* Validate that RefreshedToken differs from original invite token in remote cluster confirmation
* Add unit test for MM-67098
---------
Co-authored-by: JG Heithcock <jgheithcock@gmail.com>
* Add single-channel guests filter and channel count column to System Console Users
- Add guest_filter query parameter to Reports API with store-level
filtering by guest channel membership count (all, single_channel,
multi_channel)
- Add channel_count field to user report responses and CSV exports
- Add grouped guest role filter options in the filter popover
- Add toggleable Channel count column to the users table
- Add GuestFilter and SearchTerm to Go client GetUsersForReporting
- Add tests: API parsing, API integration, app job dedup, webapp utils,
E2E column data rendering
Made-with: Cursor
* Fix gofmt alignment and isolate guest store tests
- Align GuestFilter constants to satisfy gofmt
- Move guest user/channel setup into a nested sub-test to avoid
breaking existing ordering and role filter assertions
Made-with: Cursor
* Exclude archived channels from guest filter queries and ChannelCount
The ChannelMembers subqueries for guest_filter (single/multi channel)
and the ChannelCount column did not join with Channels to check
DeleteAt = 0. Since channel archival soft-deletes (sets DeleteAt) but
leaves ChannelMembers rows intact, archived channel memberships were
incorrectly counted, potentially misclassifying guests between
single-channel and multi-channel filters and inflating ChannelCount.
- Join ChannelMembers with Channels (DeleteAt = 0) in all three
subqueries in applyUserReportFilter and GetUserReport
- Add store test covering archived channel exclusion
- Tighten existing guest filter test assertions with found-flags
and exact count checks
Made-with: Cursor
* Exclude DM/GM from guest channel counts, validate GuestFilter, fix dropdown divider
- Scope ChannelCount and guest filter subqueries to Open/Private channel
types only (exclude DM and GM), so a guest with one team channel plus
a DM is correctly classified as single-channel
- Add GuestFilter validation in UserReportOptions.IsValid with
AllowedGuestFilters whitelist
- Add API test for invalid guest_filter rejection (400)
- Add store regression test for DM/GM exclusion
- Fix role filter dropdown: hide the divider above the first group
heading via CSS rule on DropDown__group:first-child
- Update E2E test label to match "Guests in a single channel" wording
Made-with: Cursor
* Add store test coverage for private and GM channel types
Private channels (type P) should be counted in ChannelCount and guest
filters, while GM channels (type G) should not. Add a test that creates
a guest with memberships in an open channel, a private channel, and a
GM, then asserts ChannelCount = 2, multi-channel filter includes the
guest, and single-channel filter excludes them.
Made-with: Cursor
* Add server i18n translation for invalid_guest_filter error
The new error ID model.user_report_options.is_valid.invalid_guest_filter
was missing from server/i18n/en.json, causing CI to fail.
Made-with: Cursor
* Make filter dropdown dividers full width
Remove the horizontal inset from grouped dropdown separators so the
system user role filter dividers span edge to edge across the menu.
Leave the unrelated webapp/package-lock.json change uncommitted.
Made-with: Cursor
* Optimize guest channel report filters.
Use per-user channel count subqueries for the single- and multi-channel guest filters so the report avoids aggregating all channel memberships before filtering guests.
* COmposing messages with redacted URLs
* Handled non member channels
* Some refinements
* Optimizations
* lint fixes
* cleaned up hasObfuscatedSlug test
* Fixed a test
* Added system console setting
* WIP
* fixed channel seelection double selection bug
* LInt fixes
* i18n fixes
* fixed test
* CI
* renamed setting
* lint fixes
* lint fixes
* WIP
* Combined TeamSignupDisplayNamePage and TeamUrl component into a single CreateTeamForm component
* Converted CreateTeamForm to functional component
* Refactored to mnake code cleaner
* Handle team creation with setting enabled
* Skipped team URL step if secure URL feature is enabled
* Managed button text and steps in team creation flow
* lint fixes
* Don't register team URL path when using secure URL
* Display team display name instead of name in system console top nav bar
* Fixed tests
* Fixed coderabbit issues
* Fixed type errors
* Optimization
* improvements
* Handled API errors during team creation when using secure URL setting
* Some refinements
* Added test
* Updaetd tests, and trimming when reading instead of writing
* Added tests for new components
* Added BackstageNavbar tests
* Restored package lock
* lint fix
* Updaetd plugin API
* Updated team creation tests
* Added tests for ChannelNameFormField
* Added plugin API tests
* Updated API terst
* Review fixes
* Added test for ConvertGmToChannelModal component
* Added EA license check for secure urls feature
* restored package lock
* Fixed GM conversion test
* Fixed team creation tests
* remove message composition changes
* remove message composition changes
* remove message composition changes
* restored a file
* lint fix
* renamed feature
* used model.SafeDereference
* Added E2E tests
* add secure URL Playwright coverage
Expand the secure URLs Playwright coverage to validate creation, routing, rename flows, system console configuration, and search/navigation behavior while adding the page objects needed to keep the tests maintainable.
