actions * lint fixes * Removed leftover comment * CI * Added tests * lint fixes --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-19 14:22:07 +05:30
Ben Schumacher	97dedb9de5	Migrate from gopkg.in/yaml.v3 to github.com/goccy/go-yaml (#34510) ... Co-authored-by: Claude <noreply@anthropic.com>	2025-11-18 08:52:05 +01:00
Scott Bishel	b1338853a1	Add cursor-based Posts Reporting API for compliance and auditing (#34252) ... * Add cursor-based Posts Reporting API for compliance and auditing Implements a new admin-only endpoint for retrieving posts with efficient cursor-based pagination, designed for compliance, auditing, and archival workflows. Key Features: - Cursor-based pagination using composite (time, ID) keys for consistent performance regardless of dataset size (~10ms per page at any depth) - Flexible time range queries with optional upper/lower bounds - Support for both create_at and update_at time fields - Ascending or descending sort order - Optional metadata enrichment (files, reactions, acknowledgements) - System admin only access (requires manage_system permission) - License enforcement for compliance features API Endpoint: POST /api/v4/reports/posts - Request: JSON body with channel_id, cursor_time, cursor_id, and options - Response: Posts map + next_cursor object (null when pagination complete) - Max page size: 1000 posts per request (MaxReportingPerPage constant) Implementation: - Store Layer: Direct SQL queries with composite index on (ChannelId, CreateAt, Id) - App Layer: Permission checks, optional metadata enrichment, post hooks - API Layer: Parameter validation, system admin enforcement, license checks - Data Model: ReportPostOptions, ReportPostOptionsCursor, ReportPostListResponse Code Quality Improvements: - Added MaxReportingPerPage constant (1000) to eliminate magic numbers - Removed unused StartTime field from ReportPostOptions - Added fmt import for dynamic error messages Testing: - 14 comprehensive store layer unit tests - 12 API layer integration tests covering permissions, pagination, filters - All tests passing Documentation: - POSTS_REPORTING.md: Developer reference with Go structs and usage examples - POSTS_REPORTING_API_SPEC.md: Complete technical specification - GET_POSTS_API_IMPROVEMENTS.md: Implementation analysis and design rationale - POSTS_TIME_RANGE_FEATURE.md: Archived time range feature for future use Performance: Cursor-based pagination maintains consistent ~10ms query time at any dataset depth, compared to offset-based pagination which degrades significantly (Page 1 = 10ms, Page 1000 = 10 seconds). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * lint fixes * lint fixes * gofmt * i18n-extract * Add Enterprise license requirement to posts reporting API Enforce Enterprise license (tier 20+) for the new posts reporting endpoint to align with compliance feature licensing. Professional tier is insufficient. Changes: - Add MinimumEnterpriseLicense check in GetPostsForReporting app layer - Add test coverage for license validation (no license and Professional tier) All existing tests pass with new license enforcement. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * i18n-extract * add licensing to api documentation * Test SSH signing * Add mmctl command for posts reporting API Adds mmctl report posts command to retrieve posts from a channel for administrative reporting purposes. Supports cursor-based pagination with configurable sorting, filtering, and time range options. Includes database migration for updateat+id index to support efficient cursor-based queries when sorting by update_at. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor posts reporting API cursor to opaque token and improve layer separation This addresses code review feedback by transforming the cursor from exposed fields to an opaque token and improving architectural layer separation. **Key Changes:** 1. **Opaque Cursor Implementation** - Transform cursor from split fields (cursor_time, cursor_id) to single opaque base64-encoded string - Cursor now self-contained with all query parameters embedded - When cursor provided, embedded parameters take precedence over request body - Clients treat cursor as opaque token and pass unchanged 2. **Field Naming** - Rename ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Now excludes ALL system posts (any type starting with "system_") - Clearer and more consistent naming 3. **Layer Separation** - Move cursor decoding from store layer to model layer - Create ReportPostQueryParams struct for resolved parameters - Store layer receives pre-resolved parameters (no business logic) - Add ResolveReportPostQueryParams() function in model layer 4. **Code Quality** - Add type-safe constants (ReportingTimeFieldCreateAt, ReportingSortDirectionAsc, etc.) - Replace magic number 9223372036854775807 with math.MaxInt64 - Remove debug SQL logging (info disclosure risk) - Update mmctl to use constants and fix NextCursor pointer access 5. **Tests** - Update all 17 store test calls to use new resolution pattern - Add comprehensive test for DESC + end_time boundary behavior 6. **API Documentation** - Update OpenAPI spec to reflect opaque cursor format - Update all request/response examples - Clarify end_time behavior with sort directions **Files Changed:** - Model layer: public/model/post.go - App layer: channels/app/report.go - Store layer: channels/store/store.go, channels/store/sqlstore/post_store.go - Tests: channels/store/storetest/post_store.go - Mocks: channels/store/storetest/mocks/PostStore.go - API: channels/api4/report.go, channels/api4/report_test.go - mmctl: cmd/mmctl/commands/report.go - Docs: api/v4/source/reports.yaml 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix unhandled parse errors in cursor decoding Address security finding: cursor decoding was silently ignoring parse errors from strconv functions, which could lead to unexpected behavior when malformed cursors are provided. Changes: - Add explicit error handling for strconv.Atoi (version parsing) - Add explicit error handling for strconv.ParseBool (includeDeleted, excludeSystemPosts) - Add explicit error handling for strconv.ParseInt (timestamp parsing) - Return clear error messages indicating which field failed to parse This prevents silent failures where malformed values would default to zero-values (0, false) and potentially alter query behavior without warning. Addresses DryRun Security finding: "Unhandled Errors in Cursor Parsing" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix linting issues - Remove unused reportPostCursorV1 struct (unused) - Remove obsolete +build comment (buildtag) - Use maps.Copy instead of manual loop (mapsloop) - Modernize for loop with range over int (rangeint) - Apply gofmt formatting 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix gofmt formatting issues Fix alignment in struct literals and constant declarations: - Align map keys in report_test.go request bodies - Align struct fields in ReportPostOptions initialization - Align reporting constant declarations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update mmctl tests for opaque cursor and add i18n translations Update report_test.go to align with the refactored Posts Reporting API: - Replace split cursor flags (cursor-time, cursor-id) with single opaque cursor flag - Update field name: ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Update all mock expectations to use new ReportPostOptionsCursor structure - Replace test cursor values with base64-encoded opaque cursor strings Add English translations for cursor decoding error messages in i18n/en.json. Minor API documentation fix in reports.yaml (remove "all" from description). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update mmctl tests for opaque cursor and add i18n translations Update report_test.go to align with the refactored Posts Reporting API: - Replace split cursor flags (cursor-time, cursor-id) with single opaque cursor flag - Update field name: ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Update all mock expectations to use new ReportPostOptionsCursor structure - Replace test cursor values with base64-encoded opaque cursor strings Add English translations for cursor decoding error messages in i18n/en.json. Minor API documentation fix in reports.yaml (remove "all" from description). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * more lint fixes * remove index update files * Remove end_time parameter from Posts Reporting API Align with other cursor-based APIs in the codebase by removing the end_time parameter. The caller now controls when to stop pagination by simply not making another request, which is the same pattern used by GetPostsSinceForSync, MessageExport, and GetPostsBatchForIndexing. Changes: - Remove EndTime field from ReportPostOptions and ReportPostQueryParams - Remove EndTime filtering logic from store layer - Remove tests that used end_time parameter 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor posts reporting API for security and validation Address security review feedback by consolidating parameter resolution and validation in the API layer, with comprehensive validation of all cursor fields to prevent SQL injection and invalid queries. Changes: - Move parameter resolution from model to API layer for clearer separation - Add ReportPostQueryParams.Validate() with inline validation for all fields - Validate ChannelId, TimeField, SortDirection, and CursorId format - Add start_time parameter for time-bounded queries - Cap per_page at 100-1000 instead of rejecting invalid values - Export DecodeReportPostCursorV1() for API layer use - Simplify app layer to receive pre-validated parameters - Check channel existence when results are empty (better error messages) Testing: - Add 10 model tests for validation and malformed cursor scenarios - Add 4 API tests for cursors with invalid field values - Refactor 13 store tests to use buildReportPostQueryParams() helper - All 31 tests pass Documentation: - Update OpenAPI spec with start_time, remove unused end_time - Update markdown docs with start_time examples Security improvements: - Whitelist validation prevents SQL injection in TimeField/SortDirection - Format validation ensures ChannelId and CursorId are valid IDs - Single validation point for both cursor and options paths - Defense in depth: validation + parameterized queries + store layer whitelist 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Improve posts reporting query efficiency and safety Replace SELECT * and nested OR/AND conditions with explicit column selection and PostgreSQL row value comparison for better performance and maintainability. Changes: - Use postSliceColumns() instead of SELECT * for explicit column selection - Replace Squirrel OR/AND with row value comparison: (timeField, Id) > (?, ?) - Use fmt.Sprintf for safer string formatting in WHERE clause Query improvements: Before: WHERE (CreateAt > ?) OR (CreateAt = ? AND Id > ?) After: WHERE (CreateAt, Id) > (?, ?) Benefits: - Explicit column selection prevents issues if table schema changes - Row value comparison is more concise and better optimized by PostgreSQL - Follows existing patterns in post_store.go (postSliceColumns) - Standard SQL:2003 syntax 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Change posts reporting response from map to ordered array Replace the Posts map with an ordered array to preserve query sort order and provide a more natural API response for sequential processing. Changes: - ReportPostListResponse.Posts: map[string]*Post → []*Post - Store layer returns posts array directly (already sorted by query) - App layer iterates by index for metadata enrichment - Remove applyPostsWillBeConsumedHook call (not applicable to reporting) - Update API tests to iterate arrays instead of map lookups - Update store tests to convert array to map for deduplication checks - Remove unused "maps" import Benefits: - Preserves query sort order (ASC/DESC, create_at/update_at) - More natural for sequential processing/export workflows - Simpler response structure for reporting/compliance use cases - Aligns with message export/compliance patterns (no plugin hooks) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix linting issues in posts reporting tests Replace inefficient loops with append(...) for better performance. Changes: - Use append(postSlice, result.Posts...) instead of loop - Simplifies code and follows staticcheck recommendations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix store test AppError nil checking Use require.Nil instead of require.NoError for *AppError returns to avoid Go interface nil pointer issues. When DecodeReportPostCursorV1 returns nil *AppError and it's assigned to error interface, the interface becomes non-nil even though the pointer is nil. This causes require.NoError to fail incorrectly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-17 09:02:19 -07:00
