206 commits

Author	SHA1	Message	Date
Ibrahim Serdar Acikgoz	deafd88fd5	MM-68762: Discoverable Private Channels — Server data layer (#36539) ... * MM-68762: Add Postgres migrations for discoverable private channels Three online-safe migrations introduce the schema that supports the Discoverable Private Channels feature (PRs 2-5 of MM-68430 will land behind it): - 000175 adds Channels.Discoverable BOOLEAN NOT NULL DEFAULT FALSE. Metadata-only on Postgres >= 11; no table rewrite. - 000176 creates a partial index on (TeamId) WHERE Discoverable AND Type='P' AND DeleteAt=0 using CREATE INDEX CONCURRENTLY (-- morph:nontransactional) so the build never blocks writes on the populated Channels table. - 000177 creates the ChannelJoinRequests table with three indexes, the important one being the partial unique index on (ChannelId, UserId) WHERE Status = 'pending'. That keeps the full audit history intact while still enforcing at-most-one active pending request per (channel, user). Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add FeatureFlagDiscoverableChannels (default false) Gates the per-channel Discoverable toggle and the channel-join-request flow. Default-OFF so all PRs in the MM-68430 series can land on master without exposing partial UX. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add Discoverable + ChannelJoinRequest models - Channel gains a Discoverable bool, ChannelPatch a *bool, both serialized as 'discoverable'. Patch() applies it, Auditable() logs it, and IsValid() rejects Discoverable=true on any non-private channel so a misconfigured patch can never produce a public discoverable channel. - New ChannelJoinRequest type captures the per-row state of a non-member's request: pending -> approved | denied | withdrawn. Rows are append-only with reviewer and timestamps so the table is also the audit trail. IsValid() enforces: * recognized status, * Message and DenialReason rune limits, * DenialReason only on denied rows (no orphan reasons), * reviewer + reviewed_at present for any terminal review (approved / denied) but not for self-service withdrawal. - Two new WebSocket event constants -- channel_join_request_created and channel_join_request_updated -- that later PRs broadcast on the admin queue and the requester's My Pending Requests panel. Unit tests cover Patch(), the new IsValid() rule on Discoverable, the PreSave/PreUpdate timestamp behavior on ChannelJoinRequest, and every IsValid branch including the reviewer-required-on-review invariant. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add discoverable-channel permissions Two new channel-scoped permissions, each independently rebindable from the System Console: - manage_private_channel_discoverability gates the per-channel toggle so admins can restrict who can flip discoverability without also handing out manage_private_channel_properties. - manage_channel_join_requests gates the queue list / approve / deny / count endpoints (added in PR 2). Both are added to the channel_admin role bootstrap so new deployments get them by default, and a new permissions migration (add_discoverable_channel_permissions) grants them to channel_admin, team_admin and system_admin scheme roles on existing deployments. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add ChannelJoinRequestStore and wire Discoverable into channel store - channelSliceColumns / channelToSlice / updateChannelT now include the new Discoverable column so Save() and Update() round-trip the field. Existing select paths inherit the column automatically because every read goes through channelSliceColumns. - New ChannelJoinRequestStore interface and SQL implementation: Save / Get / GetPendingForChannelAndUser / GetForChannel / GetForUser / Update / CountPending. Save translates the idx_channeljoinrequests_pending_unique partial unique index violation into store.ErrConflict so the app layer (PR 2) can return 409 without re-parsing pq errors. - Storetest suite at storetest/channel_join_request_store.go is invoked from sqlstore via the existing StoreTest harness; covers insert / partial-unique conflict / re-insert after withdrawal / NotFound / status filtering / pagination with TotalCount / Update / CountPending. - Mocks and retrylayer / timerlayer are regenerated via make store-mocks and go generate ./channels/store -- no hand-written generator output. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add TS types for Discoverable channels + join requests webapp/platform/types: - Channel.discoverable?: boolean alongside existing policy_enforced / policy_is_active so the web client sees the same wire shape the server emits. - ChannelJoinRequest, ChannelJoinRequestStatus, ChannelJoinRequestList, GetChannelJoinRequestsOptions for the API contract surfaced in PR 2. webapp/platform/client: - WebSocketEvents enum gains ChannelJoinRequestCreated and ChannelJoinRequestUpdated so PR 3 can hang WS handlers off them without redeclaring constants. These are model-only updates with no UI consumer yet; PR 3 introduces the toggle, request flow, and admin queue surfaces. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Split ChannelJoinRequests indexes into concurrent migrations The mattermost-govet concurrentIndex lint check enforces CREATE INDEX CONCURRENTLY on every CREATE INDEX statement, even on an empty freshly-created table where it would be a no-op. The original 000177 file inlined three CREATE INDEX statements; that failed check-style. Mirror the convention used by 000166_create_views + 000167_create_views_channel_id_delete_at_index: keep the CREATE TABLE in its own (transactional) file, and move each index into a separate nontransactional file that runs CREATE INDEX CONCURRENTLY. Verified locally against Postgres 15 that all four new migrations apply in order and the storetest suite (partial unique constraint + paged list + count) still passes. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Wire new permission migration into test fixtures Two CI test surfaces missed when the channel_admin role and the permission-migration list gained the new manage_private_channel_discoverability and manage_channel_join_requests entries: - testlib/store.go: the shared mocked SystemStore used by SetupWithStoreMock / SetupEnterpriseWithStoreMock needs an explicit GetByName expectation for every migration key (because the mock panics on unexpected calls). Add the new MigrationKeyAddDiscoverableChannelPermissions key so TestCreateOrUpdateAccessControlPolicy, the elasticsearch aggregation_job_test, and every other mock-store test stop panicking on server bootstrap. - cmd/mmctl/commands/permissions_test.go: TestResetPermissionsCmd hard-codes the channel_admin default permission list and expects PatchRole to be called with exactly that slice. Extend the expected slice with the two new permission ids so the mmctl reset path stays in sync with the role bootstrap. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Register new idx_channels_discoverable_team in TestGetSchemaDefinition The schema-dump test asserts an exact index count and definition map for the channels table. Migration 000176 added idx_channels_discoverable_team — a partial btree on (teamid) gated by discoverable=true AND type='P' AND deleteat=0. Bump the expected count from 12 to 13 and add the index's CREATE INDEX definition as produced by pg_indexes (note: type is cast to channel_type, the existing domain). Verified locally against Postgres 15. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Fix golangci-lint findings in ChannelJoinRequest store Two golangci-lint findings on the freshly-added files: - sqlstore/channel_join_request_store.go:133 (modernize): collapse the 'if page < 0 { page = 0 }' clamp into max(opts.Page, 0). - storetest/channel_join_request_store.go:243 (govet shadow): the inner Save loop redeclared err with :=, shadowing the outer err captured from the first CountPending call. Switch to plain assignment so the same err is reused. Verified locally with golangci-lint v2.11.4 across public/..., channels/app/..., channels/store/..., channels/testlib/... and cmd/mmctl/commands/... — 0 issues. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Sync channel_admin bootstrap with TestDoAdvancedPermissionsMigration app_test.go pins the exact list of permissions the channel_admin role is expected to hold after DoAdvancedPermissionsMigration completes. The role bootstrap in role.go grew two entries (manage_private_channel_discoverability and manage_channel_join_requests), so the test's expected slice needs the same two entries appended in the same order, otherwise assert.Equal fails on slice ordering. This is the same class of fix as the mmctl/permissions_test.go change in a previous commit -- two parallel test fixtures encode the channel_admin defaults and have to be updated in lockstep with the bootstrap. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Add English translations for new model error keys 12 keys were emitted by the new Discoverable + ChannelJoinRequest validation paths but had no en.json entry, which trips i18n-check on CI. Add the missing entries with one-line English copy that mirrors adjacent model errors (Invalid <field>., Create at must be a valid time., etc.). The new entries are: - model.channel.is_valid.discoverable.app_error - model.channel_join_request.is_valid.channel_id.app_error - model.channel_join_request.is_valid.create_at.app_error - model.channel_join_request.is_valid.denial_reason.app_error - model.channel_join_request.is_valid.denial_reason_status.app_error - model.channel_join_request.is_valid.id.app_error - model.channel_join_request.is_valid.message.app_error - model.channel_join_request.is_valid.reviewed_by.app_error - model.channel_join_request.is_valid.reviewer.app_error - model.channel_join_request.is_valid.status.app_error - model.channel_join_request.is_valid.update_at.app_error - model.channel_join_request.is_valid.user_id.app_error Generated through 'make i18n-extract'; verified clean with 'make i18n-check'. Per the workspace rule, only en.json was modified -- no other locale files. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Address CodeRabbit review: stable pagination + redact denial reason from audit log Two production-code findings from CodeRabbit on the freshly-added ChannelJoinRequest server code: - sqlstore/channel_join_request_store.go (GetForChannel / GetForUser): OrderBy("CreateAt DESC") alone is unstable when two rows share a millisecond (NewId is monotonic-ish but CreateAt is millisecond resolution), so offset paging could duplicate or skip rows between pages. Add Id DESC as a deterministic tie-breaker on both list queries. - model/channel_join_request.Auditable: the denial reason is admin-typed free text and could carry sensitive content. Mirror the existing has_message pattern by emitting has_denial_reason as a boolean presence flag instead of the raw value. Reviewer id, review timestamp, and status are still logged, so the audit trail keeps every piece needed for compliance review. