* MM-66813 - Add server origin verification to mobile SSO callbacks
* Enhance mobile SSO security and deprecate code-exchange
* Update code-exchange deprecation to follow MM standards
* Use config SiteURL for srv param, fix flow terminology
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
The generation of notice-file is failing with
```
2026/02/16 10:20:39 NPM load failed @mattermost/shared
2026/02/16 10:20:39 Error occured while generating notice.txt @mattermost/shared:http status code 404 when downloading "https://registry.npmjs.org/@mattermost/shared"
```
This relates with https://github.com/mattermost/mattermost/pull/35065 because
the package is still local and isn't yet published in npm
So, this is ignores the shared package while it isn't published.
* fix guest user import when guest user doesn't have any memberships
This PR fixes an issue where a guest user without channel or team memberships
is not being imported and the importer will then throw an error and abort.
Key changes:
1. Updated validateGuestRoles function to allow system guests without any teams/channels
2. Improved error handling with specific error messages for different validation failures
3. Updated tests to reflect new behavior allowing system guests with no team memberships
4. Added new i18n error messages for better user feedback
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Extract i18n strings and update English locale
- Ran 'make i18n-extract' to extract translation strings from source code
- Alphabetically sorted translation keys in server/i18n/en.json
- Moved guest user validation error messages to proper alphabetical positions
- Removed obsolete/unused translation entries for cleaner locale file
Co-authored-by: Jesse Hallam <lieut-data@users.noreply.github.com>
* Revert "Extract i18n strings and update English locale"
This reverts commit 9d3887cb2e.
* actually fix i18n, needs enterprise access
* add integration test for importing guest user without team/channel memberships
---------
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jesse Hallam <lieut-data@users.noreply.github.com>
Co-authored-by: Jesse Hallam <jesse@mattermost.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
The Active() check was incorrectly preventing the slash command from working on non-leader nodes in HA clusters. Active() only returns true on the cluster leader (which runs the sync loop), but slash commands can be routed to any node via the load balancer. A nil check is sufficient to verify the service is licensed and configured.
* MM-67312: Restrict Burn-on-Read for self DMs and bot users
* fix lint issues
* use utility function to make code more reliable
* add test case for deleted user and handle restrictively that scenario
* fix i18n
* Allow bots to send BoR; block only self-DMs & DMs with bots
* Refactor BoR validation to API layer with individual params
* adjust comment
* Fix BoR validation to fail-closed when context unavailable
* Fix variable shadowing in CreatePost burn-on-read validation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* remove translation entry
* fix linter
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Claude <noreply@anthropic.com>
* Draft changes for BoR post soft-deletion
* Handled the case for author's BoR post read receipt
* lint fix
* Updated text
* Updated tests
* review fixes
* review fixes
* Paginated and batched temperory post deletion
* Updated test
* unmocked store
* logged instead of erroring out
* i18n fix
* review fixes
* support for Elastic(Open)search CJK analysis plugins
* addresses PR review comments
* addresses PR comments
* moves CJK based tests to own file and adds some more
Dockerfile for open and elasticsearch are changed to install required
plugins for testing or running locally.
* properly sort error messages
* fix style issues
* removes trailing space
* Add default agent support and App Bar integration
- Add Agents section to App Bar, separating it from Core Products.
- Implement Default Agent logic in AtMentionProvider:
- Promote default agent to top of suggestions for empty '@' prefix.
- Filter duplicate agent entry from main list when default is shown.
- Add `AgentTag` component for UI distinction.
- Update `mattermost-plugin-ai` and `server/public` dependencies.
- Add unit tests for default agent suggestion logic.
* Add missing files (server deps, types)
* Fix pre-commit check failures
- Fix TypeScript errors in test files:
- Add missing displayName property to defaultAgent in at_mention_provider test
- Add missing fetchAgents mock in textbox test
- Fix Go assignment mismatch in integration_action_test.go (CreatePostAsUser returns 3 values)
- Fix license copyright year in plugins/mattermost-ai/assets/embed.go
- Update i18n translations (add tag.default.agent)
- Regenerate Go serialized files, mmctl docs, and update go.mod/go.sum
* Update snapshot tests for textbox and at_mention_suggestion
* Undo mmctl docs changes
* Undo more changes
* revert package-lock.json
* Update dep for ai plugin
* Update again
* Update at_mention_provider to filter out agent duplicates and add .cursor/ to gitignore
- Filter agent usernames from priorityProfiles and localAndRemoteMembers to prevent duplicate entries in autocomplete suggestions
- Add .cursor/ directory to .gitignore
Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
* Include log viewer (system console) in log root path validation
* Add informative message to log viewer when no logs are displayed
-----
Co-authored-by: Mattermost Build <build@mattermost.com>
* add authentication status to audit log for logouts
* improve audit log testing for other tests
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* AutoTranslate config settings
* comment out Agents provider
* Add auto translate timeout config validation
* i18n messages for autotranslation config validation
* fix test
* validate url for libreTranslate
* Feedback review
* Admin Console UI for Auto-Translation
* fix admin console conditional section display
* i18n
* removed unintentional change
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* update admin.general.localization.autoTranslateProviderDescription newline
* fix lint
* Fix types
* UX feedback review
* fix typo in i18n
* Fix AutoTranslation feature flag
* feedback review
* Fix test default values
* feedback review
* re-add isHidden property to feature discovery
* Database Migrations, Indexes and Methods for Auto-Translation
* i18n
* fix retrylayer and storetest
* Fix search query
* fix lint
* remove the request.CTX and modify Translation model
* fix lint and external url
* Add settings to playwright
* Add empty as a valid value for the Provider
* Update jsonb queries
* Fix queries and add model methods
* fix go lint
* go lint fix 2
* fix db migrations
* feedback review + store cache
* increase migration number
* cleanup autotranslation store cache
* use NULL as objectType for posts
* fix bad merge
* fix tests
* add missing i18n
* Active WebSocket Connection User Tracking
* copilot feedback and fix styles
* remove duplicate calls
* remove early return to mitigate timing attacks
* Switch prop bags column to boolean
* fix lint
* fix tests
* Remove database search
* use Builder methods
* review feedback
* AutoTranslation interface with Core Translation Logic
* update timeouts to use short/medium/long translations
* external exports
* add configured languages to autotranslations
* added post prop for detected language
* fix bugs for storing translation and call translation service
* clean up interface
* add translations to GetPost repsonses and in the create post response
* use metadata for translation information and add new column for state of a translation
* change websocket event name
* change metadata to a map
* single in memory queue in the cluster leader
* remove unused definition
* Revert "remove unused definition"
This reverts commit e3e50cef30.
* remove webhub changes
* remove last webhub bit
* tidy up interface
* Frontend integration
* tidy up
* fix api response for translations
* Add Agents provider for auto translations (#34706)
* Add LLM backed autotranslation support
* Remove AU changes
* Remove orphaned tests for deleted GetActiveUserIDsForChannel
The GetActiveUserIDsForChannel function was removed from PlatformService
as part of the autotranslations refactoring, but its tests were left behind
causing linter/vet errors. This removes the orphaned test code:
- BenchmarkGetActiveUserIDsForChannel
- TestGetActiveUserIDsForChannel
- waitForActiveConnections helper
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add missing i18n translations and fix linter errors
- Add 17 missing translation strings for autotranslation feature
- Fix shadow variable declarations in post.go and autotranslation.go
- Remove unused autoQueueMaxAge constant
- Remove unused setupWithFastIteration test function
- Use slices.Contains instead of manual loop
- Use maps.Copy instead of manual loop
- Remove empty if branch
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix tests
* Fixes for PR review
* add files
* Update webapp/channels/src/components/admin_console/localization/localization.scss
Co-authored-by: Matthew Birtch <mattbirtch@gmail.com>
* fixes
* Fixes
* Didn't save
* Add a translation
* Fix translations
* Fix shadow err
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Matthew Birtch <mattbirtch@gmail.com>
* tidy up code for review
* add support for editing posts
* i18n-extract
* i18n
* Rename show translations and add util to get message
* Fix get posts, migrations, websockets and configuration styles
* Fix CI
* i18n-extract
* Fix webapp tests
* Address UX feedback
* i18n-extract
* Fix lint
* updated shimmer animation, fixed issue with the width on compact icon buttons
* fix migrations
* fix markdown masking for bold, italics and strikethrough
* Address feedback
* Add missing changes
* Fix and add tests
* Fix circular dependencies
* lint
* lint
* lint and i18n
* Fix lint
* Fix i18n
* Minor changes
* Add check for whether the channel is translated or not for this user
* Fix lint and add missing change
* Fix lint
* Fix test
* Remove uneeded console log
* Fix duplicated code
* Fix small screen show translation modal
* Remove interactions on show translation modal
* Disable auto translation when the language is not supported
* Fix typo
* Fix copy text
* Fix updating autotranslation for normal users
* Fix autotranslate button showing when it shouldn't
* Fix styles
* Fix test
* Fix frontend member related changes
* Revert post improvements and remove duplicated code from bad merge
* Address feedback
* Fix test and i18n
* Fix e2e tests
* Revert lingering change from post improvements
* Fix lint
---------
Co-authored-by: Elias Nahum <nahumhbl@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: BenCookie95 <benkcooke@gmail.com>
Co-authored-by: Nick Misasi <nick.misasi@mattermost.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Matthew Birtch <mattbirtch@gmail.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* rebased all prev commits into one (see commit desc)
add UsePreferredUsername support to gitlab; tests
resort en.json
update an out of date comment
webapp i18n
simplify username logic
new arguments needed in tests
debug statements -- revert
* merge conflicts
* fix i18n
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* MM-67372: Filter SVG images from OpenGraph metadata to prevent DoS
This commit adds server-side filtering of SVG images from OpenGraph
metadata to mitigate a DoS vulnerability where malicious SVG images
in og:image tags can crash Chromium-based browsers and Safari.