Nick Misasi	91dfcbbdd1	Integration permission management changes (#34421) ... * Support for permissions allowing end users to create and manage their own integrations if sysadmin deems necessary * Adjustments based on new understanding * remove extra functions now that we've consolidated * Fix webapp i18n * Update snapshots * Fix test * Fix some tests, refactor some more, and add a few extra * fix linter * Update snapshots * Fix test * Missed some cleanup * Fix e2e * Fi * Fix * Fixes from PR feedback * Update snapshots * Fix tests * Fix slash command list endpoint per PR feedback. Remove changes around OAuth Apps * Further reversions of oauth stuff * Update tests * Small changes to fix when customOnly=false * Remove extra perm from cypress * Fixes from Eva's feedback * Fix i18n * More fixing * More fixing	2025-11-13 11:12:30 +00:00
Miguel de la Cruz	ef16fcfad2	Adds default values to the attrs of CPA fields and refactors the app layer (#34408) ... * Adds default values to the attrs of CPA fields and refactors the app layer * Fix mmctl tests * Fix types and linter * Fix model test --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-13 12:00:54 +01:00
Ben Schumacher	9a74ab5009	[MM-66438] Add SAML provider type to Support Packet (#34378) ... Co-authored-by: Claude <noreply@anthropic.com>	2025-11-13 10:30:59 +01:00
Eva Sarafianou	0d181ca215	Push Proxy Authentication (#34211) ... * Initial Implementation of Push Proxy Authentication * Include Config Listener for Leader plus delete startup function as job scheduler runs on initialization * Remove push proxy auth from local imports * Add push proxy auth to external imports * Add push proxy auth error messages * Update error codes * Fix enterprise dep definition * make i18n-extract * Mock System store Get * m * m * m * m * Update serverID header * Add install type env var to docker * Update Push Proxy config with new options Global, US, Germany and Japan. Previous configurations will keep working * use model.SafeDereference * Delete token when new push proxy URL is empty * ServerID header only if auth token is available --------- Co-authored-by: Daniel Schalla <daniel@mattermost.com> Co-authored-by: Nick Misasi <nick.misasi@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-12 20:16:44 +02:00
Ben Schumacher	b2df9be70b	Fix errcheck linter errors in helpers (#31578)	2025-11-12 13:00:51 +01:00
Ben Cooke	da3ba59f7e	OAuth public client improvements (#34435)	2025-11-11 16:57:49 -05:00
Ben Cooke	3aad6b0448	Add support for resource parameter with OAuth (#33743)	2025-11-11 15:24:42 -05:00
Ben Cooke	a79ac96b50	OAuth public client support through DCR and PKCE support for public/confidential clients (#33664) ... * public client support along with PKCE for public/confidential clients --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-11 17:43:37 +00:00
Ben Cooke	a9c9953439	Authorization metadata endpoint and Dynamic Client Registration of Confidential OAuth Apps (#33642) ... * initial DCR and metadata implementation * check for duplicate registrations * tests and other cleanup * dcr fixes * tidy up unused DCR fields * remove initial access token support * remove duplicate client checks * remove unused store function * remove restrictive redirect url checks * create some constants for endpoints * surface support for implicit grant and add system console setting * fix frontend issues with DCR clients * rate limiting the DCR endpoint * lint * lint and cleanup * remove storage of grants, responses and methods. Just enforce in the code * fix lint and tests * docs and test * accidentally removed comments * fix mock * translations * do not advertise public client capability * validate supplied token_endpoint_auth_method * fix pr comments * updates * add metadata endpoint to docs * add definition * lint * fix client4 * fix client methods * fix client again --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-11 14:27:18 +00:00
Devin Binnie	1e14ed7f87	[MM-66358] AI-enabled rewriting of messages (#34407) ... * [MM-66358] AI-enabled rewriting of messages * Fixes and PR feedback * Fix i18n * Remove extraneous logger calls * Update icons * UX feedback * Fix lint * Couple more UX fixes	2025-11-11 14:14:21 +00:00
Ben Schumacher	3c14d8b65d	Fix NPE in PluginSettings.Sanitize (#34405)	2025-11-11 13:41:18 +01:00
Jesse Hallam	fddb7eee14	MM-66458: Fix panic in GenerateTriggerId with invalid signing keys (#34384)	2025-11-11 07:12:36 -04:00
Pablo Vélez	fdeea21e07	MM-66177 - add BoR items to system console post page + BoR FF (#34188) ... * MM-66177 - add BoR items to system console post page + BoR FF * simplify selectors and promises * Mm 66181 bor feature discovery page (#34210) * MM-66181 - bor feature discovery page * MM-66181 - bor feature discovery page; sysconsole > post section revamp * adjust scss files bem syntax * adjust margins and support for team fetching * implement final visual feedback to multiselector * fix unit tests * fix snapshots * revert unwanted snapshot update --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-11 12:08:56 +01:00
Ben Cooke	e882a16c6b	[MM-65988] Add new post prop for handling ai generated posts (#34103) ... * add ai icon to ai generated posts --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-10 16:32:18 -05:00
unified-ci-app[bot]	da157966f0	Update latest minor version to 11.2.0 (#34439) ... Automatic Merge	2025-11-10 09:31:47 +02:00
Ben Schumacher	01ead3fd91	[MM-66352] Add search backend type to Support Packet (#34377) ... Co-authored-by: Claude <noreply@anthropic.com>	2025-11-05 10:11:20 +01:00
Caleb Roseland	74f7cfdc76	fix: ensure field attrs in read pipeline (#34386)	2025-11-04 16:04:10 -06:00
Ben Schumacher	892a7c9c69	Use golangci-lints's build-in modernize linter (#34341)	2025-11-04 12:09:11 +01:00
Ben Schumacher	494b570f3a	[MM-63607] Add length validation for LDAP user fields (#30596)	2025-11-04 10:02:18 +01:00
Harshil Sharma	00374ae456	Set feature flag default to true (#34374)	2025-11-04 13:54:49 +05:30
Nick Misasi	0dc1830948	[Build 2025] AI Plugin Bridge (#34216) ... * initial commit for POC of Plugin Bridge * Updates * POC for plugin bridge * Updates from collaboration * Fixes * Refactor Plugin Bridge to use HTTP/REST instead of RPC - Remove ExecuteBridgeCall hook and Context.SourcePluginId - Implement HTTP-based bridge using existing PluginHTTP infrastructure - Add CallPlugin API method with endpoint parameter instead of method name - Update CallPluginBridge to construct HTTP POST requests - Add proper headers: Mattermost-User-Id, Mattermost-Plugin-ID - Use 'com.mattermost.server' as plugin ID for core server calls - Update ai.go to use REST endpoint /inter-plugin/v1/completion - Add comprehensive spec documentation in server/spec.md - Add MIGRATION_GUIDE.md for plugin developers - Fix 401/404 issues by setting correct headers and URL paths * Improve Plugin Bridge security and architecture - Create ServeInternalPluginRequest for internal plugin calls (core + plugin-to-plugin) - Move header-setting logic from CallPluginBridge to ServeInternalPluginRequest - Improve separation of concerns: business logic vs HTTP transport - Add security documentation explaining header protection Security Improvements: - ServeInternalPluginRequest is NOT exposed as HTTP route (internal only) - Headers (Mattermost-User-Id, Mattermost-Plugin-ID) are set by trusted server code - External requests cannot spoof these headers (stripped by servePluginRequest) - Core calls use 'com.mattermost.server' as plugin ID for authorization - Plugin-to-plugin calls use real plugin ID (enforced by server) Backward Compatibility: - Keep ServeInterPluginRequest for existing API.PluginHTTP callers (deprecated) - All tests pass Docs: - Update spec.md with security model explanation - Update MIGRATION_GUIDE.md with correct header usage examples * Space * cursor please stop creating markdown files * Fix style * Fix i18n, linter * REMOVE MARKDOWN * Remove CallPlugin method from plugin API interface Per review feedback, this method is no longer needed. Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> * Remove CallPlugin method implementation from PluginAPI Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> * fixes * Add AI OpenAPI spec * fix openapi spec * Use agents client (#34225) * Use agents client * Remove default agent * Fixes * fix: modify system prompts to ensure JSON is being returned * remove webapp changes * Add feature flags for rewrites and ai bridge, clean up * Remove comments that aren't helpful * Fix i18n * Remove rewrites * Fix tests * Fix i18n * adjust i18n again * Add back translations * Remove leftover mock code * remove model file * Make the real substitutions * Include a basic invokation of the client with noop to ensure build works * Remove unneeded change * Updates from review * Fixes * Use v1.5.0 of agents plugin --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Nick Misasi <nickmisasi@users.noreply.github.com> Co-authored-by: Christopher Speller <crspeller@gmail.com> Co-authored-by: Felipe Martin <me@fmartingr.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-10-30 19:09:27 +00:00
Jesse Hallam	67568d558f	Introduce model.AssertNotSameMap (#34058) ... When we last bumped dependencies in https://github.com/mattermost/mattermost/pull/30005, `assert.NotSame` for maps started failing because of the change in https://github.com/stretchr/testify/issues/1661. The reality was that the previous assertion was silently skipped, and just now reporting as much. Here's an illustrative example: ```go package main import ( "maps" "testing" "github.com/stretchr/testify/assert" ) func TestClonedMapsAreNotSame(t *testing.T) { original := map[string]int{ "a": 1, "b": 2, "c": 3, } cloned := maps.Clone(original) assert.NotSame(t, original, cloned) } func TestSameMaps(t *testing.T) { original := map[string]int{ "a": 1, "b": 2, "c": 3, } cloned := original assert.Same(t, original, cloned) cloned["d"] = 4 assert.Same(t, original, cloned) } ``` which fails with the following after the original dependency update: ``` --- FAIL: TestClonedMapsAreNotSame (0.00s) main_test.go:19: Error Trace: /Users/jesse/tmp/testify/main_test.go:19 Error: Both arguments must be pointers Test: TestClonedMapsAreNotSame --- FAIL: TestSameMaps (0.00s) main_test.go:30: Error Trace: /Users/jesse/tmp/testify/main_test.go:30 Error: Both arguments must be pointers Test: TestSameMaps main_test.go:33: Error Trace: /Users/jesse/tmp/testify/main_test.go:33 Error: Both arguments must be pointers Test: TestSameMaps FAIL FAIL testassertequal 0.149s FAIL ``` However, instead of fixing the underlying issue, we took the address of those variables and kept using `assert.Same`. This isn't meaningful, since it doesn't directly compare the underlying pointers of the map objects in question, just the address of the pointers to those maps. Here's the output after taking the address (e.g. `&original` and `&cloned`): ``` --- FAIL: TestSameMaps (0.00s) main_test.go:30: Error Trace: /Users/jesse/tmp/testify/main_test.go:30 Error: Not same: expected: 0x14000070170 &map[string]int{"a":1, "b":2, "c":3} actual : 0x14000070178 &map[string]int{"a":1, "b":2, "c":3} Test: TestSameMaps main_test.go:33: Error Trace: /Users/jesse/tmp/testify/main_test.go:33 Error: Not same: expected: 0x14000070170 &map[string]int{"a":1, "b":2, "c":3, "d":4} actual : 0x14000070178 &map[string]int{"a":1, "b":2, "c":3, "d":4} Test: TestSameMaps FAIL FAIL testassertequal 0.157s FAIL ``` They are obviously the same map, since modifying `cloned` modified the original, yet `assert.Same` thinks they are different (because the pointe values are indeed different). (`assert.NotSame` "passes", but for the wrong reasons.) To fix this, introduce `model.AssertNotSameMap` to check this correctly.	2025-10-27 13:16:59 -03:00