Made-with: Cursor
* rename secure URLs copy to anonymous URLs
Align the admin console and Playwright coverage with the Anonymous URLs feature name while preserving the existing UseAnonymousURLs config behavior and validating the renamed test surfaces.
Made-with: Cursor
* Update team creation CTA for anonymous URLs
Show Create in the single-step anonymous URL flow while preserving Next and Finish in the standard team creation flow. Update unit and Playwright coverage to match the revised create-team UX.
Made-with: Cursor
---------
Co-authored-by: maria.nunez <maria.nunez@mattermost.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* Add CI check for broken mattermost.com links in webapp
Add a script that scans the webapp source files for links to mattermost.com
domains and tests each unique URL for 404s. This helps detect broken
documentation and marketing links early.
- New script: webapp/scripts/check-external-links.mjs
- New npm target: check-external-links
- New CI job in webapp-ci.yml to run on every commit
* Add --markdown flag for GitHub Actions job summary
* Fix job summary: use pipefail and suppress progress output
* Require mattermost.com links to use /pl/ permalink format
* Require all mattermost.com links (including subdomains) to use /pl/
* Allow exceptions for push servers and root domain
* Make non-permalink URLs warnings instead of errors
* Add User-Agent header and retry GET on 403
* Follow redirects when checking URLs
Check the final destination of redirects to catch broken links that
redirect to error pages. If a redirect response has the Cloudflare
cf-mitigated header, assume the URL is OK and stop following.
* Simplify link checker code
- Combine PUSH_SERVER_PATTERN and HPNS_PATTERN into single regex
- Simplify validatePermalink to return boolean (reason was unused)
- Consolidate Cloudflare header checks in processResponse
* replace broken links with valid ones
* updates
* MM-67387 Prevent useExternalLink from erroring on certain invalid links
* Make check for domain in useExternalLink stricter
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Channel sharing operations (invite, uninvite, list shared channel remotes)
now require ManageSharedChannels instead of ManageSecureConnections, allowing
customers to delegate channel sharing without granting full connection management access.
Endpoints serving both roles (getRemoteClusters, getSharedChannelRemotesByRemoteCluster) accept either permission.
Also adds RequirePermission helpers on Context to reduce boilerplate across all remote cluster and shared channel handlers, and fixes a bug where invite/uninvite checked ManageSecureConnections but reported ManageSharedChannels in the error.
Allows plugins to programmatically trigger their RHS panel to pop out
into a separate window by calling window.WebappUtils.popouts.popoutRhsPlugin().
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [MM-67626] Update Playbooks plugin to v2.8.0
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Prepackage FIPS version for Playbooks
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* Add single-channel guest tracking and reporting
- Add AnalyticsGetSingleChannelGuestCount store method to count guests in exactly one channel
- Exclude single-channel guests from active user seat count in GetServerLimits
- Add single-channel guest count to standard analytics response
- Add Single-channel Guests card to System Statistics page with overage warning
- Add Single-channel guests row to Edition and License page with overage styling
- Add dismissible admin-only banner when single-channel guest limit is exceeded
- Gate feature behind non-Entry SKU and guest accounts enabled checks
- Re-fetch server limits on config changes for reactive UI updates
- Fix label alignment in license details panel
Made-with: Cursor
* Refine single-channel guest tracking
- Remove license GuestAccounts feature check from shouldTrackSingleChannelGuests (only config matters)
- Re-add getServerLimits calls on page mount for fresh data
- Remove config-change reactivity code (componentDidUpdate, useEffect)
- Add server i18n translations for error strings
- Sync webapp i18n via extract
- Add inline comments for business logic
- Restore struct field comments in ServerLimits model
- Add Playwright E2E tests for single-channel guest feature
- Fix label alignment in license details panel
Made-with: Cursor
* Guests over limit fixes and PR feedback
* Fix linter issues and code quality improvements
- Use max() builtin to clamp adjusted user count instead of if-statement (modernize linter)
- Change banner type from ADVISOR to CRITICAL for proper red color styling
Made-with: Cursor
* Fix overage warnings incorrectly counting single-channel guests
Single-channel guests are free and should not trigger license seat
overage warnings. Update all overage checks to use
serverLimits.activeUserCount (seat-adjusted, excluding SCG) instead
of the raw total_users_count or TOTAL_USERS analytics stat.
- UserSeatAlertBanner on License page: use serverLimits.activeUserCount
- UserSeatAlertBanner on Site Statistics page: use serverLimits.activeUserCount
- ActivatedUserCard display and overage check: use serverLimits.activeUserCount
- OverageUsersBanner: use serverLimits.activeUserCount
Made-with: Cursor
* Use license.Users as fallback for singleChannelGuestLimit before limits load
This prevents the SingleChannelGuestsCard from showing a false overage
state before serverLimits has been fetched, while still rendering the
card immediately on page load.
Made-with: Cursor
* Fix invite modal overage banner incorrectly counting single-channel guests
Made-with: Cursor
* Fix invitation modal tests missing limits entity in mock state
Made-with: Cursor
* Fix tests
* Add E2E test for single-channel guest exceeded limit scenario
Made-with: Cursor
* Fix TypeScript errors in single channel guests E2E test
Made-with: Cursor
* Fix channel name validation error caused by unawaited async getRandomId()
Made-with: Cursor
* Add contextual tooltips to stat cards when guest accounts are enabled
Made-with: Cursor
* Code review feedback: query builder, readability, tooltips, and alignment fixes
Made-with: Cursor
* Fix license page tooltip alignment, width, and SaveLicense SCG exclusion
Made-with: Cursor
* Fix banner dismiss, license spacing, and add dismiss test
Made-with: Cursor
* Exclude DM/GM channels from single-channel guest count and fix E2E tests
Filter the AnalyticsGetSingleChannelGuestCount query to only count
memberships in public/private channels, excluding DMs and GMs. Update
store tests with DM-only, GM-only, and mixed membership cases. Fix E2E
overage test to mock the server limits API instead of skipping, and
correct banner locator to use data-testid.
Made-with: Cursor
* Add operation tracking fields to bridge client CompletionRequest calls
Populate UserID, Operation, and OperationSubType on CompletionRequest
for recaps (SummarizePosts) and message rewrite (RewriteMessage) so
token usage logs show correct values instead of defaults.
Also bumps mattermost-plugin-ai v1.8.1 → v1.12.0 which adds the
Operation/OperationSubType fields to the bridgeclient struct.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address PR feedback: normalize rewrite action and use session-derived userID
- post.go: Add normalizeRewriteAction() that validates action against a
whitelist of known RewriteAction values, mapping unknown values to
"unknown" before assigning to OperationSubType.
- summarization.go: Use sessionUserID (derived from rctx.Session().UserId)
instead of the userID parameter for tracking, ensuring operation
tracking always uses the authenticated session user.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* feat: pass unicode emojis from emoji picker to textare
* fi test
* PR feedback
* fix unit tests
* fix linter
* fix emoji test
* fix e2e test
* e2e test
* Fix MM-T155 emoji test to use flexible recently used assertions
Made-with: Cursor
---------
Co-authored-by: Nevyana Angelova <nevyangelova@Nevy-Macbook-16-2025.local>
When TeamSettings.RestrictDirectMessage is set to "team", the system bot could not create DM channels with users on different teams (or no shared team). This broke SendTestMessage, CheckPostReminders, and other background jobs that use an empty session context.
The existing bypass in GetOrCreateDirectChannel only covered bots owned by the current session user or a plugin. The system bot is owned by a system admin, so it failed the ownership check and hit the common-team guard.
