Skip to content

chore: Minor abac fixes#41004

Merged
dionisio-bot[bot] merged 3 commits into
developfrom
chore/abac-fixes
Jun 18, 2026
Merged

chore: Minor abac fixes#41004
dionisio-bot[bot] merged 3 commits into
developfrom
chore/abac-fixes

Conversation

@KevLehman

@KevLehman KevLehman commented Jun 18, 2026

Copy link
Copy Markdown
Member

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC3-24
https://rocketchat.atlassian.net/browse/ABAC3-27

Steps to test or reproduce

Further comments

  • Get first verified email
  • Try/catch around scopeRoomsForUser

Review in cubic

Summary by CodeRabbit

  • Bug Fixes

    • Improved error resilience in access control room scoping; system now returns safely redacted data when scoping operations fail.
  • New Features

    • Enhanced email verification handling in access control: verified email addresses are now prioritized and required for user identity matching across the platform.

@dionisio-bot

dionisio-bot Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Jun 18, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: ee40ef5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 27f6ce60-cd55-43c7-88a1-424772b03551

📥 Commits

Reviewing files that changed from the base of the PR and between 6033e93 and ee40ef5.

📒 Files selected for processing (6)
  • apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/clients/virtru/identity.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: Hacktron Security Check
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (2/5)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (3/5)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (1/5)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (4/5)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (5/5)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (3/4)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (4/4)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (2/4)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (1/4)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/clients/virtru/identity.ts
  • apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
🧠 Learnings (6)
📚 Learning: 2025-12-10T21:00:43.645Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:43.645Z
Learning: Adopt the monorepo-wide Jest testMatch pattern: <rootDir>/src/**/*.spec.{ts,js,mjs} (represented here as '**/src/**/*.spec.{ts,js,mjs}') to ensure spec files under any package's src directory are picked up consistently across all packages in the Rocket.Chat monorepo. Apply this pattern in jest.config.ts for all relevant packages to maintain uniform test discovery.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
📚 Learning: 2026-02-24T19:22:48.358Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/clients/virtru/identity.ts
  • apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/clients/virtru/identity.ts
  • apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2026-03-06T18:10:15.268Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • ee/packages/abac/src/clients/virtru/identity.spec.ts
  • ee/packages/abac/src/clients/virtru/identity.ts
  • apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
🔇 Additional comments (6)
ee/packages/abac/src/clients/virtru/identity.ts (1)

17-17: LGTM!

ee/packages/abac/src/clients/virtru/identity.spec.ts (1)

17-32: LGTM!

ee/packages/abac/src/pdp/VirtruPDP.spec.ts (1)

53-58: LGTM!

Also applies to: 241-243, 255-257, 310-310, 344-345

ee/packages/abac/src/store/VirtruAttributeStore.spec.ts (1)

23-25: LGTM!

Also applies to: 92-92, 177-181

apps/meteor/tests/end-to-end/api/abac.ts (1)

3157-3157: LGTM!

Also applies to: 3222-3222, 3287-3288, 3370-3370, 3418-3418, 3455-3455, 3498-3498, 3558-3558, 3619-3619, 3752-3756, 4279-4279

apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts (1)

2-29: LGTM!


Walkthrough

getUserEntityKey in identity.ts now selects only a verified email address as the ABAC entity key instead of the first email. All unit and E2E test fixtures are updated to supply verified: true. Separately, scopeAdminRoomsForAbac is refactored to use a typed redact helper and wraps its scoping logic in a try/catch that falls back to redacted rooms on failure.

Changes

ABAC Verified Email Resolution and Admin Rooms Hardening

Layer / File(s) Summary
Verified email entity key logic and unit test
ee/packages/abac/src/clients/virtru/identity.ts, ee/packages/abac/src/clients/virtru/identity.spec.ts
getUserEntityKey changed to return the first verified email address; new unit test covers unverified-only and mixed-verified cases.
Unit test fixture propagation
ee/packages/abac/src/pdp/VirtruPDP.spec.ts, ee/packages/abac/src/store/VirtruAttributeStore.spec.ts
User email fixtures in VirtruPDP.spec.ts (factory default + individual test cases) and VirtruAttributeStore.spec.ts (beforeEach reset + per-test mocks) updated to include verified: true.
E2E test user creation with verified: true
apps/meteor/tests/end-to-end/api/abac.ts
All external PDP/ABAC end-to-end user creation calls updated to pass verified: true across permit/deny, invite, fail-closed, selective DENY, sync re-evaluation, abacAttributes visibility, makeAdmin, and wipe-on-transition setups.
scopeAdminRoomsForAbac redact helper and error fallback
apps/meteor/ee/server/hooks/abac/scopeAdminRoomsForAbac.ts
Extracted a typed redact helper using IRoom/IRoomAbacRedaction; user lookup and Abac.scopeRoomsForAdmin call wrapped in try/catch that returns redacted rooms on any failure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40634: Modifies the same scopeAdminRoomsForAbac.patch hook for ABAC admin room scoping and redaction behavior.
  • RocketChat/Rocket.Chat#40760: Overlaps on the same apps/meteor/tests/end-to-end/api/abac.ts file and the makeAdmin test helper in Virtru fixtures.

Suggested labels

type: chore

Suggested reviewers

  • tassoevan
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title 'chore: Minor abac fixes' is vague and generic, using non-descriptive terms like 'Minor' and 'fixes' that don't convey specific information about the changes. Revise the title to be more specific about the main changes, such as: 'chore: Add error handling and verified email logic to ABAC scoping and identity resolution'
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)
  • ABAC3-24: Request failed with status code 401
  • ABAC3-27: Request failed with status code 401

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@KevLehman KevLehman added this to the 8.6.0 milestone Jun 18, 2026
@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.11%. Comparing base (6033e93) to head (ee40ef5).

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #41004      +/-   ##
===========================================
- Coverage    70.13%   70.11%   -0.02%     
===========================================
  Files         3358     3358              
  Lines       129563   129563              
  Branches     22405    22469      +64     
===========================================
- Hits         90866    90844      -22     
- Misses       35386    35406      +20     
- Partials      3311     3313       +2     
Flag Coverage Δ
e2e 59.32% <ø> (+0.01%) ⬆️
e2e-api 46.18% <ø> (-0.13%) ⬇️
unit 70.05% <ø> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@KevLehman KevLehman marked this pull request as ready for review June 18, 2026 17:13
@KevLehman KevLehman requested a review from a team as a code owner June 18, 2026 17:13

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 6 files

Re-trigger cubic

@KevLehman KevLehman added the stat: QA assured Means it has been tested and approved by a company insider label Jun 18, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label Jun 18, 2026

@hacktron-app hacktron-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Severity Count
HIGH 1

View full scan results

Comment thread ee/packages/abac/src/clients/virtru/identity.ts
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 18, 2026
Merged via the queue into develop with commit 50ea823 Jun 18, 2026
83 of 85 checks passed
@dionisio-bot dionisio-bot Bot deleted the chore/abac-fixes branch June 18, 2026 19:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge type: chore

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants