fix: add missing permission check to feature-preview admin sidebar item

[Naetiksoni08]

Proposed changes

The feature-preview sidebar item in the admin panel was visible to regular users (role: user) because itspermissionGranted function only checked whether feature previews exist, without verifying if the
user actually has permission to access them.

Every other admin sidebar item uses hasPermission() to control visibility, but feature-preview was only doing:
defaultFeaturesPreview?.length > 0

This caused the sidebar item to appear for all users as long as any feature previews were configured — regardless of their role or permissions.

Code Fix:
// Before

permissionGranted: () => defaultFeaturesPreview?.length > 0

// After

permissionGranted: (): boolean =>
    hasPermission('manage-feature-preview') &&
    defaultFeaturesPreview?.length > 0

Before Fix

url-admin/feature-preview

url - admin/subscription or any other sidebar item

After Fix

url-admin/feature-preview

url - admin/subscription or any other sidebar item

Steps to test or reproduce

1. Create a regular user with role: user (no admin permissions)
2. Login as that regular user
3. Hit /admin/rooms → sidebar empty
4. Hit /admin/integrations → sidebar empty
5. Hit /admin/feature-preview → "Feature preview" visible
   in sidebar (before fix).
6. After fix → sidebar empty for feature-preview too

Further comments

During testing, an inconsistency was discovered in the admin
sidebar permission model:

• /admin/rooms → sidebar completely empty for regular user -> correct
• /admin/integrations → sidebar completely empty -> correct
• /admin/subscription → sidebar completely empty -> correct
• /admin/feature-preview → "Feature preview" still visible -> wrong

Every other sidebar item uses hasPermission() — feature-preview was the only exception. This also creates a security concern: any user who knows the URL can discover this admin feature exists, even without access. Sidebar items should never leak information about admin features to unauthorized users.

Summary by CodeRabbit

• Bug Fixes

  • Feature Preview admin sidebar item now enforces admin authorization and only appears for users with the required admin permission, preventing unauthorized users from seeing or accessing the Feature Preview area.

• Chores

  • Added a dedicated admin permission ("manage-feature-preview") to centrally control access to the Feature Preview area for stricter admin-only visibility and easier future management.

Task: COMM-157

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: ae989eb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-video-conf	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a missing permission check for the Feature Preview admin sidebar item: the item now requires the new manage-feature-preview permission and the presence of default feature previews to be shown. A changeset entry documents this patch.

Changes

Cohort / File(s)	Summary
Changeset Documentation \.changeset/funny-houses-peel.md	Adds a changeset entry declaring a patch release and documenting the permission-fix for the Feature Preview admin sidebar item.
Admin Sidebar Permission Logic apps/meteor/client/views/admin/sidebarItems.ts	Updates permissionGranted for Feature Preview from defaultFeaturesPreview?.length > 0 to hasPermission('manage-feature-preview') && defaultFeaturesPreview?.length > 0, making the check explicit and boolean-returning.
Permissions Registry apps/meteor/app/authorization/server/constant/permissions.ts	Adds new permission { _id: 'manage-feature-preview', roles: ['admin'] } to the exported permissions array.

Sequence Diagram(s)

sequenceDiagram
    participant Sidebar as SidebarItem (Client)
    participant Auth as PermissionService (Client)
    participant Server as Permissions Registry (Server)

    Sidebar->>Auth: permissionGranted? hasPermission('manage-feature-preview')
    Auth->>Server: check permission for current user
    Server-->>Auth: allow / deny (based on `{_id: 'manage-feature-preview'}`)
    Auth-->>Sidebar: boolean result
    Sidebar->>Sidebar: render item if result && defaultFeaturesPreview?.length > 0

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

community

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: add missing permission check to feature-preview admin sidebar item' directly and specifically describes the main change: adding a permission check to the feature-preview admin sidebar item.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dougfabris]

This permission doesn't exists

[cubic-dev-ai]

No issues found across 2 files

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/client/views/admin/sidebarItems.ts`:
- Around line 138-139: The sidebar permission check uses the string
'manage-feature-preview' (seen in permissionGranted: () =>
hasPermission('manage-feature-preview') && defaultFeaturesPreview?.length > 0)
but that permission is not registered in the permissions registry; add an entry
for 'manage-feature-preview' to the permissions export (the permissions
constant/registry in permissions.ts) and assign the appropriate roles (e.g.,
['admin']) following the same shape and pattern as other feature-management
permissions so hasPermission('manage-feature-preview') can succeed.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 133da0b and 51b49a8.

📒 Files selected for processing (2)

• .changeset/funny-houses-peel.md
• apps/meteor/client/views/admin/sidebarItems.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/views/admin/sidebarItems.ts

🧠 Learnings (2)

📚 Learning: 2025-11-04T16:49:19.107Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

• .changeset/funny-houses-peel.md

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/views/admin/sidebarItems.ts

🧬 Code graph analysis (1)

apps/meteor/client/views/admin/sidebarItems.ts (1)

packages/ui-client/src/hooks/useFeaturePreviewList.ts (1)

• defaultFeaturesPreview (21-31)

🔇 Additional comments (1)

.changeset/funny-houses-peel.md (1)

1-5: LGTM!