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Tighten model tests per CodeRabbit review Two test-only findings from CodeRabbit: - TestChannelJoinRequestPreUpdateAdvancesUpdateAt previously asserted GreaterOrEqual(r.UpdateAt, originalCreate). Because validRequest initialises UpdateAt to GetMillis() (same call site as CreateAt), a no-op PreUpdate would still pass that check. Seed r.UpdateAt = 1 before calling PreUpdate() and assert Greater(r.UpdateAt, int64(1)) so any regression that drops the GetMillis assignment fails the test. - TestChannelIsValidDiscoverable did not cover ChannelTypeGroup. Add the case alongside ChannelTypeOpen and ChannelTypeDirect so the contract that 'only ChannelTypePrivate accepts Discoverable=true' is fully pinned across all four channel types. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> * MM-68762: Mock ChannelJoinRequest accessor in retrylayer test retrylayer_test.go's genStore() helper mocks every Store() accessor because retrylayer.New() wraps the entire surface. The new ChannelJoinRequest() method I added on Store was missing from the mock, so TestRetry/on_regular_error_should_not_retry panicked with 'Unexpected Method Call ChannelJoinRequest()' on Postgres shard 0. Add the mock alongside the other accessors. No production code change. Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com>	2026-05-15 21:04:32 +02:00
Jesse Hallam	d4fc0ecb1c	MM-68150: Upgrade golangci-lint to v2.12.2 (#36554) ... * Simplify invite_people email parsing Replace backwards in-place mutation loop with a straightforward forward filter into a new slice. Extract into parseEmailList so the logic can be unit tested directly. * MM-68150: Upgrade golangci-lint to v2.12.2 Remove //go:fix inline from NewPointer, which is a generic function not yet supported by the inline analyzer, and fix 11 slicesbackward modernize issues flagged by the new version. * MM-68150: Enable all linters by default; disable those with >20 existing issues Switch from opt-in (default: none) to opt-out (default: all) so new linters added to golangci-lint are evaluated automatically. Explicitly disable every linter that has more than 20 pre-existing violations, deferring those for later cleanup. Also disable a handful of linters whose violations are intentional patterns in this codebase (nilerr, dogsled, sqlclosecheck, iotamixing, predeclared, containedctx, iface, gocheckcompilerdirectives, promlinter, goprintffuncname, gomoddirectives). * MM-68150: Fix mirror linter issues Replace Write([]byte(s)) with WriteString(s), and FindIndex([]byte(s)) with FindStringIndex(s), to avoid unnecessary allocations. * MM-68150: Fix nosprintfhostport linter issue Use net.JoinHostPort to construct host:port strings instead of fmt.Sprintf with a manually formatted pattern. * MM-68150: Fix rowserrcheck and sqlclosecheck linter issues Check rows.Err() after iteration loops in schema_dump.go. In the sqlx_wrapper test, defer rows.Close() rather than closing inline. * MM-68150: Fix nilnesserr linter issues — wrong variable in error handlers In 11 places, a stale variable (often the outer err from a prior assignment) was used instead of the freshly-checked error variable (appErr, rowErr, jsonErr, writeErr, esErr). Each produces a typed-nil wrapped in a non-nil interface, silently discarding the real error. * MM-68150: Add i18n string for app.compile_csv_chunks.write_error --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-14 17:29:37 -04:00
Alejandro García Montoro	f604ec7a5c	MM-68662: Add Azure Blob Storage filestore backend (#36498) ... * Generalize file backend error types Replace S3FileBackendAuthError and S3FileBackendNoBucketError with backend-agnostic FileBackendAuthError and FileBackendNoBucketError so non-S3 drivers can return them and the admin "Test Connection" flow keeps surfacing useful messages. The old S3-prefixed names are kept as type aliases of the generic types so external code (plugins, historical consumers) continues to compile, and so existing S3 construction sites stay untouched. The type switch in connectionTestErrorToAppError now matches the generic types, with new i18n keys (test_connection_auth.app_error and test_connection_no_bucket.app_error) whose wording does not name S3. The old S3-specific i18n keys are dropped via `make i18n-extract` since they are no longer referenced from code; the api4 test that asserted on those keys is updated, and the Cypress `MM-T996 Amazon S3 connection error messaging` spec that asserted on the old user-facing string is updated to the new wording. ------ AI assisted commit * Pull in Azure SDK and uuid dependencies Bring in github.com/Azure/azure-sdk-for-go/sdk/azcore and .../sdk/storage/azblob (with .../sdk/internal as their indirect dependency). The two are needed by the upcoming Azure Blob Storage filestore backend and its lazy-Range-backed reader. The bump of golang.org/x/{crypto,net,sys,term,text} comes transitively from azblob's minimum versions. Also promotes github.com/google/uuid from indirect to direct, since the Azure backend uses it to generate block IDs that share the same wire format the SDK itself produces in UploadStream. ------ AI assisted commit * Add azureRangeReader, a seekable Range-backed blob reader A small standalone type that satisfies the FileBackend interface's ReadCloseSeeker + the broader io.ReaderAt contract on top of Azure Blob Storage HTTP Range requests. Lands as its own commit because the upcoming Azure FileBackend driver builds on it, and the reader itself is independently useful — and independently testable against a fake downloader without standing up an Azure client. Design notes: * Read opens an HTTP Range stream lazily at the current offset and reuses it for sequential reads. Seek to a different offset closes the open stream; the next Read re-opens it. * Seek to the same offset is a no-op and does not close the open stream, so callers like zip.NewReader that probe with redundant seeks don't kick off a fresh download. * ReadAt issues a dedicated ranged DownloadStream per call and does not touch the streaming cursor — matches the io.ReaderAt contract the bulk-import worker's zip.NewReader path relies on. * Close cancels the context (which any in-flight Azure call will observe and abort), stops the deadline timer, and closes the current body if any. It is safe to call when no body was ever opened. * CancelTimeout lets long-running consumers like the import worker opt out of the per-operation deadline that would otherwise kill multi-minute downloads partway through. The implementation talks to a small blobDownloader interface rather than *blob.Client directly so the unit tests can substitute a fake downloader that records every requested Range and tracks Close calls on the bodies it hands out. ------ AI assisted commit * Add Azure Blob Storage filestore driver Implements the FileBackend interface against Azure Blob Storage in a new azurestore.go (~520 LOC). The driver is not yet selectable via NewFileBackend's switch — that wiring lands in the next commit together with the admin config surface — but the driver itself is complete and self-contained behind the FileBackendSettings struct. Filesstore.go grows three pieces of supporting infrastructure that the driver consumes: * a `driverAzure = "azureblob"` constant alongside the existing driverS3 and driverLocal, * an Azure-specific block on FileBackendSettings (storage account, access key, container, path prefix, endpoint, SSL flag, request timeout), * a CheckMandatoryAzureFields validator that mirrors CheckMandatoryS3Fields. Behavioural notes that warrant calling out: * Reader returns the previously-added azureRangeReader, so reads stream lazily over HTTP Range and ReadAt is available for the bulk-import worker's zip.NewReader path. The deadline timer is armed before the initial GetProperties call so the HEAD itself is bounded. * WriteFile and AppendFile both go through StageBlock + CommitBlockList via a shared stageBlocks helper, never the SDK's UploadStream. UploadStream's small-payload fast path falls back to single-shot PutBlob, which leaves the resulting blob with no committed block list; a subsequent AppendFile that calls CommitBlockList on that blob would then clobber its content. Routing every write through the block-list mechanism keeps AppendFile correct regardless of payload size. * AppendFile stages the new chunk as one or more blocks and commits the existing committed block list plus the newly staged IDs. The new bytes go up exactly once — no re-download, no re-concatenate, no re-upload of the prior contents. * WriteFileContext does not wrap the caller-supplied context with its own timeout — that timeout is applied in WriteFile only, matching the S3 driver, so long-running TryWriteFileContext callers (like message-export bulk writes) opt out of the per-operation timeout the way the abstraction documents. Authentication is shared-key only for this drop; Microsoft Entra ID / managed identity is deferred to a follow-up. The endpoint is configurable so the same code targets the production Azure host (vhost style — {account}.blob.core.windows.net) or Azurite / Azure Government / sovereign clouds (path style — host[:port]/{account}). ------ AI assisted commit * Wire Azure backend into config, validation, and driver selection This commit registers the previously-added AzureFileBackend driver with the rest of the system. Until now the driver was usable only via direct construction; after this commit, `DriverName: "azureblob"` in config.json is a fully-supported deployment configuration. Five integration sites are touched: * `newFileBackend` in filesstore.go now dispatches `driverAzure` to NewAzureFileBackend, alongside the existing s3 and local cases. NewFileBackendSettingsFromConfig (and its export counterpart) gain an Azure branch that maps the model.FileSettings fields onto the Azure-specific FileBackendSettings fields. * `model.FileSettings` grows the user-facing Azure config schema: storage account, access key, container, path prefix, endpoint, SSL flag, request timeout, plus matching Export* fields for the