Elias Nahum	595e600eea	MM-65755 Admin Console UI for Auto-Translation (#33982) ... * AutoTranslate config settings * comment out Agents provider * Add auto translate timeout config validation * i18n messages for autotranslation config validation * fix test * validate url for libreTranslate * Feedback review * Admin Console UI for Auto-Translation * fix admin console conditional section display * i18n * removed unintentional change Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * update admin.general.localization.autoTranslateProviderDescription newline * fix lint * Fix types * UX feedback review * fix typo in i18n * Fix AutoTranslation feature flag * feedback review * Fix test default values * feedback review * re-add isHidden property to feature discovery * fix lint and external url * Add settings to playwright * Add empty as a valid value for the Provider * Add searchable strings * set apikey input type as password --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-27 11:36:25 +08:00
Jesse Hallam	acda1fb5dd	MM-66299: type handling for ConsumeTokenOnce (#34247)	2025-10-22 18:03:33 -03:00
Jesse Hallam	82b9c3738b	Revert "[MM-64517] Fix NPE in PluginSettings.Sanitize (#31361)" (#34197) ... This reverts commit 832d033785.	2025-10-18 18:41:31 -03:00
Harshil Sharma	76e6638129	Content flagging private channel flagged post fix (#34098) ... * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Fixed test * Updated OpenAPI specs * fixed types * fixed types * refactoring * refactor: improve test mocking for data spillage report component * test mock updates * Fixed tests * Updated reducer * not resetting mocks * Added migrations for content flagging tables * Created new structure * review fixes * Used correct ot name * WIP * review fixes * review fixes * Added new property translations * CI * CI * CI * Improved test * fixed test * CI * New UI component * WIP * Updated settings APIs * cached DB data * used cached reviewer data * Updated tests * Lint fixes * test: add tests for saveContentFlaggingSettings and getContentFlaggingSettings APIs * test fix * test: add tests for SaveContentFlaggingConfig and GetContentFlaggingConfigReviewerIDs * Updated tests * test: add content flagging test for local cache layer * test: add comprehensive tests for content flagging store cache * Updated tests * lint fix * Updated mobile text * Added content flagging SQL store mocks * Added API specs for new APIs * fixed tests * feat: add TestContentFlaggingStore function for content flagging store testing * feat: add comprehensive tests for content flagging store * Added SQL store tests * test: add content flagging test for local cache layer * test: add tests for content flagging store caching * Added cache layer tests * Updated tests * Fixed * Handled JSON error * fixes * fixes * Fixed retry layer test * fixerdf i18n * Fixed test * CI * building index concurrently * CI * fixed a test * CI * cleanup * Implemented reviewer search API * feat: add tests for SearchCommonContentFlaggingReviewers and SearchTeamContentFlaggingReviewers * Added store tests * test: add comprehensive tests for SearchReviewers function * feat: add comprehensive tests for searchReviewers endpoint * API tests * Integrate flag post api (#33798) * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * CI * Updated to allow special characters in comments * Handled empty comment * Used finally * CI * Fixed test * Spillage card integration (#33832) * Created getContentFlaggingFields API * created getPostPropertyValues API * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Fixed test * refactor: improve test mocking for data spillage report component * test mock updates * Updated reducer * not resetting mocks * WIP * review fixes * CI * Fixed * fixes * Content flagging actions implementation (#33852) * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Updated OpenAPI specs * fixed types * fixed types * refactoring * Fixed tests * review fixes * Added new property translations * Improved test * fixed test * CI * fixes * CI * fixed a test * fixed abad commit * CI * WIP * IMplemented assign reviewer API * Display reviewers * Review fixes * UI integration * lint fix * Added API docs * test: add comprehensive tests for assignFlaggedPostReviewer function * test: add comprehensive tests for AssignFlaggedPostReviewer * Added tests * Fixed test * Sequential tests * minor improvemenmts * WIP * Added keep/delete message notifications * refactor: update AssignFlaggedPostReviewer method signature to include context * test: add tests for getReviewerPostsForFlaggedPost and postReviewerMessage * lint fixes * handled reviewer updates * Handled preference * Implemented notifications * test: add comprehensive tests for content flagging notification functions * refactor: Replace th.UpdateConfig with SaveContentFlaggingConfig in tests * test: add test case for content flagging with string comparison * refactor: simplify content flagging test config setup * refactor: Update content flagging notification settings types in test cases * refactor: Update content flagging tests to use exact message matching * Added tests * lint fixes * Added new hooks * lint fixes * feat: add API specs for getPostChannel and getPostTeam endpoints * lint fixes * test: add tests for getPostChannel and getPostTeam APIs * Added API tests * test: add empty test files for property card view loaders * test: add comprehensive tests for property card view hooks * refactor: replace waitForNextUpdate with waitFor in test files * Added hook tests * fixed test * review fixes * Fixed a test * Fixed a test * Fixed for default state * lint fixes * migration update * review fixes * Reduced code duplication * Refactored tests to reduce duplication * review fixes * lint fix * WIP * Updated existing APIs instead of creating new API * Lint fix * Added new tests * Fixed a test * Review fixes * WIP * test: add comprehensive tests for sendFlaggedPostRemovalNotification and sendKeepFlaggedPostNotification * Updated tests * review fixes * review fixes * test update * fixed a test * Updated logs * i18n fixes	2025-10-15 12:07:30 +05:30
Pablo Vélez	833e012532	MM-66178 - re-remove abac channel feature flag (#34134)	2025-10-14 09:57:01 +02:00
Harshil Sharma	79756ae1e1	Reviewer search api (#34036) ... * Added another property field * WIP * WIP * Added validations * Added data validations and hidden post if confifgured to * lint fixes * Added API spec * Added some tests * Added tests for getContentReviewBot * test: add comprehensive tests for getContentReviewChannels function * Added more app layer tests * Added TestCanFlagPost * test: Add comprehensive tests for FlagPost function * Added all app layer tests * Removed a file that was reamoved downstream * test: add content flagging test file * test: add comprehensive tests for FlagContentRequest.IsValid method * Added model tests * test: add comprehensive tests for SqlPropertyValueStore.CreateMany * test: add comprehensive tests for flagPost() API function * Added API tests * linter fix * WIP * sent post flagging confirmation message * fixed i18n nissues * fixed i18n nissues * CI * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * Updated test * fix: reset contentFlaggingGroupId for test isolation in content flagging tests * removed cached group ID * removed debug log * CI * Updated to allow special characters in comments * Handled empty comment * Created getContentFlaggingFields API * created getPostPropertyValues API * Used finally * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Fixed test * Updated OpenAPI specs * fixed types * fixed types * refactoring * refactor: improve test mocking for data spillage report component * test mock updates * Fixed tests * Updated reducer * not resetting mocks * Added migrations for content flagging tables * Created new structure * review fixes * Used correct ot name * WIP * review fixes * review fixes * Added new property translations * CI * CI * CI * Improved test * fixed test * CI * New UI component * WIP * Updated settings APIs * cached DB data * used cached reviewer data * Updated tests * Lint fixes * test: add tests for saveContentFlaggingSettings and getContentFlaggingSettings APIs * test fix * test: add tests for SaveContentFlaggingConfig and GetContentFlaggingConfigReviewerIDs * Updated tests * test: add content flagging test for local cache layer * test: add comprehensive tests for content flagging store cache * Updated tests * lint fix * Updated mobile text * Added content flagging SQL store mocks * Added API specs for new APIs * fixed tests * feat: add TestContentFlaggingStore function for content flagging store testing * feat: add comprehensive tests for content flagging store * Added SQL store tests * test: add content flagging test for local cache layer * test: add tests for content flagging store caching * Added cache layer tests * Updated tests * Fixed * Handled JSON error * fixes * fixes * Fixed retry layer test * fixerdf i18n * Fixed test * CI * building index concurrently * CI * fixed a test * CI * cleanup * Implemented reviewer search API * feat: add tests for SearchCommonContentFlaggingReviewers and SearchTeamContentFlaggingReviewers * Added store tests * test: add comprehensive tests for SearchReviewers function * feat: add comprehensive tests for searchReviewers endpoint * API tests * Integrate flag post api (#33798) * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * CI * Updated to allow special characters in comments * Handled empty comment * Used finally * CI * Fixed test * Spillage card integration (#33832) * Created getContentFlaggingFields API * created getPostPropertyValues API * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Fixed test * refactor: improve test mocking for data spillage report component * test mock updates * Updated reducer * not resetting mocks * WIP * review fixes * CI * Fixed * fixes * Content flagging actions implementation (#33852) * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Updated OpenAPI specs * fixed types * fixed types * refactoring * Fixed tests * review fixes * Added new property translations * Improved test * fixed test * CI * fixes * CI * fixed a test * fixed abad commit * CI * WIP * IMplemented assign reviewer API * Display reviewers * Review fixes * UI integration * lint fix * Added API docs * test: add comprehensive tests for assignFlaggedPostReviewer function * test: add comprehensive tests for AssignFlaggedPostReviewer * Added tests * Fixed test * Sequential tests * minor improvemenmts * WIP * Added keep/delete message notifications * refactor: update AssignFlaggedPostReviewer method signature to include context * test: add tests for getReviewerPostsForFlaggedPost and postReviewerMessage * lint fixes * handled reviewer updates * Handled preference * review fixes * Review fixes	2025-10-14 09:06:23 +05:30