Changes:
- Add IsSVGImageURL() helper function in model package to detect SVG URLs
- Filter SVG images in parseOpenGraphMetadata() for regular HTML pages
- Filter SVG images in parseOpenGraphFromOEmbed() for oEmbed responses
- Add defense-in-depth filtering in TruncateOpenGraph() and getImagesForPost()
- Add comprehensive tests for all SVG filtering functionality
SVG detection is based on:
- File extension (.svg, .svgz) - case-insensitive
- MIME type (image/svg+xml)
Reference: https://issues.chromium.org/issues/40057345
* MM-67372: Filter SVG images from cache/DB and direct SVG URLs
This commit addresses remaining attack vectors for the SVG DoS vulnerability:
1. Cache/DB filtering: Apply TruncateOpenGraph when returning OpenGraph
from cache or database to filter stale data that was stored before
the initial fix was deployed.
2. Direct SVG URLs: Filter PostImage entries with Format="svg" to prevent
browser crashes when someone posts a direct link to an SVG file.
3. Embed creation: Skip creating image embeds for SVG images and create
link embeds instead.
4. New SVG detection: Return nil instead of creating PostImage when
fetching direct SVG URLs to prevent storing them in the database.
These changes ensure that even environments with pre-existing malicious
link metadata will be protected after a server restart.
* MM-67372: Fix test expectation for SVG image handling
* Removed duplicate logic in favor of already implemented FilterSVGImages in model
* Addressing PR comments
* Replacing exact match comparison with prefix check
* Added new test cases for unit tests
The reliance on ViewUsersRestrictions was causing a SQL bug, since the
original query did not join with the Users table. Instead, use
model.GroupSearchOpts to rely on AllowReference, which should be used to
filter the results in all cases, except when the user is a sysadmin (has
the PermissionSysconsoleReadUserManagementGroups permission).
Co-authored-by: Mattermost Build <build@mattermost.com>
Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations.
Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.
Custom profile attributes (properties) in Mattermost need to support security-critical use cases like Attribute-Based Access Control (ABAC), external identity system synchronization, and privacy-preserving collaboration. Without access controls on these properties, any user or component could modify property fields and values, making them unsuitable for security decisions. Additionally, different properties require different visibility patterns - some need to be publicly readable, some should only be visible to their managing system, and some require privacy-preserving visibility where users can only see shared values.
This change introduces the PropertyAccessService, a wrapper around PropertyService that enforces access control for all property operations. This service is introduced in isolation and is not yet hooked up to the Plugin API, REST API, or app layer. It provides the foundation for a single enforcement point that will apply access restrictions consistently across all code paths once integrated.
Option IDs are automatically generated for fields in the REST API, but plugins creating fields directly don't get this behavior. This change makes option ID generation consistent by automatically generating IDs for all select/multiselect options, regardless of whether they're created via REST API or plugin code. The option IDs are generated (if necessary) in the store layer right before saving, which is the same place we generate Field IDs if they don't exist.
* Add the ability to patch channel autotranslations
* Fix lint
* Update docs
* Fix CI
* Fix CI
* Fix mmctl test
* Check whether the channel is translated for the user when checking user enabled
* Fix wrong uses of patch acrros e2e and frontend
* Fix test
* Fix wording
* Fix tests and column name
* Move group constrained test so they don't mess with the basic entities
* Fix patch sending too much information
* Add endpoint to update channel member autotranslations
* Add several improvements and remove unneeded functions
* Add user id to audit record
* Ensure autotranslation is defined
* Update texts
* Fix merge
* Add new column for channel member autotranslations (#35111)
* Minor renamings
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Cooke <benkcooke@gmail.com>
This commit reverts PR #30214, which addressed bug MM-60790 but caused a
performance regression tracked by MM-66782.
This revert has two implications:
1. The performance issue is solved.
2. The original bug is re-introduced.
Re-introducing the original bug seems not to be ideal, but I argue that
the original PR did not actually fix the bug:
- Before that PR, looking for a quoted string would return additional
results: the UX was slightly confusing, because when the user looked
for the word "stateful", the results would contain matches like
"states" (see MM-60790).
- After that PR, looking for a quoted string can timeout, so that the
list of results becomes empty. The UX here may be less confusing,
since the user simply doesn't find what they're looking for, and they
may assume that string is not present in any post, but it's completely
wrong: the result list is empty because the SQL query timed out and
thus the endpoint returned 0 results.
The solution to the original issue should be addressed via
Elasticsearch, which should provide a more refined and precise search
results.
For more information on the investigation on this issue and the
motivation behind the revert, see
https://mattermost.atlassian.net/wiki/x/IYAk_w
Co-authored-by: Mattermost Build <build@mattermost.com>