dedicated export store. SetDefaults populates them so deployments that never opted into Azure don't carry nil pointers. `isValid` accepts the new ImageDriverAzure constant. * `Config.Sanitize()` masks AzureAccessKey and ExportAzureAccessKey the same way it masks AmazonS3SecretAccessKey, so the shared key never reaches an API consumer in plain text. * `desanitize()` restores the masked keys on a config write so a PATCH that doesn't touch the key doesn't clobber it with the FakeSetting placeholder. * `configSensitivePaths` covers both Azure key paths so audit diffs don't include them either. * `ConfigToFileBackendSettings` in the `mattermost db` CLI helper gets the Azure branch its production counterpart already has — without it, `mattermost db migrate` / `db downgrade` would fail on Azure-configured deployments with "missing azure storage account setting". Finally, the shared FileBackendTestSuite is now wired against Azurite via TestAzureFileBackendTestSuite, which skips when CI_AZURITE_HOST is unreachable. The test-infra wiring (the docker service, the env vars, the start_dependencies entry) landed in a previous PR; this commit is what makes the suite actually exercise the Azure driver end to end. ------ AI assisted commit * Validate Azure timeout and path prefix in Config.IsValid Parity with the S3-side checks that already cover AmazonS3RequestTimeoutMilliseconds and AmazonS3PathPrefix. Without these, a zero/negative AzureRequestTimeoutMilliseconds passes validation and later creates immediately-expired request contexts, and leading/trailing whitespace in AzurePathPrefix produces blob keys that don't match what the admin configured. Same checks added for the Export* counterparts. The file_driver.app_error translation is updated to mention the new 'azureblob' option alongside 'local' and 'amazons3'. ------ AI assisted commit * Stream zip entries from the Azure backend writeZipEntry was calling ReadFile, which loads the entire blob into memory before writing it to the archive. For large blobs or deep directories this spikes RSS or OOMs the goroutine. Switch to Reader (the streaming azureRangeReader) and io.Copy into the zip entry so memory stays bounded regardless of blob size. ------ AI assisted commit * Use a backend-agnostic fallback for FileBackendNoBucketError The fallback Error() message was "no such bucket", which leaks S3 terminology when an Azure caller returns the type with no wrapped Err. Use "no such bucket or container" so logs and external error handling stay neutral across backends. ------ AI assisted commit * Defend Azure path prefix against directory traversal Reject ".." in AzurePathPrefix and ExportAzurePathPrefix at config validation time, since path.Join collapses traversal segments and a prefix like "../other-tenant" would otherwise escape the configured isolation boundary. Harden the prefix helper as a second line of defense: if the joined path no longer sits inside pathPrefix, fall back to joining the prefix with the base name of the caller-supplied path. That preserves the prefix invariant for plugin and import paths that the upload code does not sanitize uniformly. ------ AI assisted commit * Honor SkipVerify when constructing the Azure client FileBackendSettings.SkipVerify is plumbed through from the System Console the same way it is for S3, so admins toggling the flag for self-signed endpoints (Azurite, sovereign clouds) get the behavior they expect without having to drop SSL entirely and send the shared key in clear text. ------ AI assisted commit * Warn when the Azure request timeout falls back to its default Config.IsValid already rejects non-positive AzureRequestTimeoutMilliseconds for any path that goes through config validation, so this warn only fires for direct callers that bypass validation (tests, helpers). Logging the substitution turns a silent coercion into something an operator can correlate against unexpected request behavior. ------ AI assisted commit * Cap Azure request timeout at 10 minutes Reject AzureRequestTimeoutMilliseconds values above the ceiling so an operator (or someone who has admin access) cannot effectively disable timeouts by setting the value to math.MaxInt64. A hung Azure call then holds a goroutine open until the OS gives up. Applies the same bound to ExportAzureRequestTimeoutMilliseconds. S3 has the same gap; treating it is out of scope here but worth a follow-up. ------ AI assisted commit * Refuse AppendFile on blobs without a committed block list A blob written by another tool (Azure portal, azcopy, a migration script, a plugin using Put Blob) has its content in the blob but an empty committed-block list. Committing a new block list against such a blob silently replaces the existing content with only the appended bytes. Check the blob's properties before staging when the committed-block list is empty, and refuse with a clear error if the blob has content. Same hazard for an admin pointing the backend at an existing container with pre-existing files. Adds an integration test against Azurite to lock the behavior in. ------ AI assisted commit * Surface truncated reads from azureRangeReader Read closed the body cleanly and returned io.EOF even when the remote stream terminated before the blob's content length. Callers (and any retry layer above) then accepted a partial blob as complete. ReadAt unconditionally rewrote io.ErrUnexpectedEOF to io.EOF, which made truncated downloads indistinguishable from clean reads. That is exactly what zip.NewReader consumes for archive readers, so the bulk-import worker would silently import partial archives. Read now closes the body, nils it, and returns io.ErrUnexpectedEOF when EOF arrives before offset reaches size. ReadAt only collapses ErrUnexpectedEOF to EOF when the full count was delivered and the stream was consumed to the end of the blob. Otherwise the truncation propagates with context. Both code paths are exercised by new fakeDownloader-backed tests. ------ AI assisted commit * Move container provisioning out of Azure TestConnection Auto-creating the container inside TestConnection meant a typo in the System Console (mattermosst instead of mattermost) silently provisioned an unwanted container in the admin's Azure subscription, with no audit log and no warning. They'd discover it later when uploads landed somewhere unexpected. TestConnection now returns FileBackendNoBucketError when the container is missing, mirroring the S3 contract. A new MakeContainer method mirrors S3FileBackend.MakeBucket, and Server.Start dispatches via two capability interfaces (bucketMaker / containerMaker) instead of a hard S3 type assertion — so the NoBucket error is no longer silently swallowed for backends Server.Start has not been taught about. ------ AI assisted commit * Carry file backend auth detail through to AppError The Test Connection button collapsed every typed backend failure into the same generic i18n message. Operators trying to debug bad credentials or a missing bucket only saw "Unable to authenticate against the file storage backend" with no SDK code to grep for in their logs. Use errors.As so the typed checks survive future wrapping, and pass the underlying error string through the NewAppError details argument. The AppError serializer surfaces that detail to the admin console alongside the translated message, so a bad S3 InvalidAccessKeyId or an Azure AuthenticationFailed shows up in the toast without an i18n schema change. ------ AI assisted commit * Remove non-ascii characters from comments ------ AI assisted commit * Make linter happy ------ AI assisted commit * Harden Azure prefix boundary check strings.HasPrefix on the joined path is a string-level check, not a path-level one, so a configured prefix of "mattermost" accepts a joined result of "mattermost-evil/...". A crafted caller path like "../mattermost-evil/secrets" would collapse via path.Join to that exact sibling and slip through the boundary check, escaping the configured prefix scope. Require the joined path to be the cleaned prefix itself or to start with the prefix followed by a path separator. The fallback path.Join uses the same cleaned prefix for consistency. ------ AI assisted commit * Provision Azurite container in standalone test setup The shared FileBackendTestSuite's SetupTest already handles a missing container by detecting FileBackendNoBucketError from TestConnection and calling MakeContainer, but TestAzureFileBackendAppendRefusesNonBlockBlob bypasses SetupTest and calls TestConnection directly. On a fresh Azurite instance the test would fail before exercising the append-refusal logic. Extract a newAzuriteBackend(t) helper alongside azuriteSettings(t) that builds the backend and ensures the container exists, mirroring the suite's setup. Use errors.As for forward compatibility with future wrapping. ------ AI assisted commit * Fix grammar in email-settings i18n string "Email settings has unset values." -> "Email settings have unset values." ------ AI assisted commit * Make Azure MakeContainer idempotent Treat a ContainerAlreadyExists response as success so that two nodes racing through TestConnection plus MakeContainer at boot both converge instead of having the loser fail. Mirrors how the S3 backend handles the equivalent BucketAlreadyOwnedByYou case. ------ AI assisted commit * Narrow AzureEndpoint comment to path-style only The setting only builds path-style URLs, so it cannot reach sovereign clouds like Azure Government or Azure China, which require vhost-style endpoints. Update the comment to reflect what the code actually does and document that sovereign-cloud support is out of scope. ------ AI assisted commit	2026-05-14 16:59:18 +00:00
David Krauser	9f1fe90b69	Migrate CPA to the v2 Property System (#36180)	2026-05-14 12:46:07 -04:00