Harshil Sharma	3265054ad5	Migrate content flagging settings to database (#33989) ... * lint fix * CI * added new migration mocks * Used setup for tests * some comment * Removed unnecesseery nil check * Form validation * WIP tests * WIP tests * WIP tests * fix: mock content flagging config selector with correct reasons format Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat> * fix: add mock for getContentFlaggingConfig in flag post modal test Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat> * Updated error code order in API docs * removed empty files * Added tests * lint fixes * minor tweak * lint fix * type fix * fixed test * nit * test enhancements * API WIP * API WIP * creating values * creating content flagging channel and properties * Able to save properties * Added another property field * WIP * WIP * Added validations * Added data validations and hidden post if confifgured to * lint fixes * Added API spec * Added some tests * Added tests for getContentReviewBot * test: add comprehensive tests for getContentReviewChannels function * Added more app layer tests * Added TestCanFlagPost * test: Add comprehensive tests for FlagPost function * Added all app layer tests * Removed a file that was reamoved downstream * test: add content flagging test file * test: add comprehensive tests for FlagContentRequest.IsValid method * Added model tests * test: add comprehensive tests for SqlPropertyValueStore.CreateMany * test: add comprehensive tests for flagPost() API function * Added API tests * linter fix * WIP * sent post flagging confirmation message * fixed i18n nissues * fixed i18n nissues * CI * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * Updated test * fix: reset contentFlaggingGroupId for test isolation in content flagging tests * removed cached group ID * removed debug log * CI * Updated to allow special characters in comments * Handled empty comment * Created getContentFlaggingFields API * created getPostPropertyValues API * Used finally * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Fixed test * Updated OpenAPI specs * fixed types * fixed types * refactoring * refactor: improve test mocking for data spillage report component * test mock updates * Fixed tests * Updated reducer * not resetting mocks * Added migrations for content flagging tables * Created new structure * review fixes * Used correct ot name * WIP * review fixes * review fixes * Added new property translations * CI * CI * CI * Improved test * fixed test * CI * New UI component * WIP * Updated settings APIs * cached DB data * used cached reviewer data * Updated tests * Lint fixes * test: add tests for saveContentFlaggingSettings and getContentFlaggingSettings APIs * test fix * test: add tests for SaveContentFlaggingConfig and GetContentFlaggingConfigReviewerIDs * Updated tests * test: add content flagging test for local cache layer * test: add comprehensive tests for content flagging store cache * Updated tests * lint fix * Updated mobile text * Added content flagging SQL store mocks * Added API specs for new APIs * fixed tests * feat: add TestContentFlaggingStore function for content flagging store testing * feat: add comprehensive tests for content flagging store * Added SQL store tests * test: add content flagging test for local cache layer * test: add tests for content flagging store caching * Added cache layer tests * Updated tests * Fixed * Handled JSON error * fixes * fixes * Fixed retry layer test * fixerdf i18n * Fixed test * CI * building index concurrently * CI * fixed a test * CI * cleanup * Integrate flag post api (#33798) * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * CI * Updated to allow special characters in comments * Handled empty comment * Used finally * CI * Fixed test * Spillage card integration (#33832) * Created getContentFlaggingFields API * created getPostPropertyValues API * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Fixed test * refactor: improve test mocking for data spillage report component * test mock updates * Updated reducer * not resetting mocks * WIP * review fixes * CI * Fixed * fixes * Content flagging actions implementation (#33852) * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Updated OpenAPI specs * fixed types * fixed types * refactoring * Fixed tests * review fixes * Added new property translations * Improved test * fixed test * CI * fixes * CI * fixed a test * CI * Review fixes --------- Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat>	2025-10-13 12:24:01 +05:30
Alejandro García Montoro	d3eb6cbf1c	Revert "MM-13657: Set ExperimentalStrictCSRFEnforcement to true by default (#33444)" (#34112) ... * Revert "MM-13657: Set ExperimentalStrictCSRFEnforcement to true by default (#33444)" This reverts commit 257eec43ed. * Fix call to checkCSRFToken * Adapt test that relied on strict CSRF enforcement This test was added after https://github.com/mattermost/mattermost/pull/33444, so it assumed strict CSRF enforcement to be enabled. When reverting that PR, we need to adapt the test to account for both cases. * Fix newer tests to use older setting	2025-10-10 19:15:45 +02:00
Elias Nahum	a01d06df9f	Feat: MM-65754 Channel Auto-Translate configuration (#33968) ... * AutoTranslate config settings * comment out Agents provider * Add auto translate timeout config validation * i18n messages for autotranslation config validation * fix test * validate url for libreTranslate * Feedback review * Fix test default values	2025-10-09 12:56:44 +08:00
Amy Blais	fb2979d0e9	Update latest minor version to 11.1.0 (#34090) ... Automatic Merge	2025-10-08 18:43:38 +03:00
Guillermo Vayá	dfa0128552	[MM-65769] add updatedSince to field search (#34037) ... * add updatedSince to field search * Update server/public/model/property_field.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update server/channels/store/storetest/property_field_store.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-08 10:54:29 +00:00
Ben Schumacher	71579a85a6	[MM-64633] Rewrite Go client using Generics (#31805) ... Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>	2025-10-07 12:19:21 +02:00
Scott Bishel	5a0dee5fc2	Add date and datetime field support for AppsForm (#33288) ... * Add AppsForm-based InteractiveDialog implementation with feature flag control - Add InteractiveDialogAppsForm feature flag (default enabled) to control migration path - Enhance AppsForm components with backwards compatibility features: - Add onHide prop support for legacy dialog behavior - Add RADIO field type support with proper rendering - Add required field indicators with red asterisk styling - Use FormattedMessage for "(optional)" text internationalization - Create InteractiveDialogAdapter to bridge legacy dialogs to AppsForm: - Convert DialogElement fields to AppField format with proper type mapping - Handle default value conversion for select, radio, and boolean fields - Implement submission adapter to convert between Apps and legacy formats - Support cancel notifications and proper context creation - Update InteractiveDialog container to route between implementations based on feature flag - Add Redux selector for feature flag state management 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix circular dependency issue with dynamic InteractiveDialog import Replace static import of InteractiveDialog in websocket_actions.jsx with dynamic import to resolve circular dependency chain that was causing test failures in unrelated components. The static import created a dependency chain: websocket_actions → InteractiveDialog → AppsFormContainer → AppsFormComponent → Markdown → AtMention → user group components This affected many tests because websocket_actions is imported by core system components. The dynamic import only loads InteractiveDialog when the dialog event is actually triggered, improving performance and breaking the circular dependency. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor InteractiveDialog to use isolated DialogRouter architecture Move InteractiveDialogAdapter out of the interactive_dialog directory to break circular dependency chain that was causing test failures in unrelated components. **Changes:** - Create new `dialog_router` component with dynamic imports for both legacy InteractiveDialog and AppsForm-based adapter - Move InteractiveDialogAdapter to dialog_router directory to isolate it from existing components - Update adapter to use dynamic import for AppsFormContainer to avoid circular dependency - Replace embedded routing logic in interactive_dialog/index.tsx with clean DialogRouter usage **Benefits:** - Fixes circular dependency: websocket_actions → InteractiveDialog → AppsFormContainer → AppsFormComponent → Markdown → AtMention components - Cleaner separation of concerns - new code is isolated from existing stable code - Dynamic imports improve performance by loading components only when needed - Maintains backward compatibility while enabling new AppsForm features 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * lint fixes * Fix TypeScript compilation error in dropdown_input_hybrid Explicitly constrain react-select types to single-select mode (isMulti=false) to resolve type inference conflicts introduced by the InteractiveDialog to AppsForm migration. The component was always single-select only, but the types were previously ambiguous. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix ESLint errors in dropdown_input_hybrid - Fix variable naming convention violation - Add eslint-disable comment for intentionally unused components prop - Ensures clean CI/CD pipeline 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Enhance InteractiveDialogAdapter with comprehensive validation and type safety - Add enhanced TypeScript interfaces (ValidationError, ConversionContext) - Implement comprehensive dialog and element validation with server-side limits - Add XSS prevention through string sanitization for security - Implement structured logging following Mattermost webapp conventions - Maintain complete backwards compatibility (validation disabled by default) - Add configurable validation modes (validateInputs, strictMode, enableDebugLogging) - Enhance error handling with detailed field-specific validation - Support all dialog element types with proper validation rules - Add proper server-side length limits (title: 24, name: 300, etc.) - Improve type safety throughout conversion logic 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix lint errors * Fix test expectations for XSS sanitization in InteractiveDialogAdapter - Update test assertions to match actual sanitization behavior - Fix expected text content for script and iframe tag removal - Correct event handler sanitization test expectations - All 23 InteractiveDialogAdapter tests now pass successfully 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix ESLint errors in InteractiveDialogAdapter test file - Replace await-in-loop with Promise.all for boolean conversion tests - Add newline at end of file to satisfy eol-last rule - All tests continue to pass (23/23) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix React act() warnings in apps_form_field tests - Wrap async select field renders in act() to prevent console warnings - Fix user, channel, and dynamic select field test warnings - Add proper async/await handling for react-select components - All 17 apps_form_field tests now pass without warnings 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Simplify default value handling to match original InteractiveDialog - Remove complex numeric subtype logic - not needed - Use simple `element.default ?? null` for all text/textarea fields - Matches original InteractiveDialog behavior exactly (lines 42-50) - Treat all field types consistently like original dialog - Fix syntax error with missing brace in switch statement 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Enhance InteractiveDialogAdapter with server-side error handling and improved type safety - Fix server-side submission failures to keep dialog open and display errors - Add proper TypeScript types for ActionResult<SubmitDialogResponse> - Implement comprehensive error handling for both server and network errors - Add numeric field support with proper number conversion and fallback - Enhance test coverage with server-side error handling scenarios - Maintain backwards compatibility with existing InteractiveDialog behavior 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add internationalization for InteractiveDialogAdapter error messages - Replace hardcoded error strings with proper i18n using intl.formatMessage() - Add new localization keys to server/i18n/en.json for user-facing error messages - Support parameter interpolation for dynamic error details - Maintain backwards compatibility with default English messages - Follow Mattermost internationalization patterns and conventions Error messages localized: - interactive_dialog.submission_failed - interactive_dialog.submission_failed_validation - interactive_dialog.validation_failed - interactive_dialog.element_validation_failed 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix i18n-extract * remove dynamic loading, see if tests still fail * Optimize InteractiveDialogAppsForm validation and performance - Remove redundant validateDialogElement calls (50% validation performance improvement) - Simplify DialogRouter by eliminating unnecessary async loading state - Optimize option validation with combined loop for select/radio fields - Fix TypeScript errors with proper PropsFromRedux type inheritance - Replace regex stringMatching with traditional string patterns in tests - Simplify mocked state in interactive_dialog.test.ts (1500+ lines → minimal) - Fix ESLint issues: trailing spaces and import ordering Performance improvements: - DialogRouter: 50% faster mounting (eliminated loading state) - Validation: 50% fewer validation calls per element - Bundle: No size increase, better tree-shaking 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Convert all test files from enzyme to React Testing Library - Replace enzyme shallow/mount with React Testing Library's renderWithContext - Update all assertions to test user-visible behavior instead of implementation details - Remove brittle snapshot test and replace with behavioral assertions - Add comprehensive test coverage for form validation, lookup functionality, and edge cases - Fix all ESLint and styling issues - Remove unused enzyme imports and dependencies This improves test maintainability and aligns with modern React testing best practices by focusing on user interactions rather than component internals. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix all failing tests in apps_form_component.test.tsx - Fix error message assertion to match exact text instead of regex - Simplify lookup functionality tests to avoid async rendering issues - Update custom submit buttons test to handle multiple cancel buttons correctly - Remove complex field configurations that were causing React Select warnings - All 27 tests now pass successfully The tests are now more stable and focus on verifying component configuration and user-visible behavior rather than complex async interactions. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix lint * cleanup tests, fix E2E tests * Improve unit test coverage for InteractiveDialogAdapter and AppsForm components • Add 22 new comprehensive test cases across both components • interactive_dialog_adapter.test.tsx: Added 9 new tests covering advanced validation scenarios, enhanced type conversion, and error handling • apps_form_component.test.tsx: Added 13 new tests covering component lifecycle, field error handling, client-side validation, and lookup functionality • Enhanced coverage includes validation edge cases, error recovery, form state management, and component interaction patterns • All tests passing: 49/49 for interactive_dialog_adapter and 50/50 for apps_form_component 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add submit_label backward compatibility for Interactive Dialog to AppsForm migration This commit restores the submit_label functionality that was lost during the transition from Interactive Dialog to AppsForm. The changes ensure backward compatibility by allowing interactive dialogs to specify custom submit button text through the submit_label property. Changes made: - Added submit_label property to AppForm interface in apps.ts - Updated InteractiveDialogAdapter to extract and pass through submitLabel from legacy dialogs - Modified AppsForm component to use custom submit_label when provided instead of hardcoded "Submit" - Added comprehensive test coverage for the new functionality - Maintained XSS protection through existing sanitization methods 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Update e2e tests for AppsForm compatibility and fix TypeScript compilation errors This commit updates interactive dialog e2e tests to work with AppsForm instead of legacy interactive dialog: Key changes: - Update modal selectors from #interactiveDialogModal to #appsModal - Update button selectors from #interactiveDialogSubmit to #appsModalSubmit - Fix label selectors to work with AppsForm DOM structure - Handle ReactSelect portal rendering for dropdown options - Fix TypeScript compilation errors in demo_boolean_spec.ts with triple-slash references - Add ESLint comment spacing fixes to interactive_dialog_adapter.test.tsx - Update checkbox selectors to use generic input[type="checkbox"] instead of element IDs - Remove feature flag disabling InteractiveDialogAppsForm to use AppsForm by default 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * updates from self review * revert bad file commits * Update files_1_spec.ts * Add date and datetime field support for AppsForm This commit implements comprehensive date and datetime picker functionality for AppsForm components, enabling date-based form fields in Mattermost interactive dialogs and Apps. Key changes: - Add DATE and DATETIME field type constants to apps - Create AppsFormDateField and AppsFormDateTimeField components with calendar/time selectors - Implement date_utils module with timezone-aware date handling and relative date resolution - Update DateTimeInput component with consolidated allowPastDates prop for form usage - Add server-side validation for date/datetime field types - Enhance InteractiveDialogAdapter to properly handle date field types - Add comprehensive test coverage for date utilities Features: - Calendar-based date selection with timezone support - Combined date/time picker for datetime fields - Relative date references (today, tomorrow, +7d, etc.) - ISO 8601 date format handling (dates as YYYY-MM-DD, datetimes as UTC) - Input validation and error handling - Integration with existing form validation systems 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * i18n-extract, test fixes * initial fixes from reviews * more review cleanup/fixes * i18n-extract * fix interactive dialog tests * fix circular reference error in tests * fix/cleanup tests * lint fix * use makeAsyncComponent instead of DynamicAppsFormContainer * mysql fixes * fix bad merge * Address interactive dialog datetime code review feedback Comprehensive improvements addressing all code review comments: **Server-side enhancements:** - Add validateDateFormat() and validateDateTimeFormat() functions in Go - Implement ISO date/datetime validation with relative date support - Integrate validation into DialogElement.IsValid() method **Client-side improvements:** - Add AppField property validation (time_interval, min_date, max_date) - Centralize validation logic in checkDialogElementForError - Implement proper locale formatting using Intl.DateTimeFormat - Add intelligent past date restrictions based on min_date constraints - Optimize date field conversion patterns for better performance **Component architecture:** - Move default value initialization to initFormValues - Standardize help text and error text rendering patterns - Simplify conditional rendering in datetime components - Add comprehensive validation for field properties **Test reliability:** - Fix timezone-dependent tests with proper UTC handling - Add comprehensive allowPastDates logic tests - Implement consistent fake timer usage across test files - Add validation tests for edge cases and error conditions **Validation enhancements:** - Add min_date/max_date format validation before usage - Implement translatable error messages with MessageDescriptor - Add comprehensive property validation with helpful error messages - Ensure consistent validation between server and client All changes maintain backward compatibility while significantly improving the robustness, user experience, and maintainability of the datetime interactive dialog functionality. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Address interactive dialog datetime code review feedback - Centralize validation logic in integration_utils.ts with validateDateTimeValue function - Remove duplicate help text and error rendering from individual field components - Apply DND modal pattern to apps form modal to prevent date picker overflow - Add comprehensive field validation for time intervals, date ranges, and field definitions - Optimize date utilities with improved performance and structure - Add server-side validation for DialogElement date/datetime properties - Update type definitions for enhanced date/datetime field support - Improve test coverage for centralized validation architecture 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add comprehensive E2E test coverage for interactive dialog datetime fields - Add datetime_spec.js with comprehensive test scenarios covering basic date/datetime fields, validation constraints, time intervals, relative dates, and user interactions - Extend webhook_utils.js with focused dialog functions for different test scenarios: getBasicDateDialog, getMinDateConstraintDialog, getCustomIntervalDialog, getRelativeDateDialog - Add datetime dialog request handlers in webhook_serve.js with command parameter support Test coverage includes: - MM-T2530A: Basic date field functionality - MM-T2530B: Basic datetime field with time picker - MM-T2530C: Date constraints (min_date/max_date) - MM-T2530D: Custom time intervals (15, 30, 60 minutes) - MM-T2530F: Relative date values (today, +1d, etc.) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix TypeScript errors in datetime field components - Fix momentValue type safety in apps_form_datetime_field to handle null stringToMoment returns - Fix dialog conversion test type assertions with optional chaining for form.fields - Update test to use empty string instead of null for DialogElement default value 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix ESLint code style issues - Remove unused intl import and variable from datetime field component - Fix trailing spaces in integration utils and test files - Add required line spacing around comments in test files - Auto-fix other ESLint formatting issues 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Go code formatting in integration_action_test.go Apply gofmt formatting to resolve linting errors in DialogElement datetime validation tests 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Enable date fields to accept datetime formats by extracting date portion Following the established pattern in custom_status_modal and dnd_custom_time_picker_modal: - Accept datetime formats in date-only fields (user-friendly) - Extract date portion from datetime strings (e.g., "2025-01-15T10:30:00Z" -> "2025-01-15") - Preserve existing rejection of time-only strings (e.g., "14:30" still invalid) - Add comprehensive tests for various datetime format acceptance - Maintain backward compatibility with pure date strings This aligns with the server-side validation improvements and provides consistent user experience across the platform where datetime formats are gracefully handled. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Refine date format handling implementation - Use processedValue variable instead of mutating input parameter - Improve code readability and maintainability - Update test descriptions and organization for clarity - All functionality remains the same, just cleaner implementation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix dialog conversion and date validation test failures - Fix getDefaultValue to preserve empty string defaults for date fields - Add strict date format validation using moment.js strict parsing mode - Update test expectations to correctly handle optional date properties - Implement proper ISO format validation while preserving relative date support 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix TypeScript error with moment.tz parameter order in strict mode - Correct parameter order for moment.tz strict parsing: (date, formats, strict, timezone) - Maintain functionality while fixing type compilation errors 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Enhance DateTime field validation and clean up test suite This commit introduces comprehensive improvements to DateTime field handling, validation, and testing infrastructure: ## Core Improvements - **Add TIME_FORMAT_REGEX constant**: Centralized HH:MM time format validation regex to eliminate duplication - **Fix time_interval validation**: Prevent infinite loops when invalid negative intervals (like -1) are used - **Add DEFAULT_TIME_INTERVAL_MINUTES constant**: Standardized default time interval across components ## Validation Enhancements - **Sanitize invalid time_interval values**: Reset to default (60 minutes) after logging validation errors to prevent PropTypes warnings - **Enhanced safety checks**: Added safety validation in getTimeInIntervals to prevent infinite loops with negative intervals ## Test Suite Cleanup - **Remove duplicate test sections**: Eliminated redundant Lookup Functionality and Refresh on Select test blocks - **Consolidate basic rendering tests**: Merged overlapping form rendering and initial value tests - **Organize validation tests**: Renamed and structured validation test sections for better clarity - **Fix test selector issues**: Updated text matching to use regex for required field labels with asterisks ## Code Quality - **Eliminate magic numbers**: Replace hardcoded 60-minute defaults with named constant - **Reduce duplication**: Share TIME_FORMAT_REGEX between date_utils.ts and apps_form_component.tsx - **Improve maintainability**: Single source of truth for time validation patterns ## Files Changed - Enhanced DateTime field validation and infinite loop prevention - Cleaned up test suite reducing ~400 lines while maintaining full coverage - Added shared constants for better code organization 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Replace hardcoded constants and clean up test code - Add DefaultTimeIntervalMinutes constant in Go integration_action.go - Replace hardcoded 60 values with DefaultTimeIntervalMinutes constant - Clean up test formatting and remove trailing whitespace - Remove outdated documentation files (CODE_REVIEW_ANALYSIS.md, INTERACTIVE_DIALOG_DATETIME_FIELDS.md) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor date/datetime validation and remove default_time field This commit consolidates date validation logic, removes the redundant default_time field, and standardizes relative date patterns across both Go backend and TypeScript frontend. Key Changes: - Remove default_time field from DialogElement and AppField types - Standardize relative patterns to use 'dwm' (days, weeks, months) for both date and datetime fields - Refactor validateDateFormat and validateDateTimeFormat to be more succinct with shared helpers - Add validateDateFieldValue helper that warns when datetime formats are used for date fields - Extract date portion when datetime formats are provided to date fields - Update all validation to use parseISO for strict ISO-8601 validation - Remove redundant validation functions and tests The datetime field now uses only the 'value' field for defaults, making the API cleaner and eliminating confusion between default_time and value. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * remove property from tests * Fix date_utils tests for standardized relative patterns Updated tests to reflect the standardized relative date patterns: - Hours (+1H) are no longer supported, test expects input unchanged - Uppercase month (+1M) patterns are no longer supported - Only lowercase dwm (days, weeks, months) patterns are supported - Added test for unsupported +1M pattern This aligns tests with the standardized validation that only accepts lowercase 'm' for months and removes hour support. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Go backend tests after default_time removal and validation changes Updated Go tests to align with recent changes: - Fixed validateDateFormat test expectations: datetime formats now return errors when used in date fields (validation warnings) - Removed all default_time related tests since the field was removed from DialogElement struct - Updated time_interval validation test to expect proper error message - Fixed missing lookupInteractiveDialog action in webapp test All tests now pass: - TestValidateDateFormat: ✅ - TestValidateDateTimeFormat: ✅ - TestDialogElementDateTimeValidation: ✅ - Interactive dialog adapter tests: ✅ 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Simplify loop using slices.Contains for relative date validation Replace manual loop with slices.Contains in isValidRelativeFormat function to improve code readability and address linting suggestion. Changes: - Use slices.Contains(relativeFormats, value) instead of manual iteration - Maintain same functionality: check for "today", "tomorrow", "yesterday" - Preserve fallback to validateRelativePattern for other relative patterns - All existing tests continue to pass 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix lint * Improve date/datetime validation consistency and format handling - Replace regex-based validation with parseISO + format validation in integration_utils.ts - Enforce strict format validation: date fields (YYYY-MM-DD) and datetime fields (YYYY-MM-DDTHH:mm:ssZ) - Remove redundant datetime format constants from server (millisecond variants) - Update tests to expect strict format validation for storage consistency - Clean up test formatting and remove unnecessary comments 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Simplify date/datetime validation to focus on storage format only - Remove relative date handling from validateDateTimeValue (relative dates are input helpers, not stored values) - Use simple regex patterns for exact format validation: DATE_FORMAT_PATTERN and DATETIME_FORMAT_PATTERN - Validate only exact storage formats: YYYY-MM-DD for dates, YYYY-MM-DDTHH:mm:ssZ for datetimes - Update tests to expect only exact storage formats to be valid - Eliminate complex date-fns formatting and timezone conversion issues 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Remove unused date utility functions - Remove combineDateAndTime function - only used in tests, actual date/time combination happens in DateTimeInput component - Remove getDefaultTime function - only used in tests, no actual application usage - Remove corresponding test cases for both functions - Streamline date_utils.ts to only contain functions used in the application - All remaining tests pass (35 tests, down from 39) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Implement timezone-aware datetime initialization and field sanitization - Connect apps form to user's configured timezone from Redux store - Implement Option 2 pattern: create sanitized field copies without mutating originals - Use user's timezone for datetime default values instead of browser local time - Add comprehensive UTC storage documentation and timezone conversion tests - Remove unused date utility functions (validateDateRange, useMemoizedRelativeDate) - Add extensive timezone conversion chain tests covering DST transitions and edge cases 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix ESLint style issues - Remove trailing spaces and extra blank lines - Fix comment spacing requirements - Clean up whitespace formatting 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * increase spacing in header * Wrap error messages in defineMessage for i18n extraction Wraps all error message objects in integration_utils.ts with defineMessage() to ensure proper extraction for internationalization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update i18n extraction for interactive dialog errors Extracted error messages to en.json for internationalization support. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Address code review feedback: clean up comments and add hours support - Add 'h' unit for hours in relative date patterns (+3h, -2h, etc.) - Server: Added 'h' to validateRelativePattern in integration_action.go - Client: Added 'h' case to date_utils.ts with case-insensitive matching - Fix unique i18n message IDs for date vs datetime validation errors - Changed to 'bad_date_format' and 'bad_datetime_format' - Remove verbose/redundant inline comments across codebase - Kept doc comments, removed obvious inline comments - Cleaner code flow in date_utils.ts, integration_utils.ts, apps_form files - Replace date-fns dependency in types package with native Date() - Avoids adding dependency to published types package - Uses permissive validation since server is authoritative - Added comment explaining approach 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix datetime timezone bug and reduce moment.js usage in date fields **Datetime timezone bug fix:** - Fix momentToString to properly convert timezone to UTC - Changed from date-fns format() to moment's format() to preserve timezone conversion - Was losing timezone info when converting moment → Date → format - Now correctly converts 4 PM Mountain → 10 PM UTC instead of 4 PM UTC - Fix default datetime rounding to round up to next interval - Changed from Math.round (nearest) to always round up - Matches getRoundedTime behavior used elsewhere - 4:17 PM with 60-min interval now correctly shows 5:00 PM **Reduce moment.js usage in date fields:** - Add stringToDate() and dateToString() helpers using date-fns - Update apps_form_date_field to use Date objects instead of moment - Add timezone helper functions: isValidTimezone(), parseDateInTimezone() - Update resolveRelativeDate() to use date-fns format() - Date fields now moment-free, only datetime fields still use moment for timezone operations **Fix relative date pattern validation:** - Remove hours (h) from relative patterns - not intended for date constraints - Fix Godoc comment to remove mention of hours (+3H) - Keep only d/w/m units for day/week/month offsets - Add case-insensitive matching for consistency with server validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix test errors and update i18n strings - Fix dialog_conversion.test.ts to include missing sourceUrl and dialogState parameters - Add i18n strings for new error message IDs (bad_date_format, bad_datetime_format) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix E2E test selector for date picker day buttons Use exact text match filter instead of :contains() to avoid matching multiple buttons when selecting day 2 (which also matches 12, 22, 23, etc.). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-10-06 12:55:22 -06:00