Changes:
- Rename IsBotOwnedByCurrentUserOrPlugin to IsBotExemptFromDMRestrictions to better reflect its purpose
- Add an explicit system bot exemption (bot.Username == BotSystemBotUsername) as the first check in the function
- Add tests covering the system bot exemption with both empty and user sessions
* UpdateByQuery methods for channel_type; rewrite reindexChannelPosts
log pre-fetch error in channel Update and upgrade reindexChannelPosts to error level
* add backfill orchestration, config listener, webapp toggle changes
fix misleading backfill complete log when SaveOrUpdate fails
* add integration & unit tests for public channel search and backfill
* fix nil pointer dereference on UpdateByQuery response and log partial failures
* add tests for compliance mode override and P channel post leakage
* update system console snapshots
* add instructions to error message
* improve compliance-mode test
* getAllChannels doesn't filter by O/S, need to do ourselves
* in search, load channel info for channels we're not a member of
* blank commit -- something is wrong with github, maybe this will help
* improve channelType passing; error msg; simplify settings naming
* debug logging for timing backfill and channel change; TO BE REVERTED
* fix getMissingChannelsFromFiles in search as well
* blank commit
* Improve job progress estimation with no data
For the Elasticsearch indexing job, we compute the job progress
executing analytics queries to get the total number of posts, channels,
users and files in the database.
Until now, if that call failed, we instead used an estimate. That
estimate is a hardcoded number that is in no way related to the server
data. If that estimate was smaller than the number of already processed
entities, the job progress would show up as larger than 100%.
This commit changes that behaviour by caching the result of the
analytics query:
1. If the analytics query succeeds, we store that value in the job data.
2. If the analytics query fails, we pick a value for the total as
follows:
- Use the value previously stored in the job data if available.
- If not, use the hardcoded estimate.
- If the hardcoded estimate is smaller than the current count of
processed entities, use that count instead.
* Add defensive code against division by zero
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
When a multiselect dialog field uses data_source: "dynamic", a
comma-separated default value (e.g. "Product1,Product2") was rendered
as a single chip instead of two separate pre-selected chips.
---------
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* Port scripts/update-versions to a shell script
* Update the scripts to change the version to use jq
* Add the shared package
* Update webapp/scripts/CLAUDE.OPTIONAL.md
* Update webapp/scripts/CLAUDE.OPTIONAL.md
* docs(auth): Add clarification note about Google SSO username/email sync behavior
* i18n: Add translation for SSO username sync note
* Fix linting errors in User Settings Security
Fixed react/jsx-tag-spacing and other linting issues in user_settings_security.tsx.
Also updated webapp/package.json to enforce npm engines.
* Fix: Revert whitespace changes in package.json and en.json
* Fix: Reorder en.json keys alphabetically to satisfy check-i18n
* Fix: Scope Google SSO sync note to Google service and use block element
* Rename Content Flagging to Data Spillage Handling
Update all user-facing text to use "Data Spillage Handling" and
"Quarantine for Review" terminology. Rename i18n keys that referenced
content flagging. Auto-patch bot display name on pre-existing servers.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fixed searchable stringgs
* Revert unintended package-lock.json changes
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix i18n extract check: correct typo and key ordering
Fix "posed" -> "posted" typo in keep/remove quarantine modal
defaultMessages. Move admin.contentFlagging.title to correct
alphabetical position in en.json.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix webapp tests for Data Spillage Handling rename
Update test assertions to match renamed i18n strings:
notification settings, content reviewers, and additional
settings tests now expect the new quarantine terminology.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Use translatable i18n strings for notification messages
Replace hardcoded "flagged for review" notification templates with
i18n.T() calls using "quarantined for review" terminology. Add six
new server i18n keys for author, reporter, and reviewer notifications.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix server i18n key mismatches and update test assertions
Rename remaining app.content_flagging.* keys to app.data_spillage.*
in server/i18n/en.json to match Go code references. Fix the
quarantine_post_confirmation key name. Update test assertions to
match new "quarantined for review" terminology.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix gofmt formatting in content_flagging.go
Co-authored-by: Cursor <cursoragent@cursor.com>
* Prevent nil bot on PatchBot failure in getContentReviewBot
Use a separate variable for PatchBot result so the original bot
is preserved if the display name update fails.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Reorder server i18n keys after extract
Run mmgotool i18n extract to sort entries into correct
alphabetical order.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Replace i18n.T() with fmt.Sprintf for notification messages and fix test assertions
Use direct string formatting for bot notification messages instead of
i18n translation keys, which were being removed by mmgotool i18n extract
due to indirect key references. Also update test expectations for renamed
error keys (content_flagging -> data_spillage).