Jesse Hallam	e3fbf8711f	MM-68149: Upgrade to Go 1.26.2 (#36418) ... * MM-68149: upgrade to Go 1.26.2 Update go directive in go.mod and .go-version. * MM-68149: replace pointer helpers with Go 1.26 new() Go 1.26 extends the built-in new() to accept an initial value expression, making typed-pointer helpers like model.NewPointer(x), bToP(x), and boolPtr(x) redundant. Replace every call site with new(x) and remove the now-unused helper functions and their //go:fix inline directives. * MM-68149: apply go fix for reflect API and format-string changes - reflect.Ptr → reflect.Pointer (renamed in Go 1.18, deprecated alias removed in 1.26) - reflect range-over-struct: for i := 0; i < t.NumField(); i++ → for field := range t.Fields() and the equivalent for Methods() and interface types - Fix format-string concatenation and variadic-arg mismatches flagged by go vet * MM-68149: update JPEG fixtures and test infrastructure for Go 1.26 encoder Go 1.26 ships a new image/jpeg encoder that produces slightly different output. Regenerate all JPEG fixture files and switch the comparison helpers from byte-equality to pixel-level comparison with a small per-channel tolerance, so minor encoder drift across patch versions is handled automatically. Add -update-fixtures flag to make it easy to regenerate fixtures after future major Go upgrades. Document the update procedure in tests/README.md. * MM-68149: CI check that go fix ./... produces no changes * Fix real bugs flagged by CodeRabbit review - group.go: set newGroup.MemberCount not group.MemberCount (member count was populated on the wrong variable and lost before publish/return) - file_test.go: guard compareImage(GetFilePreview) on the preview slice length, not the thumbnail slice length (copy-paste error) - config_test.go: remove duplicate MinimumLength assignment * fixup! Fix real bugs flagged by CodeRabbit review	2026-05-12 15:59:12 +00:00
Jesse Hallam	016e2fd6fb	ci: compile mmctl e2e tests with requirefips when FIPS_ENABLED=true (#36267) ... * ci: compile mmctl e2e tests with requirefips when FIPS_ENABLED=true Without this, the mmctl test binary was compiled without the requirefips tag even in the FIPS container, leaving model.FIPSEnabled=false and PasswordSettings.MinimumLength=8. Short passwords like "somepass" passed validation and hashing silently succeeded, giving false confidence that the tests were FIPS-clean. * tests: fix short password in TestUserConvertCmdF for FIPS "Valid bot to user convert" reached ConvertBotToUser with "password" (8 chars), which fails MinimumLength=14 on FIPS builds.	2026-04-28 00:41:57 +00:00
Ben Schumacher	93ab9a4ccc	[MM-68351] Fix nil pointer panic in mmctl websocket command on connection failure (#36138) ... * fix(mmctl): prevent nil pointer panic in websocket command on connection failure When the WebSocket connection fails immediately, Listen() closes EventChannel via defer. Reading from a closed channel with a plain receive returns nil, causing a panic in ToJSON(). Switch to range so the loop exits cleanly, add a nil guard, and surface ListenError to the caller. Fixes MM-68351 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test(mmctl): add unit tests for websocket nil event and ListenError handling Extracts the event-processing loop into processWebSocketEvents to enable unit testing, and adds tests covering the nil-event skip and error surfacing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test(mmctl): add happy-path subtest for processWebSocketEvents Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-23 15:32:34 +02:00
Pavel Zeman	6fdef8c9cc	ci: enable fullyparallel mode for server tests (#35816) ... * ci: enable fullyparallel mode for server tests Replace os.Setenv, os.Chdir, and global state mutations with parallel-safe alternatives (t.Setenv, t.Chdir, test hooks) across 37 files. Refactor GetLogRootPath and MM_INSTALL_TYPE to use package-level test hooks instead of environment variables. This enables gotestsum --fullparallel, allowing all test packages to run with maximum parallelism within each shard. Co-authored-by: Claude <claude@anthropic.com> * ci: split fullyparallel from continue-on-error in workflow template - Add new boolean input 'allow-failure' separate from 'fullyparallel' - Change continue-on-error to use allow-failure instead of fullyparallel - Update server-ci.yml to pass allow-failure: true for test coverage job - Allows independent control of parallel execution and failure tolerance Co-authored-by: Claude <claude@anthropic.com> * fix: protect TestOverrideLogRootPath with sync.Mutex for parallel tests - Replace global var TestOverrideLogRootPath with mutex-protected functions - Add SetTestOverrideLogRootPath() and getTestOverrideLogRootPath() functions - Update GetLogRootPath() to use thread-safe getter - Update all test files to use SetTestOverrideLogRootPath() with t.Cleanup() - Fixes race condition when running tests with t.Parallel() Co-authored-by: Claude <claude@anthropic.com> * fix: configure audit settings before server setup in tests - Move ExperimentalAuditSettings from UpdateConfig() to config defaults - Pass audit config via app.Config() option in SetupWithServerOptions() - Fixes audit test setup ordering to configure BEFORE server initialization - Resolves CodeRabbit's audit config timing issue in api4 tests Co-authored-by: Claude <claude@anthropic.com> * fix: implement SetTestOverrideLogRootPath mutex in logger.go The previous commit updated test callers to use SetTestOverrideLogRootPath() but didn't actually create the function in config/logger.go, causing build failures across all CI shards. This commit: - Replaces the exported var TestOverrideLogRootPath with mutex-protected unexported state (testOverrideLogRootPath + testOverrideLogRootMu) - Adds exported SetTestOverrideLogRootPath() setter - Adds unexported getTestOverrideLogRootPath() getter - Updates GetLogRootPath() to use the thread-safe getter - Fixes log_test.go callers that were missed in the previous commit Co-authored-by: Claude <claude@anthropic.com> * fix(test): use SetupConfig for access_control feature flag registration InitAccessControlPolicy() checks FeatureFlags.AttributeBasedAccessControl at route registration time during server startup. Setting the flag via UpdateConfig after Setup() is too late — routes are never registered and API calls return 404. Use SetupConfig() to pass the feature flag in the initial config before server startup, ensuring routes are properly registered. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore BurnOnRead flag state in TestRevealPost subtest The 'feature not enabled' subtest disables BurnOnRead without restoring it via t.Cleanup. Subsequent subtests inherit the disabled state, which can cause 501 errors when they expect the feature to be available. Add t.Cleanup to restore FeatureFlags.BurnOnRead = true after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * fix(test): restore EnableSharedChannelsMemberSync flag via t.Cleanup The test disables EnableSharedChannelsMemberSync without restoring it. If the subtest exits early (e.g., require failure), later sibling subtests inherit a disabled flag and become flaky. Add t.Cleanup to restore the flag after the subtest completes. Co-authored-by: Claude <claude@anthropic.com> * Fix test parallelism: use instance-scoped overrides and init-time audit config Replace package-level test globals (TestOverrideInstallType, SetTestOverrideLogRootPath) with fields on PlatformService so each test gets its own instance without process-wide mutation. Fix three audit tests (TestUserLoginAudit, TestLogoutAuditAuthStatus, TestUpdatePasswordAudit) that configured the audit logger after server init — the audit logger only reads config at startup, so pass audit settings via app.Config() at init time instead. Also revert the Go 1.24.13 downgrade and bump mattermost-govet to v2.0.2 for Go 1.25.8 compatibility. * Fix audit unit tests * Fix MMCLOUDURL unit tests * Fixed unit tests using MM_NOTIFY_ADMIN_COOL_OFF_DAYS * Make app migrations idempotent for parallel test safety Change System().Save() to System().SaveOrUpdate() in all migration completion markers. When two parallel tests share a database pool entry, both may race through the check-then-insert migration pattern. Save() causes a duplicate key fatal crash; SaveOrUpdate() makes the second write a harmless no-op. * test: address review feedback on fullyparallel PR - Use SetLogRootPathOverride() setter instead of direct field access in platform/support_packet_test.go and platform/log_test.go (pvev) - Restore TestGetLogRootPath in config/logger_test.go to keep MM_LOG_PATH env var coverage; test uses t.Setenv so it runs serially which is fine (pvev) - Fix misleading comment in config_test.go: code uses t.Setenv, not os.Setenv (jgheithcock) Co-authored-by: Claude <claude@anthropic.com> * fix: add missing os import in post_test.go The os import was dropped during a merge conflict resolution while burn-on-read shared channel tests from master still use os.Setenv. Co-authored-by: Claude <claude@anthropic.com> --------- Co-authored-by: Claude <claude@anthropic.com> Co-authored-by: wiggin77 <wiggin77@warpmail.net> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-08 20:48:36 -04:00
Jesse Hallam	71ca373de7	Generate instead of hard-coding test passwords, enforce new minimum for FIPS, shard CI, fix FIPS builds (#35905) ... * Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>	2026-04-08 16:49:43 -03:00
Jesse Hallam	f6d5d9e1bc	[MM-67859] Update license renewal and expiry email branding (#35701)	2026-04-04 20:30:36 -03:00
yy	38e26fbd2d	chore: fix typos in comments (#34960) ... Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-03 13:43:25 +00:00
Miguel de la Cruz	58dd9e1bb4	Add property system app layer architecture (#35157) ... * Refactor property system with app layer routing and access control separation Establish the app layer as the primary entry point for property operations with intelligent routing based on group type. This architecture separates access-controlled operations (CPA groups) from standard operations, improving performance and code clarity. Architecture Changes: - App layer now routes operations based on group type: - CPA groups -> PropertyAccessService (enforces access control) - Non-CPA groups -> PropertyService (direct, no access control) - PropertyAccessService simplified to handle only CPA operations - Eliminated redundant group type checks throughout the codebase * Move access control routing into PropertyService This change makes the PropertyService the main entrypoint for property related operations, and adds a routing mechanism to decide if extra behaviors or checks should run for each operation, in this case, the property access service logic. To add specific payloads that pluggable checks and operations may need, we use the request context. When the request comes from the API, the endpoints are in charge of adding the caller ID to the payload, and in the case of the plugin API, on receiving a request, the server automatically tags the context with the plugin ID so the property service can react accordingly. Finally, the new design enforces all these checks migrating the actual property logic to internal, non-exposed methods, so any caller from the App layer needs to go through the service checks that decide if pluggable logic is needed, avoiding any possibility of a bypass. * Fix i18n * Fix bad error string * Added nil guards to property methods * Add check for multiple group IDs on value operations * Add nil guard to the plugin checker * Fix build error * Update value tests * Fix linter * Adds early return when content flaggin a thread with no replies * Fix mocks * Clean the state of plugin property tests before each run * Do not wrap appErr on API response and fix i18n * Fix create property field test * Remove the need to cache cpaGroupID as part of the property service * Split the property.go file into multiple * Not found group doesn't bypass access control check * Unexport SetPluginCheckerForTests * Rename plugin context getter to be more PSA specific --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-03-26 07:54:50 +00:00