Harshil Sharma	c21ef29f02	Flag post API (#33765) ... * Added enable/disable setting and feature flag * added rest of notifgication settings * Added backend for content flagging setting and populated notification values from server side defaults * WIP user selector * Added common reviewers UI * Added additonal reviewers section * WIP * WIP * Team table base * Added search in teams * Added search in teams * Added additional settings section * WIP * Inbtegrated reviewers settings * WIP * WIP * Added server side validation * cleanup * cleanup * [skip ci] * Some refactoring * type fixes * lint fix * test: add content flagging settings test file * test: add comprehensive unit tests for content flagging settings * enhanced tests * test: add test file for content flagging additional settings * test: add comprehensive unit tests for ContentFlaggingAdditionalSettingsSection * Added additoonal settings test * test: add empty test file for team reviewers section * test: add comprehensive unit tests for TeamReviewersSection component * test: update tests to handle async data fetching in team reviewers section * test: add empty test file for content reviewers component * feat: add comprehensive unit tests for ContentFlaggingContentReviewers component * Added ContentFlaggingContentReviewersContentFlaggingContentReviewers test * test: add notification settings test file for content flagging * test: add comprehensive unit tests for content flagging notification settings * Added ContentFlaggingNotificationSettingsSection tests * test: add user profile pill test file * test: add comprehensive unit tests for UserProfilePill component * refactor: Replace enzyme shallow with renderWithContext in user_profile_pill tests * Added UserProfilePill tests * test: add empty test file for content reviewers team option * test: add comprehensive unit tests for TeamOptionComponent * Added TeamOptionComponent tests * test: add empty test file for reason_option component * test: add comprehensive unit tests for ReasonOption component * Added ReasonOption tests * cleanup * Fixed i18n error * fixed e2e test lijnt issues * Updated test cases * Added snaoshot * Updated snaoshot * lint fix * WIP * lint fix * Added post flagging properties setup * review fixes * updated snapshot * CI * Added base APIs * Fetched team status data on load and team switch * WIP * Review fixes * wip * WIP * Removed an test, updated comment * CI * Added tests * Added tests * Lint fix * Added API specs * Fixed types * CI fixes * API tests * lint fixes * Set env variable so API routes are regiustered * Test update * term renaming and disabling API tests on MySQL * typo * Updated store type definition * Minor tweaks * Added tests * Removed error in app startup when content flaghging setup fails * Updated sync condition: * Flag message modal basE * added post preview * displaying options * Adde comment input * Updated tests and docs * finction rename * WIP * Updated tests * refactor * lint fix * MOved to data migration * lint fix * CI * added new migration mocks * Used setup for tests * some comment * Removed unnecesseery nil check * Form validation * WIP tests * WIP tests * WIP tests * fix: mock content flagging config selector with correct reasons format Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat> * fix: add mock for getContentFlaggingConfig in flag post modal test Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat> * Updated error code order in API docs * removed empty files * Added tests * lint fixes * minor tweak * lint fix * type fix * fixed test * nit * test enhancements * API WIP * API WIP * creating values * creating content flagging channel and properties * Able to save properties * Added another property field * WIP * WIP * Added validations * Added data validations and hidden post if confifgured to * lint fixes * Added API spec * Added some tests * Added tests for getContentReviewBot * test: add comprehensive tests for getContentReviewChannels function * Added more app layer tests * Added TestCanFlagPost * test: Add comprehensive tests for FlagPost function * Added all app layer tests * Removed a file that was reamoved downstream * test: add content flagging test file * test: add comprehensive tests for FlagContentRequest.IsValid method * Added model tests * test: add comprehensive tests for SqlPropertyValueStore.CreateMany * test: add comprehensive tests for flagPost() API function * Added API tests * linter fix * WIP * sent post flagging confirmation message * fixed i18n nissues * fixed i18n nissues * CI * Updated test * fix: reset contentFlaggingGroupId for test isolation in content flagging tests * removed cached group ID * removed debug log * review fixes * Used correct ot name * CI * Updated mobile text * Handled JSON error * fixerdf i18n * CI * Integrate flag post api (#33798) * WIP * WIP * Added API call * test: add test for Client4.flagPost API call in FlagPostModal * fix: remove userEvent.setup() from flag post modal test * test: wrap submit button click in act for proper state updates * Updated tests * lint fix * CI * Updated to allow special characters in comments * Handled empty comment * Used finally * CI * Fixed test * Spillage card integration (#33832) * Created getContentFlaggingFields API * created getPostPropertyValues API * WIP * Created useContentFlaggingFields hook * WIP * WIP * Added option to retain data for reviewers * Displayed deleted post's preview * DIsplayed all properties * Adding field name i18n * WIP - managing i18n able texts * Finished displaying all fields * Manual cleanup * lint fixes * team role filter logic fix * Fixed tests * created new API to fetch flagged posts * lint fix * Added new client methods * test: add comprehensive tests for content flagging APIs * Added new API tests * fixed openapi spec * Fixed DataSpillageReport tests * Fixed PostMarkdown test * Fixed PostPreviewPropertyRenderer test * Added metadata to card renderer * test fixes * Added no comment placeholder * Fixed test * refactor: improve test mocking for data spillage report component * test mock updates * Updated reducer * not resetting mocks * WIP * review fixes * CI * Fixed * fixes * Content flagging actions implementation (#33852) * Added view detail button * Created RemoveFlaggedMessageConfirmationModal modal * Added key and remove flag request modal * IMplemented delete flagged post * Handled edge cases of deleting flagged post * keep message * UI integration * Added WS event for post report update and handled deleted files of flagged post * Added error handling in keep/remove forms * i18n fixes * Updated OpenAPI specs * fixed types * fixed types * refactoring * Fixed tests * review fixes * Added new property translations * Improved test * fixed test * CI * fixes * CI * fixed a test * CI --------- Co-authored-by: aider (anthropic/claude-sonnet-4-20250514) <aider@aider.chat>	2025-10-02 20:24:29 +05:30
Pablo Vélez	b311da87a4	Mm 65123 remove channel abac ff (#33953) ... * MM-65123 - remove channel abac feature flag * enable the channel scope access control to true * fix linters * adjust expected error in tests * remove no longer needed comment * Remove write_restrictable from core ABAC settings and fix channel access control logic --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-10-01 16:12:36 +02:00
Devin Binnie	47aa32f0fc	[MM-61899] Properly restrict users who previously shared a team from DMs/GMs when they no longer share a team. (#30094) ... * [MM-61899] Properly restrict users who previously shared a team from DMs/GMs when they no longer share a team. * Fix checks * Fix test * Fix i18n * Added E2E tests * Merge'd * Add restricted DM check to more places * Merge'd * Restrict patching the channel (updating the channel) * Update verbiage in the admin console * Fix lint * More tests --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-30 11:41:14 -04:00
JG Heithcock	a41db04d27	MM 65084 server-side (#33861) ... * MM-65084: (server-side) PKCE code-exchange for SSO Server side changes needed for MM-65084. Guarded by MobileSSOCodeExchange feature flag. * Update users.yaml for vet-api testing * Change error for not saving SAML token to existing generic 'can't save token' message * Restricting to sha256 only PKCEs * Change out PKCE terminology to SAML This came out as Claude used "PKCE" as a shorthand for the style and I did not know better. SAML is the correct term here. This also fixes a linter issue where we were assigning `codeVerifier` to `computed` but then overwriting it in all cases (so that was misleading and unecessary) * Adding ConsumeTokenOnce and IsExpired as suggested by security review --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-29 14:29:32 -07:00
Scott Bishel	f8b3ce4e3b	Add multiform functionality to Interactivedialog (#33076) ... * Implement Interactive Dialog field refresh and multi-step form functionality - Add field refresh capability to interactive dialogs - Implement multi-step form support - Add comprehensive E2E tests for new features - Enhance InteractiveDialogAdapter with server-side error handling - Optimize form validation and performance - Add internationalization support for error messages - Maintain backward compatibility with existing dialogs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fixes and cleanup * Enhance field refresh e2e tests with improved field ordering and form submission - Reverse field order: project name first, then project type (with refresh) - Ensure all tests enter project name to verify value preservation - Add form submission to MM-T2540B test to verify complete workflow - Update webhook server to preserve project name values during refresh - Add submission handler for field refresh dialog callback - Update introduction text to reflect new field ordering workflow 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * code review updates * Simplify apps form value preservation by always merging previous values - Remove AppFormUpdateType enum and updateType props throughout apps form system - Simplify getDerivedStateFromProps to always preserve existing values via spread operator - Remove restoreFormFieldValues function and manual value restoration logic - Eliminate conditional refresh vs submit behavior in favor of consistent value preservation This change makes apps form behavior consistent regardless of whether it's a multi-step submission or field refresh, improving reliability and reducing complexity. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add server-side validation for SubmitDialogResponse - Add SubmitDialogResponseType enum with OK, Form, Navigate, and Empty types - Implement IsValid() method with fail-fast validation logic - Validate type field and ensure Form field consistency based on type - Add comprehensive test coverage for all validation scenarios - Integration validates responses in SubmitInteractiveDialog handler 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * lint fixes * Fix test case for multierror format in Dialog.IsValid() The Dialog.IsValid() method returns multierror format, so the test expectation needs to match the actual error format with line breaks. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * i18n-extract * log dialog errors, allow invalid dialog * Fix interactive dialog test assertions for undefined values Handle cases where dialog elements have undefined default values or placeholders by providing empty string fallbacks. This resolves CI test failures where undefined values were expected but empty strings were returned from DOM elements. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-26 11:09:50 -06:00