Changeset is correctly formatted — patch bump is appropriate for a bug fix, and the description accurately reflects the change.

[Naetiksoni08]

Hi @dougfabris , thank you for the quick review!

You're absolutely right. I used 'manage-feature-preview' without verifying if it exists in the permissions registry.
I will check the existing permissions and either use an appropriate one or register this permission correctly.

I'll push an updated fix shortly.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/authorization/server/constant/permissions.ts (1)

208-214: ⚠️ Potential issue | 🟡 Minor

Pre-existing duplicate: remove-livechat-department is registered twice.

Lines 208 and 214 contain identical entries for remove-livechat-department. While harmless today because the roles are the same, this is dead weight and could silently cause a divergence bug if either copy's roles are edited independently in the future. Worth cleaning up in this pass since you're already touching the file.

🧹 Proposed fix

-	{ _id: 'remove-livechat-department', roles: ['livechat-manager', 'admin'] },
-
-	// New Media calls permissions
-	{ _id: 'allow-internal-voice-calls', roles: ['admin', 'user'] },
-	{ _id: 'allow-external-voice-calls', roles: ['admin', 'user'] },
-
-	{ _id: 'remove-livechat-department', roles: ['livechat-manager', 'admin'] },
+	{ _id: 'remove-livechat-department', roles: ['livechat-manager', 'admin'] },
+
+	// New Media calls permissions
+	{ _id: 'allow-internal-voice-calls', roles: ['admin', 'user'] },
+	{ _id: 'allow-external-voice-calls', roles: ['admin', 'user'] },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/authorization/server/constant/permissions.ts` around lines
208 - 214, The permission entry '_id: remove-livechat-department' is duplicated;
remove the redundant duplicate so only one { _id: 'remove-livechat-department',
roles: ['livechat-manager', 'admin'] } entry remains (remove the second
occurrence under the "New Media calls permissions" block) to avoid future
divergence if roles are edited independently.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@apps/meteor/app/authorization/server/constant/permissions.ts`:
- Around line 208-214: The permission entry '_id: remove-livechat-department' is
duplicated; remove the redundant duplicate so only one { _id:
'remove-livechat-department', roles: ['livechat-manager', 'admin'] } entry
remains (remove the second occurrence under the "New Media calls permissions"
block) to avoid future divergence if roles are edited independently.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 51b49a8 and 61aac43.

📒 Files selected for processing (1)

• apps/meteor/app/authorization/server/constant/permissions.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/authorization/server/constant/permissions.ts

🧠 Learnings (1)

📓 Common learnings

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

🔇 Additional comments (1)

apps/meteor/app/authorization/server/constant/permissions.ts (1)

221-221: LGTM — manage-feature-preview permission correctly registered.

The new entry follows the established manage-* naming convention, and roles: ['admin'] is the right default for this admin-only feature.

[Naetiksoni08]

Hi @dougfabris,

I have now registered 'manage-feature-preview' in the permissions registry with admin role, following the same pattern as other manage-* permissions like manage-sounds and manage-emoji.

[Naetiksoni08]

Hi @dougfabris, gentle ping on this PR!

I have addressed your feedback by registering 'manage-feature-preview' in the permissions registry with admin role in permissions.ts, following the same pattern as manage-sounds and manage-emoji.

Would really appreciate a re-review when you get a chance. Thank you!

[Naetiksoni08]

Hi @dougfabris , gentle ping on this PR! The permission has been registered following the same pattern as manage-sounds and manage-emoji. Would really appreciate a re-review when you get a chance. Thank you!

[dougfabris]

Hi there, thanks for the contribution 🚀

Please, hold on!

We're going to handle your pull request as soon as possible, theres a lot of contributions besides yours.
Keep mentioning the maintainers that much just creates noise and slow down even more the process!

[dougfabris]

please, replace this new permission in the AdminFeaturePreviewRoute as well

[dougfabris]

/jira COMM

[Naetiksoni08]

@dougfabris, Done I've also replaced the permission in AdminFeaturePreviewRoute to use manage-feature-preview instead of manage-cloud, so both the sidebar item and the route now check the same permission consistently.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.84%. Comparing base (b5a17fc) to head (ae989eb).
⚠️ Report is 9 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38934      +/-   ##
===========================================
+ Coverage    69.79%   69.84%   +0.04%     
===========================================
  Files         3296     3296              
  Lines       119173   119173              
  Branches     21484    21485       +1     
===========================================
+ Hits         83182    83241      +59     
+ Misses       32692    32622      -70     
- Partials      3299     3310      +11     

Flag	Coverage Δ
e2e	59.74% <100.00%> (+<0.01%)	⬆️
e2e-api	47.08% <ø> (+0.84%)	⬆️
unit	70.58% <ø> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pierre-lehnen-rc]

Missing i18n key for this new permission

[Naetiksoni08]

@pierre-lehnen-rc Done! Added the missing i18n key for the manage-feature-preview permission.

[Naetiksoni08]

Hey @dougfabris, just a gentle ping on this PR! 😊 I get that u guys might be busy. Happy to address any feedback or make changes if needed.