Pavel Zeman	b416344931	ci: cache prepackaged plugins in mmctl tests (#35720) ... * ci: cache prepackaged plugins in mmctl tests Cache the prepackaged_plugins directory between mmctl test runs using actions/cache. The cache key is derived from a SHA-256 hash of the PLUGIN_PACKAGES lines in server/Makefile, so the cache automatically invalidates whenever any plugin version is bumped — no manual key updates needed. Uses actions/cache output (cache-hit) to skip the download step entirely on cache hits. Saves ~1-2 minutes per mmctl test run by avoiding repeated plugin downloads. Co-authored-by: Claude <claude@anthropic.com> * fix: align plugin cache key with actual downloaded packages Address CodeRabbit review: cache key was derived from all 15 plugins in the Makefile, but the download only fetched jira plugin. Now both the hash and the download use the same MMCTL_PLUGIN_PACKAGES value, defined once, preventing stale cache or unnecessary invalidation. Co-authored-by: Claude <claude@anthropic.com> * Revert "fix: align plugin cache key with actual downloaded packages" This reverts commit 73303864bf. * Revert "ci: cache prepackaged plugins in mmctl tests" This reverts commit acd1ec757a. * prepackage the existing test plugin to speed up tests * fix: use public key for plugin signature verification in test --------- Co-authored-by: Claude <claude@anthropic.com> Co-authored-by: Jesse Hallam <jesse@mattermost.com>	2026-03-22 22:34:33 +08:00
Eva Sarafianou	5af5b6dfac	[MM-67744] Add -buildvcs=false to default GOFLAGS (#35587) ... * Add -buildvcs=false to default GOFLAGS This prevents Go from embedding VCS information into binaries, which avoids false positives in container vulnerability scanners like Trivy when using Go workspaces with enterprise dependencies. Also updates mmctl-build target to use $(GO) and $(GOFLAGS) for consistency with other build targets. Made-with: Cursor * Update comment wording Trigger PR sync to test Enterprise CI Made-with: Cursor * Trigger CI to test Enterprise CI fix Made-with: Cursor * Test Enterprise CI Made-with: Cursor * replace buildvcs metadata in mmctl * rm redundant -buildvcs=false in GitHub actions * update mmctl-docs to $(GO) * simplify getVersionInfo signature * use GOOS/GOARCH convention * export GOFLAGS for common use * Clarify version.go var block comment --------- Co-authored-by: Jesse Hallam <jesse@mattermost.com>	2026-03-20 10:28:36 -03:00
135yshr	314ed3756a	Fix import failures for Japanese filenames with dakuten on macOS (#35204) ... * 🐛 fix: normalize Unicode filenames in import attachment lookup Fix import failures for files with Japanese dakuten/handakuten characters (e.g., ガ, パ, べ) on macOS. macOS stores filenames in NFD (decomposed) form while Linux/Windows use NFC (composed) form. This mismatch caused attachment lookup failures when zip filenames and JSONL paths used different normalization forms. Changes: - Add NormalizeFilename utility function using golang.org/x/text/unicode/norm - Normalize filenames when building attachment maps from zip files - Normalize paths when looking up attachments in maps - Apply fixes to both server (import.go) and mmctl (validate.go) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * avoid duplicating normalizeFilename * add coverage for Korean filenames --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-18 12:16:55 +00:00
Indusha Semba	08f09274e8	mmctl: Add support for listing user roles through mmctl (#34064) ... Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Indusha Semba <indusha@Indushas-MacBook-Pro.local> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>	2026-03-18 11:43:13 +00:00
Domenico Rizzo	9dacec3672	[MM-29973] Adds E2E tests for mmctl plugin disable (#35464)	2026-03-18 11:05:46 +00:00
Doug Lauder	3e38cbc5ca	Add --workers flag to mmctl import process to control concurrency (#35582) ... * Add --workers flag to mmctl import process to control concurrency The bulk import worker count was hardcoded to runtime.NumCPU(), causing high database load on the master during imports on live systems. This is particularly impactful for incremental Slack imports where all users are re-imported each time, generating 8-15 DB operations per user against the master (due to LockToMaster). The new --workers flag allows administrators to reduce concurrency (e.g., --workers 1) to minimize impact on live users at the cost of longer import duration. Defaults to 0 which preserves the existing runtime.NumCPU() behavior. * Add max workers limit, capped at CPU Count * 4	2026-03-13 21:30:32 -04:00
Felipe Martin	7e7a1b582f	fix: only match root-level JSONL files when importing a zip (#35481) ... * fix: only match root-level JSONL files when importing a zip When importing a Mattermost export zip, the code iterated over all files to find the first .jsonl by extension. Exported attachments under data/ could themselves be .jsonl files, causing the import to pick an attachment as the manifest instead of the actual root-level JSONL file. Extract an IsRootJsonlFile helper in the imports package and use it in the import process worker, mmctl validator, and bulk import test to restrict the search to files with no directory component. * test: add integration test for import with nested JSONL decoy file Verify that BulkImportWithPath correctly picks the root-level JSONL manifest and ignores a decoy .jsonl inside a subdirectory, covering the fix from ad7f230f06.	2026-03-05 15:20:17 +01:00
Domenico Rizzo	8dbfb87877	MM-29974 Adds e2e tests to the plugin list command (#34866) ... * Adds e2e tests to the plugin list command Adds end-to-end tests to the pluginListCmdF function. These tests verify scenarios where appropriate permissions are not available, plugins are disabled, and success cases. * Updates plugin list command E2E tests Removes the `pluginArg` from `pluginListCmdF` calls within end-to-end tests. Ensures test cases accurately evaluate the `pluginListCmdF` behavior when no specific plugin name is provided as an argument, improving test coverage for default listing scenarios. Relates to MM-29974 * Simplifies plugin test defer cleanup Refactors defer statements in plugin E2E tests to directly call `s.th.App.UpdateConfig`. Removes redundant anonymous function wrappers, making the test cleanup code cleaner and more concise. Relates to MM-29974 --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-03-03 07:40:58 +00:00
Harrison Healey	6cd2df33ea	MM-67335 Fix export files having mismatched permissions (#35182) ... * MM-67335 Fix export files having mismatched permissions * Update test output when failing	2026-02-11 11:04:58 -05:00
Ben Schumacher	cbc9406815	[MM-67114] Add mmctl license get command (#34878) ... Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-10 08:26:59 +01:00
David Krauser	1cfe3d92b6	[MM-66836] Integrate PropertyAccessService into API and app layers (#34818) ... Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations. Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.	2026-02-06 18:06:51 -05:00
Daniel Espino García	2bd29c0359	Add the ability to patch channel autotranslations (#35078) ... * Add the ability to patch channel autotranslations * Fix lint * Update docs * Fix CI * Fix CI * Fix mmctl test * Check whether the channel is translated for the user when checking user enabled * Fix wrong uses of patch acrros e2e and frontend * Fix test * Fix wording * Fix tests and column name * Move group constrained test so they don't mess with the basic entities * Fix patch sending too much information	2026-02-06 18:19:06 +01:00
Ibrahim Serdar Acikgoz	22e4e9c171	Improve mmctl output by filtering escape sequences (#35191)	2026-02-05 15:32:35 +01:00
Jesse Hallam	41e5c7286b	Remove vestigial MySQL support (#34865) ... * Remove legacy quoteColumnName() utility Since Mattermost only supports PostgreSQL, the quoteColumnName() helper that was designed to handle database-specific column quoting is no longer needed. The function was a no-op that simply returned the column name unchanged. Remove the function from utils.go and update status_store.go to use the "Manual" column name directly. * Remove legacy driver checks from store.go Since Mattermost only supports PostgreSQL, remove conditional checks for different database drivers: - Simplify specialSearchChars() to always return PostgreSQL-compatible chars - Remove driver check from computeBinaryParam() - Remove driver check from computeDefaultTextSearchConfig() - Simplify GetDbVersion() to use PostgreSQL syntax directly - Remove switch statement from ensureMinimumDBVersion() - Remove unused driver parameter from versionString() * Remove MySQL alternatives for batch delete operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific DELETE...LIMIT syntax and keep only the PostgreSQL array-based approach: - reaction_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - file_info_store.go: Use PostgreSQL array syntax for PermanentDeleteBatch - preference_store.go: Use PostgreSQL tuple IN subquery for DeleteInvalidVisibleDmsGms * Remove MySQL alternatives for UPDATE...FROM syntax Since Mattermost only supports PostgreSQL, remove the MySQL-specific UPDATE syntax that joins tables differently: - thread_store.go: Use PostgreSQL UPDATE...FROM syntax in MarkAllAsReadByChannels and MarkAllAsReadByTeam - post_store.go: Use PostgreSQL UPDATE...FROM syntax in deleteThreadFiles * Remove MySQL alternatives for JSON and subquery operations Since Mattermost only supports PostgreSQL, remove the MySQL-specific JSON and subquery syntax: - thread_store.go: Use PostgreSQL JSONB operators for updating participants - access_control_policy_store.go: Use PostgreSQL JSONB @> operator for querying JSON imports - session_store.go: Use PostgreSQL subquery syntax for Cleanup - job_store.go: Use PostgreSQL subquery syntax for Cleanup * Remove MySQL alternatives for CTE queries Since Mattermost only supports PostgreSQL, simplify code that uses CTEs (Common Table Expressions): - channel_store.go: Remove MySQL CASE-based fallback in UpdateLastViewedAt and use PostgreSQL CTE exclusively - draft_store.go: Remove driver checks in DeleteEmptyDraftsByCreateAtAndUserId, DeleteOrphanDraftsByCreateAtAndUserId, and determineMaxDraftSize * Remove driver checks in migrate.go and schema_dump.go Simplify migration code to use PostgreSQL driver directly since PostgreSQL is the only supported database. * Remove driver checks in sqlx_wrapper.go Always apply lowercase named parameter transformation since PostgreSQL is the only supported database. * Remove driver checks in user_store.go Simplify user store functions to use PostgreSQL-only code paths: - Remove isPostgreSQL parameter from helper functions - Use LEFT JOIN pattern instead of subqueries for bot filtering - Always use case-insensitive LIKE with lower() for search - Remove MySQL-specific role filtering alternatives * Remove driver checks in post_store.go Simplify post_store.go to use PostgreSQL-only code paths: - Inline getParentsPostsPostgreSQL into getParentsPosts - Use PostgreSQL TO_CHAR/TO_TIMESTAMP for date formatting in analytics - Use PostgreSQL array syntax for batch deletes - Simplify determineMaxPostSize to always use information_schema - Use PostgreSQL jsonb subtraction for thread participants - Always execute RefreshPostStats (PostgreSQL materialized views) - Use materialized views for AnalyticsPostCountsByDay - Simplify AnalyticsPostCountByTeam to always use countByTeam * Remove driver checks in channel_store.go Simplify channel_store.go to use PostgreSQL-only code paths: - Always use sq.Dollar.ReplacePlaceholders for UNION queries - Use PostgreSQL LEFT JOIN for retention policy exclusion - Use PostgreSQL jsonb @> operator for access control policy imports - Simplify buildLIKEClause to always use LOWER() for case-insensitive search - Simplify buildFulltextClauseX to always use PostgreSQL to_tsvector/to_tsquery - Simplify searchGroupChannelsQuery to use ARRAY_TO_STRING/ARRAY_AGG * Remove driver checks in file_info_store.go Simplify file_info_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL to_tsvector/to_tsquery for file search - Use file_stats materialized view for CountAll() - Use file_stats materialized view for GetStorageUsage() when not including deleted - Always execute RefreshFileStats() for materialized view refresh * Remove driver checks in attributes_store.go Simplify attributes_store.go to use PostgreSQL-only code paths: - Always execute RefreshAttributes() for materialized view refresh - Remove isPostgreSQL parameter from generateSearchQueryForExpression - Always use PostgreSQL LOWER() LIKE LOWER() syntax for case-insensitive search * Remove driver checks in retention_policy_store.go Simplify retention_policy_store.go to use PostgreSQL-only code paths: - Remove isPostgres parameter from scanRetentionIdsForDeletion - Always use pq.Array for scanning retention IDs - Always use pq.Array for inserting retention IDs - Remove unused json import * Remove driver checks in property stores Simplify property_field_store.go and property_value_store.go to use PostgreSQL-only code paths: - Always use PostgreSQL type casts (::text, ::jsonb, ::bigint, etc.) - Remove isPostgres variable and conditionals * Remove driver checks in channel_member_history_store.go Simplify PermanentDeleteBatch to use PostgreSQL-only code path: - Always use ctid-based subquery for DELETE with LIMIT * Remove remaining driver checks in user_store.go Simplify user_store.go to use PostgreSQL-only code paths: - Use LEFT JOIN for bot exclusion in AnalyticsActiveCountForPeriod - Use LEFT JOIN for bot exclusion in IsEmpty * Simplify fulltext search by consolidating buildFulltextClause functions Remove convertMySQLFullTextColumnsToPostgres and consolidate buildFulltextClause and buildFulltextClauseX into a single function that takes variadic column arguments and returns sq.Sqlizer. * Simplify SQL stores leveraging PostgreSQL-only support - Simplify UpdateMembersRole in channel_store.go and team_store.go to use UPDATE...RETURNING instead of SELECT + UPDATE - Simplify GetPostReminders in post_store.go to use DELETE...RETURNING - Simplify DeleteOrphanedRows queries by removing MySQL workarounds for subquery locking issues - Simplify UpdateUserLastSyncAt to use UPDATE...FROM...RETURNING instead of fetching user first then updating - Remove MySQL index hint workarounds in ORDER BY clauses - Update outdated comments referencing MySQL - Consolidate buildFulltextClause and remove convertMySQLFullTextColumnsToPostgres * Remove MySQL-specific test artifacts - Delete unused MySQLStopWords variable and stop_word.go file - Remove redundant testSearchEmailAddressesWithQuotes test (already covered by testSearchEmailAddresses) - Update comment that referenced MySQL query planning * Remove MySQL references from server code outside sqlstore - Update config example and DSN parsing docs to reflect PostgreSQL-only support - Remove mysql:// scheme check from IsDatabaseDSN - Simplify SanitizeDataSource to only handle PostgreSQL - Remove outdated MySQL comments from model and plugin code * Remove MySQL references from test files - Update test DSNs to use PostgreSQL format - Remove dead mysql-replica flag and replicaFlag variable - Simplify tests that had MySQL/PostgreSQL branches * Update docs and test config to use PostgreSQL - Update mmctl config set example to use postgres driver - Update test-config.json to use PostgreSQL DSN format * Remove MySQL migration scripts, test data, and docker image Delete MySQL-related files that are no longer needed: - ESR upgrade scripts (esr.*.mysql.*.sql) - MySQL schema dumps (mattermost-mysql-*.sql) - MySQL replication test scripts (replica-*.sh, mysql-migration-test.sh) - MySQL test warmup data (mysql_migration_warmup.sql) - MySQL docker image reference from mirror-docker-images.json * Remove MySQL references from webapp - Simplify minimumHashtagLength description to remove MySQL-specific configuration note - Remove unused HIDE_MYSQL_STATS_NOTIFICATION preference constant - Update en.json i18n source file * clean up e2e-tests * rm server/tests/template.load * Use teamMemberSliceColumns() in UpdateMembersRole RETURNING clause Refactor to use the existing helper function instead of hardcoding the column names, ensuring consistency if the columns are updated. * u.id -> u.Id * address code review feedback --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-20 21:01:59 +00:00
Alejandro García Montoro	5e99f12c3a	MM-67119: Remove unused Channel.Etag (#34951) ... * Remove unused Channel.Etag Computing the etag for a channel is complex due to user-specific data, so we remove the unused Etag function to avoid confusion until a performance need for it arises. * Remove etag from Client4.GetChannel and tests * make mocks * Fix missing GetChannel calls	2026-01-20 17:46:17 +01:00
Daniel Espino García	b5a816a657	Add audits for accessing posts without membership (#31266) ... * Add audits for accessing posts without membership * Fix tests * Use correct audit level * Address feedback * Add missing checks all over the app * Fix lint * Fix test * Fix tests * Fix enterprise test * Add missing test and docs * Fix merge * Fix lint * Add audit logs on the web socket hook for permalink posts * Fix lint * Fix merge conflicts * Handle all events with "non_channel_member_access" parameter * Fix lint and tests * Fix merge * Fix tests	2026-01-20 10:38:27 +01:00
Jesse Hallam	65d69b0498	Use testify ElementsMatch instead of sorting slices before comparison (#34899) ... Simplifies test code by using ElementsMatch which handles order-independent slice comparison. Removes custom sort implementations and manual sorting that was only needed for equality checks. Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-13 11:40:03 -04:00
Jesse Hallam	84e267e9e8	[MM-66789] Restrict ImportSettings.Directory changes via API and add validation (#34653) ... This change enhances security by preventing ImportSettings.Directory from being modified through the API and adds validation to prevent directory conflicts. Changes: - Restricted ImportSettings.Directory from being changed via API - Added validation to prevent directory conflicts with plugin directory - Added error message translation - Updated and added comprehensive tests Co-authored-by: Mattermost Build <build@mattermost.com>	2026-01-06 16:30:07 +00:00
Ibrahim Serdar Acikgoz	084006c0ea	[MM-61758] Burn on read feature (#34703) ... * Add read receipt store for burn on read message types * update mocks * fix invalidation target * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * add translations * Added logic to associate files of BoR post with the post * Added test * fixes * disable pinning posts and review comments * MM-66594 - Burn on read UI integration (#34647) * MM-66244 - add BoR visual components to message editor * MM-66246 - BoR visual indicator for sender and receiver * MM-66607 - bor - add timer countdown and autodeletion * add the system console max time to live config * use the max expire at and create global scheduler to register bor messages * use seconds for BoR config values in BE * implement the read by text shown in the tooltip logic * unestack the posts from same receiver and BoR and fix styling * avoid opening reply RHS * remove unused dispatchers * persis the BoR label in the drafts * move expiration value to metadata * adjust unit tests to metadata insted of props * code clean up and some performance improvements; add period grace for deletion too * adjust migration serie number * hide bor messages when config is off * performance improvements on post component and code clean up * keep bor existing post functionality if config is disabled * Add read receipt store for burn on read message types * Add temporary posts table * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * avoid reacting to unrevealed bor messages * adjust migration number * Add read receipt store for burn on read message types * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * adjust post reveal and type with backend changes * use real config values, adjust icon usage and style * adjust the delete from from sender and receiver * improve self deleting logic by placing in badge, use burn endpoint * adjust websocket events handling for the read by sender label information * adjust styling for concealed and error state * update burn-on-read post event handling for improved recipient tracking and multi-device sync * replace burn_on_read with type in database migrations and model * remove burn_on_read metadata from PostMetadata and related structures * Added logic to associate files of BoR post with the post * Added test * adjust migration name and fix linter * Add read receipt store for burn on read message types * update mocks * have consistent case on index creation * Add temporary posts table * add mock * add transaction support * reflect review comments * wip: Add reveal endpoint * user check error id instead * wip: Add ws events and cleanup for burn on read posts * add burn endpoint for explicitly burning messages * Added logic to associate files of BoR post with the post * Added test * disable pinning posts and review comments * show attachment on bor reveal * remove unused translation * Enhance burn-on-read post handling and refine previous post ID retrieval logic * adjust the returning chunk to work with bor messages * read temp post from master db * read from master * show the copy link button to the sender * revert unnecessary check * restore correct json tag * remove unused error handling and clarify burn-on-read comment * improve type safety and use proper selectors * eliminate code duplication in deletion handler * optimize performance and add documentation * delete bor message for sender once all receivers reveal it * add burn on read to scheduled posts * add feature enable check * use master to avoid all read recipients race condition --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com> Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com> * squash migrations into single file * add configuration for the scheduler * don't run messagehasbeenposted hook * remove parallel tests on burn on read * add clean up for closing opened modals from previous tests * simplify delete menu item rendering * add cleanup step to close open modals after each test to prevent pollution * streamline delete button visibility logic for Burn on Read posts * improve reliability of closing post menu and modals by using body ESC key --------- Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com> Co-authored-by: Pablo Vélez <pablovv2012@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-12-11 07:59:50 +01:00
Nicolas Le Cam	d25da66be5	mmctl: allow filtering users by role and displaying user roles (#34051)	2025-11-25 09:24:15 +01:00
Scott Bishel	b1338853a1	Add cursor-based Posts Reporting API for compliance and auditing (#34252) ... * Add cursor-based Posts Reporting API for compliance and auditing Implements a new admin-only endpoint for retrieving posts with efficient cursor-based pagination, designed for compliance, auditing, and archival workflows. Key Features: - Cursor-based pagination using composite (time, ID) keys for consistent performance regardless of dataset size (~10ms per page at any depth) - Flexible time range queries with optional upper/lower bounds - Support for both create_at and update_at time fields - Ascending or descending sort order - Optional metadata enrichment (files, reactions, acknowledgements) - System admin only access (requires manage_system permission) - License enforcement for compliance features API Endpoint: POST /api/v4/reports/posts - Request: JSON body with channel_id, cursor_time, cursor_id, and options - Response: Posts map + next_cursor object (null when pagination complete) - Max page size: 1000 posts per request (MaxReportingPerPage constant) Implementation: - Store Layer: Direct SQL queries with composite index on (ChannelId, CreateAt, Id) - App Layer: Permission checks, optional metadata enrichment, post hooks - API Layer: Parameter validation, system admin enforcement, license checks - Data Model: ReportPostOptions, ReportPostOptionsCursor, ReportPostListResponse Code Quality Improvements: - Added MaxReportingPerPage constant (1000) to eliminate magic numbers - Removed unused StartTime field from ReportPostOptions - Added fmt import for dynamic error messages Testing: - 14 comprehensive store layer unit tests - 12 API layer integration tests covering permissions, pagination, filters - All tests passing Documentation: - POSTS_REPORTING.md: Developer reference with Go structs and usage examples - POSTS_REPORTING_API_SPEC.md: Complete technical specification - GET_POSTS_API_IMPROVEMENTS.md: Implementation analysis and design rationale - POSTS_TIME_RANGE_FEATURE.md: Archived time range feature for future use Performance: Cursor-based pagination maintains consistent ~10ms query time at any dataset depth, compared to offset-based pagination which degrades significantly (Page 1 = 10ms, Page 1000 = 10 seconds). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * lint fixes * lint fixes * gofmt * i18n-extract * Add Enterprise license requirement to posts reporting API Enforce Enterprise license (tier 20+) for the new posts reporting endpoint to align with compliance feature licensing. Professional tier is insufficient. Changes: - Add MinimumEnterpriseLicense check in GetPostsForReporting app layer - Add test coverage for license validation (no license and Professional tier) All existing tests pass with new license enforcement. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * i18n-extract * add licensing to api documentation * Test SSH signing * Add mmctl command for posts reporting API Adds mmctl report posts command to retrieve posts from a channel for administrative reporting purposes. Supports cursor-based pagination with configurable sorting, filtering, and time range options. Includes database migration for updateat+id index to support efficient cursor-based queries when sorting by update_at. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor posts reporting API cursor to opaque token and improve layer separation This addresses code review feedback by transforming the cursor from exposed fields to an opaque token and improving architectural layer separation. **Key Changes:** 1. **Opaque Cursor Implementation** - Transform cursor from split fields (cursor_time, cursor_id) to single opaque base64-encoded string - Cursor now self-contained with all query parameters embedded - When cursor provided, embedded parameters take precedence over request body - Clients treat cursor as opaque token and pass unchanged 2. **Field Naming** - Rename ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Now excludes ALL system posts (any type starting with "system_") - Clearer and more consistent naming 3. **Layer Separation** - Move cursor decoding from store layer to model layer - Create ReportPostQueryParams struct for resolved parameters - Store layer receives pre-resolved parameters (no business logic) - Add ResolveReportPostQueryParams() function in model layer 4. **Code Quality** - Add type-safe constants (ReportingTimeFieldCreateAt, ReportingSortDirectionAsc, etc.) - Replace magic number 9223372036854775807 with math.MaxInt64 - Remove debug SQL logging (info disclosure risk) - Update mmctl to use constants and fix NextCursor pointer access 5. **Tests** - Update all 17 store test calls to use new resolution pattern - Add comprehensive test for DESC + end_time boundary behavior 6. **API Documentation** - Update OpenAPI spec to reflect opaque cursor format - Update all request/response examples - Clarify end_time behavior with sort directions **Files Changed:** - Model layer: public/model/post.go - App layer: channels/app/report.go - Store layer: channels/store/store.go, channels/store/sqlstore/post_store.go - Tests: channels/store/storetest/post_store.go - Mocks: channels/store/storetest/mocks/PostStore.go - API: channels/api4/report.go, channels/api4/report_test.go - mmctl: cmd/mmctl/commands/report.go - Docs: api/v4/source/reports.yaml 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix unhandled parse errors in cursor decoding Address security finding: cursor decoding was silently ignoring parse errors from strconv functions, which could lead to unexpected behavior when malformed cursors are provided. Changes: - Add explicit error handling for strconv.Atoi (version parsing) - Add explicit error handling for strconv.ParseBool (includeDeleted, excludeSystemPosts) - Add explicit error handling for strconv.ParseInt (timestamp parsing) - Return clear error messages indicating which field failed to parse This prevents silent failures where malformed values would default to zero-values (0, false) and potentially alter query behavior without warning. Addresses DryRun Security finding: "Unhandled Errors in Cursor Parsing" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix linting issues - Remove unused reportPostCursorV1 struct (unused) - Remove obsolete +build comment (buildtag) - Use maps.Copy instead of manual loop (mapsloop) - Modernize for loop with range over int (rangeint) - Apply gofmt formatting 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix gofmt formatting issues Fix alignment in struct literals and constant declarations: - Align map keys in report_test.go request bodies - Align struct fields in ReportPostOptions initialization - Align reporting constant declarations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update mmctl tests for opaque cursor and add i18n translations Update report_test.go to align with the refactored Posts Reporting API: - Replace split cursor flags (cursor-time, cursor-id) with single opaque cursor flag - Update field name: ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Update all mock expectations to use new ReportPostOptionsCursor structure - Replace test cursor values with base64-encoded opaque cursor strings Add English translations for cursor decoding error messages in i18n/en.json. Minor API documentation fix in reports.yaml (remove "all" from description). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update mmctl tests for opaque cursor and add i18n translations Update report_test.go to align with the refactored Posts Reporting API: - Replace split cursor flags (cursor-time, cursor-id) with single opaque cursor flag - Update field name: ExcludeChannelMetadataSystemPosts → ExcludeSystemPosts - Update all mock expectations to use new ReportPostOptionsCursor structure - Replace test cursor values with base64-encoded opaque cursor strings Add English translations for cursor decoding error messages in i18n/en.json. Minor API documentation fix in reports.yaml (remove "all" from description). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * more lint fixes * remove index update files * Remove end_time parameter from Posts Reporting API Align with other cursor-based APIs in the codebase by removing the end_time parameter. The caller now controls when to stop pagination by simply not making another request, which is the same pattern used by GetPostsSinceForSync, MessageExport, and GetPostsBatchForIndexing. Changes: - Remove EndTime field from ReportPostOptions and ReportPostQueryParams - Remove EndTime filtering logic from store layer - Remove tests that used end_time parameter 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor posts reporting API for security and validation Address security review feedback by consolidating parameter resolution and validation in the API layer, with comprehensive validation of all cursor fields to prevent SQL injection and invalid queries. Changes: - Move parameter resolution from model to API layer for clearer separation - Add ReportPostQueryParams.Validate() with inline validation for all fields - Validate ChannelId, TimeField, SortDirection, and CursorId format - Add start_time parameter for time-bounded queries - Cap per_page at 100-1000 instead of rejecting invalid values - Export DecodeReportPostCursorV1() for API layer use - Simplify app layer to receive pre-validated parameters - Check channel existence when results are empty (better error messages) Testing: - Add 10 model tests for validation and malformed cursor scenarios - Add 4 API tests for cursors with invalid field values - Refactor 13 store tests to use buildReportPostQueryParams() helper - All 31 tests pass Documentation: - Update OpenAPI spec with start_time, remove unused end_time - Update markdown docs with start_time examples Security improvements: - Whitelist validation prevents SQL injection in TimeField/SortDirection - Format validation ensures ChannelId and CursorId are valid IDs - Single validation point for both cursor and options paths - Defense in depth: validation + parameterized queries + store layer whitelist 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Improve posts reporting query efficiency and safety Replace SELECT * and nested OR/AND conditions with explicit column selection and PostgreSQL row value comparison for better performance and maintainability. Changes: - Use postSliceColumns() instead of SELECT * for explicit column selection - Replace Squirrel OR/AND with row value comparison: (timeField, Id) > (?, ?) - Use fmt.Sprintf for safer string formatting in WHERE clause Query improvements: Before: WHERE (CreateAt > ?) OR (CreateAt = ? AND Id > ?) After: WHERE (CreateAt, Id) > (?, ?) Benefits: - Explicit column selection prevents issues if table schema changes - Row value comparison is more concise and better optimized by PostgreSQL - Follows existing patterns in post_store.go (postSliceColumns) - Standard SQL:2003 syntax 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Change posts reporting response from map to ordered array Replace the Posts map with an ordered array to preserve query sort order and provide a more natural API response for sequential processing. Changes: - ReportPostListResponse.Posts: map[string]*Post → []*Post - Store layer returns posts array directly (already sorted by query) - App layer iterates by index for metadata enrichment - Remove applyPostsWillBeConsumedHook call (not applicable to reporting) - Update API tests to iterate arrays instead of map lookups - Update store tests to convert array to map for deduplication checks - Remove unused "maps" import Benefits: - Preserves query sort order (ASC/DESC, create_at/update_at) - More natural for sequential processing/export workflows - Simpler response structure for reporting/compliance use cases - Aligns with message export/compliance patterns (no plugin hooks) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix linting issues in posts reporting tests Replace inefficient loops with append(...) for better performance. Changes: - Use append(postSlice, result.Posts...) instead of loop - Simplifies code and follows staticcheck recommendations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix store test AppError nil checking Use require.Nil instead of require.NoError for *AppError returns to avoid Go interface nil pointer issues. When DecodeReportPostCursorV1 returns nil *AppError and it's assigned to error interface, the interface becomes non-nil even though the pointer is nil. This causes require.NoError to fail incorrectly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-17 09:02:19 -07:00
Miguel de la Cruz	ef16fcfad2	Adds default values to the attrs of CPA fields and refactors the app layer (#34408) ... * Adds default values to the attrs of CPA fields and refactors the app layer * Fix mmctl tests * Fix types and linter * Fix model test --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-11-13 12:00:54 +01:00
Ben Schumacher	b2df9be70b	Fix errcheck linter errors in helpers (#31578)	2025-11-12 13:00:51 +01:00
Domenico Rizzo	a981291ea2	MM-42819 mmctl: informative errors on permanent deletions (#30230) ... Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>	2025-11-06 10:38:10 +01:00
Ben Schumacher	892a7c9c69	Use golangci-lints's build-in modernize linter (#34341)	2025-11-04 12:09:11 +01:00
Priyansh Naskar	7e5e5ac199	[MM-47826] Review convertUserToBot function to return an error in case of a failure (#21460) (#33534) ... Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>	2025-10-14 16:31:01 +02:00
Ben Schumacher	4006683af0	Improve mmctl test practices and error handling (#34079) ... Co-authored-by: Claude <noreply@anthropic.com>	2025-10-14 12:28:27 +02:00
Ben Schumacher	71579a85a6	[MM-64633] Rewrite Go client using Generics (#31805) ... Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>	2025-10-07 12:19:21 +02:00
Ben Schumacher	3df25e6904	[MM-65830] Fix mmctl system status exit code for health check failures (#33970) ... * [MM-65830] Fix mmctl system status exit code for health check failures Make mmctl system status return non-zero exit codes when health checks fail. This addresses the customer blocker issue where AWS ECS health checks were broken after the distroless Docker image change, as they rely on exit codes to determine service health. Changes: - Return error (non-zero exit) when server status != "OK" - Return error when database_status != "OK" - Return error when filestore_status != "OK" - Return success (exit code 0) only when all components are healthy - Add comprehensive test coverage for all health check scenarios - Maintain backward compatibility for missing status fields 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * [MM-65830] Refactor mmctl system status to exit silently on health failures Update mmctl system status to exit with code 1 when components are unhealthy without outputting error messages. This addresses the customer blocker where AWS ECS health checks were broken after the distroless Docker image change, as they rely on exit codes to determine service health. Changes: - Add withClientAndExitCode wrapper for commands returning (bool, error) - Modify systemStatusCmdF to return (bool, error) instead of error - Return (true, nil) when any component is unhealthy (causes exit code 1) - Return (false, nil) when all components are healthy (causes exit code 0) - Return (false, error) for actual API/network failures - Always print status information before checking health - Update comprehensive test coverage for all scenarios The refactored approach uses a clean adapter pattern that converts (bool, error) signatures to standard error returns while delegating to existing withClient infrastructure to avoid code duplication. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * [MM-65830] Ensure printer output is flushed before exit Add printer.Flush() call before os.Exit(1) in withClientAndExitCode wrapper to ensure all buffered output is properly written before the program exits. This ensures status information is always displayed to users even when exiting with non-zero exit codes. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add godoc comment * Output content then error out --------- Co-authored-by: Claude <noreply@anthropic.com>	2025-10-06 10:49:46 +00:00
Miguel de la Cruz	3f675734bb	Updates buildFieldAttrs to preseve existing attrs when editing a field (#33991) ... * Updates buildFieldAttrs to preseve existing attrs when editing a field * Fix preserve option issue for select/multiselect type fields * Fix linter --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-10-01 11:00:06 +02:00
Miguel de la Cruz	a9b894b7c3	Move mmctl cpa subcommands under mmctl user attributes (#33975) ... Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-29 11:29:30 +00:00
Miguel de la Cruz	cd3f4483ee	Improves mmctl cpa subcommands' output to show human readable values instead of IDs (#33943) ... * Improves `mmctl cpa` subcommands' output to show human readable values instead of IDs * Adds mmctl docs updates * Fixed linter --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-26 10:56:01 +02:00
Harsh Aulakh	80410e99db	Add e2e tests for ConfigMigrateCmdF (#30161) ... * add e2e tests for ConfigMigrateCmdF * resolve review comments --------- Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-23 14:27:01 +02:00
Ben Schumacher	18eb1347db	[MM-64900] Migrate to use request.CTX instead of context.Context (#33541) ... * Migrate GetRoleByName * Migrate users GetUsers * Migrate Post and Thread store * Migrate channel store * Fix TestConvertGroupMessageToChannel * Fix TestGetMemberCountsByGroup * Fix TestPostStoreLastPostTimeCache	2025-09-18 16:14:24 +02:00
Miguel de la Cruz	aad2fa1461	Adds Custom Profile Attributes value commands to mmctl (#33881) ... Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2025-09-12 17:59:40 +02:00
Miguel de la Cruz	316712522c	Adds Custom Profile Attribute field commands to mmctl (#33789) ... * Adds Custom Profile Attribute field commands to mmctl * Fix linter * Refactor buildFieldAttrs * Reverse test to match implementation * Adds a confirmation prompt * Refactor the tests --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-11 18:38:21 +02:00
Ben Schumacher	3555665a02	Remove deprecated mmctl user email and username commands (#33754) ... - Removed UpdateUserEmailCmd and UpdateUsernameCmd commands - Deleted updateUserEmailCmdF and updateUsernameCmdF functions - Commands were deprecated in favor of 'mmctl user edit email/username' 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>	2025-09-08 13:36:25 +02:00
Jesse Hallam	de72b41232	relocate message export (#33805)	2025-08-27 23:22:05 +03:00