Co-authored-by: Cursor <cursoragent@cursor.com>
* Update default quarantine reasons to DISC-aligned terminology
Replace generic content moderation reasons with defense/intelligence
sector terminology: Classification mismatch, Need-to-know violation,
PII exposure, OPSEC concern, CUI violation, Unauthorized disclosure,
and Other. Updated across model, API tests, webapp tests, and e2e tests.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Adding a string missing from bad merge
* Update remaining flagged terminology and icon for data spillage rename
- Change post menu icon from flag-outline to alert-outline
- Update reviewer notification: "quarantined" -> "submitted" a message
- Update action notifications: "flagged message" -> "quarantined message"
- Update modal errors: "flagging" -> "quarantining" this message
- Update report title: "flagged" -> "submitted" a message for review
- Update e2e page object locator for renamed menu item
Made-with: Cursor
* Fix tests
* Fix quarantine icon alignment in post dot menu
Use AlertOutlineIcon React component with size={18} instead of raw
<i> tag to match the sizing of all other menu item icons.
Made-with: Cursor
* Fixed E2E tests
* Missing test fix
* Fix E2E tests
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* Add AGENTS.md with Cursor Cloud development environment instructions
- Documents service architecture (Go server + React webapp + PostgreSQL)
- Covers how to start services, run lint/tests/builds
- Notes key gotchas for dev setup (config auto-generation, client symlink, SMTP errors)
- Specifies Node.js 24.11 and Go 1.24.13 version requirements
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
* Update AGENTS.md with dual-repo enterprise development setup
- Document enterprise repo at $HOME/enterprise and plugin-agents at $HOME/mattermost-plugin-agents
- Add git authentication instructions for cross-repo operations with CURSOR_GH_TOKEN
- Document enterprise server build, run, and plugin deployment workflow
- Add cross-repo PR workflow instructions
- Include BUILD_ENTERPRISE_DIR usage for all make commands
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
* Rewrite AGENTS.md: add plugin config docs, move automatable steps to update script
- Add Agents plugin configuration section with full JSON structure and API usage
- Document ANTHROPIC_API_KEY requirement and config-must-be-object gotcha
- Remove instructions now handled by update script: config.override.mk, client
symlink, git insteadOf cleanup, remote URL cleanup
- Trim redundant sections for conciseness
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
* AGENTS.md: use make run/restart-server workflow, document TEAM EDITION gotcha
- Replace manual go build/run instructions with make run and make restart-server
- Emphasize BUILD_ENTERPRISE_DIR must be passed to every make command
- Document that 'TEAM EDITION' label is license-dependent, not build-dependent
- Add verification steps for confirming enterprise code is loaded
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
* AGENTS.md: add TEST_LICENSE/MM_LICENSE for enterprise licensing
- Pass MM_LICENSE=$TEST_LICENSE in make run and make restart-server commands
- Document that the license unlocks enterprise features and removes TEAM EDITION badge
- Simplify the TEAM EDITION gotcha to focus on the fix
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
* Rename AGENTS.md to AGENTS.CLOUD.md, gitignore AGENTS.md
AGENTS.md is a standard file that affects real editors. To avoid impacting
non-cloud workflows, the cloud-specific instructions now live in
AGENTS.CLOUD.md (committed) and the update script copies it to AGENTS.md
(gitignored) on startup so Cursor Cloud agents still pick it up.
Co-authored-by: Nick Misasi <nick13misasi@gmail.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Add shared_channel_manager and secure_connection_manager built-in roles
Introduce two new delegated admin roles for granular Shared Channels
permission management, allowing admins to assign shared channel and
secure connection management to specific non-admin users without
granting full System Admin or System Manager access.
- shared_channel_manager: grants manage_shared_channels permission
- secure_connection_manager: grants manage_secure_connections permission
Includes server role definitions, app migrations, permissions migrations,
System Console UI support, and API permission tests.
#### Summary
Use the atomic `ConsumeOnce` pattern for guest magic link token consumption, consistent with how SSO code exchange tokens are already handled.
#### Ticket Link
https://mattermost.atlassian.net/browse/MM-67791
#### Release Note
```release-note
Improved token handling in the guest magic link authentication flow.
```
Change the /api/v4/users/{user_id}/auth endpoint to use
APISessionRequired instead of APISessionRequiredTrustRequester.
This endpoint is a JSON API called via XHR and does not need
the TrustRequester flag which is intended for directly-requested
resources like images and file downloads.
Made-with: Cursor