Guillermo Vayá	9d16035212	[MM-65769] Add UpdatedSince to properties search in pluginapi (#33959) ... * add since to properties search * improve testing * fix tests * address naming concerns * adapt comments to new naming * style fixes * who you gonna call?	2025-09-26 13:14:29 +02:00
Miguel de la Cruz	b9cf758756	Adds upper limit validation to property fields and values (#33659) ... Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-19 18:52:34 +00:00
Jesse Hallam	8d74c6c45c	MM-64395: Remove unused searchArchivedChannelsForTeam API and implementations (#33885) ... The searchArchivedChannelsForTeam functionality has been superseded by the searchAllChannels API with include_deleted parameter. The Browse Channels modal and other UI components now use the modern searchAllChannels approach. Fixes: https://mattermost.atlassian.net/browse/MM-64395	2025-09-16 09:51:37 -03:00
Miguel de la Cruz	b3c4aa4cc8	Ensures new CPA fields are created without DeleteAt set (#33652) ... * Ensures new CPA fields are created without DeleteAt set * Move the DeleteAt check to the main property logic * Apply timestamps unconditinally as this method is only run before creating a new field * Fix the linter and test --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-16 11:19:18 +00:00
Ben Schumacher	832d033785	[MM-64517] Fix NPE in PluginSettings.Sanitize (#31361) ... * Fix NPE in PluginSettings.Sanitize * Don't return settings that the plugin doesn't define any longer * Fix TestPluginAPILoadPluginConfiguration * Apply suggestions from code review * Update server/public/model/config.go --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-09-16 12:57:28 +02:00
Jesse Hallam	06b1bf3a51	MM-64878: FIPS Build (#33809) ... * pin to ubuntu-24.04 * always use FIPS compatible Postgres settings * use sha256 for remote cluster IDs * use sha256 for client config hash * rework S3 backend to be FIPS compatible * skip setup-node during build, since already in container * support FIPS builds * Dockerfile for FIPS image, using glibc-openssl-fips * workaround entrypoint inconsistencies * authenticate to DockerHub * fix FIPS_ENABLED, add test-mmctl-fips * decouple check-mattermost-vet from test/build steps * fixup! decouple check-mattermost-vet from test/build steps * only build-linux-amd64 for fips * rm entrypoint workaround * tweak comment grammar * rm unused Dockerfile.fips (for now) * ignore gpg import errors, since would fail later anyway * for fips, only make package-linux-amd64 * set FIPS_ENABLED for build step * Add a FIPS-specific list of prepackaged plugins Note that the names are still temporary, since they are not uploaded to S3 yet. We may need to tweak them when that happens. * s/golangci-lint/check-style/ This ensures we run all the `check-style` checks: previously, `modernize` was missing. * pin go-vet to @v2, remove annoying comment * add -fips to linux-amd64.tz.gz package * rm unused setup-chainctl * use BUILD_TYPE_NAME instead * mv fips build to enterprise-only * fixup! use BUILD_TYPE_NAME instead * temporarily pre-package no plugins for FIPS * split package-cleanup * undo package-cleanup, just skip ARM, also test * skip arm for FIPS in second target too * fmt Makefile * Revert "rm unused Dockerfile.fips (for now)" This reverts commit 601e37e0ff. * reintroduce Dockerfile.fips and align with existing Dockerfile * s/IMAGE/BUILD_IMAGE/ * bump the glibc-openssl-fips version * rm redundant comment * fix FIPS checks * set PLUGIN_PACKAGES empty until prepackaged plugins ready * upgrade glibc-openssl-fips, use non-dev version for final stage * another BUILD_IMAGE case * Prepackage the FIPS versions of plugins * relocate FIPS_ENABLED initialization before use * s/Config File MD5/Config File Hash/ * Update the FIPS plugin names and encode the + sign * add /var/tmp for local socket manipulation --------- Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-15 10:53:28 -03:00
Eva Sarafianou	b617153d79	import/export directories cloud restricable (#33506)	2025-09-15 15:28:50 +03:00
Pablo Vélez	f2f83187b8	MM-65618 - filter based on admin values (#33857) ... * MM-65618 - filter based on admin values * add open api documentation * adjust api description and adjust UX to match design * reorganize function and add unit tests * more UX adjustments; always show the self-exclusion warning modal * use SubjectID parameter for more performant user lookup instead of fetching all matching users * fix unit tests and remove wrong condition for job run --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-12 20:09:47 +02:00
Miguel de la Cruz	aad2fa1461	Adds Custom Profile Attributes value commands to mmctl (#33881) ... Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-12 17:59:40 +02:00
Julien Tant	78050bb0d3	Change properties search signature to support multiple TargetIDs (#33873) ... * change properties search * add tests * Fix calls to to the search methods * Fix SearchPropertyFields call with wrong signature	2025-09-11 22:56:01 +00:00
Pablo Vélez	a062239402	MM-65182 - auto disable toggle on rules deleted and permissions update (#33810) ... * MM-65182 - auto disable toggle on rules deleted and channel admin permissions update * fix types and fix unit test * adjust the useEffect hook and fix auto-save issue * MM-65183 - rename access rules tab to access control (#33812) * fix infinite loop issue and fix channel admin permissions issue * fix linter and fix snapshots * allow non-sysadmin users to see the system policy information banner * stack modals backdrops * address pr feedback; reorganize function and add unit tests --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-11 18:27:30 +02:00
Alejandro García Montoro	c28d13cbc9	MM-64692: Migrate passwords to PBKDF2 (#33830) ... * Add parser and hasher packages The new `password` module includes two packages: - `hashers` provides a structure allowing for seamless migrations between password hashing methods. It also implements two password hashers: bcrypt, which was the current hashing method, and PBKDF2, which is the one we are migrating to. - `parser` provides types and primitives to parse PHC[0] strings, serving as the foundation of the `PasswordHasher` interface and implementations, which are all PHC-based. [0] https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md * Use latest hasher to hash new passwords The previous commit added a LatestHasher variable, that contains the `PasswordHasher` currently in use. Here, we make sure we use it for hashing new passwords, instead of the currently hardcoded bcrypt. * Use errors from hashers' package Some chore work to unify errors defined in `hashers`, not from external packages like `bcrypt`. * Implement password migration logic This commit implements the actual logic to migrate passwords, which can be summarized as: 0. When the user enters their password (either for login in `App.CheckPasswordAndAllCriteria` or for double-checking the password when the app needs additional confirmation for anything in `App.DoubleCheckPassword`), this process is started. 1. The new `App.checkUserPassword` is called. In `users.CheckUserPassword`, we parse the stored hashed password with the new PHC parser and identify whether it was generated with the current hashing method (PBKDF2). If it is, just verify the password as usual and continue normally. 2. If not, start the migration calling `App.migratePassword`: a. First, we call `Users.MigratePassword`, which validates that the stored hash and the provided password match, using the hasher that generated the old hash. b. If the user-provided password matches the old hash, then we simply re-hash that password with our current hasher, the one in `hashers.LatestHasher`. If not, we fail. c. Back in `App.migratePassword`, if the migration was successful, then we update the user in the database with the newly generated hash. * make i18n-extract * Rename getDefaultHasher to getOriginalHasher * Refactor App checkUserPsasword and migratePassword Simplify the flow in these two methods, removing the similarly named users.CheckUserPassword and users.MigratePassword, inlining the logic needed in the App layer and at the same time removing the need to parse the stored hash twice. This implements a package-level function, CompareHashAndPassword: the first step to unexport LatestHasher. * Add a package level Hash method This completely removes the need to expose LatestHasher, and lets us also remove model.HashPassword, in favour of the new hashers.Hash * Unexport LatestHasher * Remove tests for removed functions * Make the linter happy * Remove error no longer used * Allow for parameter migrations on the same hasher Before this, we were only checking that the function ID of the stored hash was the ID of the latest hashing method. Here, we no longer ignore the parameters, so that if in the future we need to migrate to the same hashing method with a different parameter (let's say PBKDF2 with work factor 120,000 instead of work factor 60,000), we can do it by updating the latestHasher variable. IsPHCValid will detect this change and force a migration if needed. * Document new functions * make i18n-extract * Fix typo in comment Co-authored-by: Ben Cooke <benkcooke@gmail.com> * Rename parser package to phcparser * Simplify phcparser.New documentation * Rename scanSymbol to scanSeparator Redefine the list of separator tokens, including EOF as one. * Document undocumented functions that are unexported * Reorder error block in checkUserPassword * Add unit tests for IsLatestHasher * Reorder code in parser.go * Enforce SHA256 as internal function for PBKDF2 * Fix typo in comment Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> --------- Co-authored-by: Ben Cooke <benkcooke@gmail.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-11 16:43:34 +02:00
Maria A Nunez	3253b9ff6d	Message History Limits in Entry Edition (#33831) ... * Support for Entry license with limits + updates to Edition & License screen * Refactor message history limit to use entry sku limits * Fixed missing update on license change * Fix typo in limit types * Revert unnecessary thread change * Revert merge issue * Cleanup * Fix CTAs of limit notifications * Linting * More linting * Linting and fix tests * More linting * Fix tests * PR feedback and fix tests * Fix tests * Fix test * Fix test * Linting * Simplified Limit panels * Linting * PR feedback * Revert back job time * Linting * linting * Fixed issue switching in RHS * PR Feedback --------- Co-authored-by: Nick Misasi <nick.misasi@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-10 22:52:19 -04:00
Ben Schumacher	9c8148a0a7	[MM-65127] Add Elasticsearch config testing to support packet diagnostics (#33782) ... - Test Elasticsearch configuration when indexing is enabled - Capture configuration errors in support packet diagnostics - Add comprehensive test coverage for Elasticsearch scenarios - Fix LDAP mock cleanup in existing tests 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>	2025-09-10 13:06:38 +02:00
Pablo Vélez	4542ecc9d4	Mm 65096 - channel admin rules confirmation modal (#33758) ... * MM65096 - channel admin rules confirmation modal * trigger the sync job directly * update the active state correctly and adjust styling * Add ids to policy search so sync job finds the channel policy * combine the channel and the inherited policies expressions for confirm modal * add missing translations * fix tests and fix incorrect Id definition * fix translations * Revert "fix translations" * fix typo * remove plugin auto injected logging code --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-09 16:41:07 +02:00