Mattermost

Recent Commits

• Pablo Vélez (16 Jun 26)

  Mm 68846 masking from visual to canonical walker (#36772) * MM-68846 - add canonical CEL AST masking walker and model resolver interface * add canonical masking methods to PAP einterface and update mock * Migrate app-layer masking to canonical CEL AST walker * Remove Visual AST masking dead code and obsolete i18n key * Update simulation masking tests to mock MaskExpressionForCaller * reject persisted tokens and enforce merge shape match and add corresponding tests * MM-68900 - abac masking add e2e back * add missing config values and split the tests * implement coderabbit feedback * adjust timeout and disable button logic * enhance masking logic and tests for access control policies * refactor masking tests and database setup for improved field deletion handling * Enhance error handling in TestMergeStoredPolicyExpressions to verify error ID and status code * Refactor error handling in access control policy methods for clarity * Refactor masking logic and improve clarity in access control methods * Allow deny-all 'false' policies by dropping the redundant sentinel check in rejectMaskedTokens; add tests * Add masking-related error messages and update test descriptions with tags * Add error handling for uninitialized Policy Administration Point in access control

• cursor[bot] (16 Jun 26)

  Fix flaky TestStartServerPortUnavailable (#37047) * Fix flaky TestStartServerPortUnavailable The test blocked a port via localhost:0 and later configured the server to bind the same address. On dual-stack hosts Start() could still succeed by binding [::1] while the test listener only held 127.0.0.1. Configure the blocked address up front and hold both IPv4/IPv6 when available so the port-unavailable path is exercised deterministically. Tests-only change. Verified with `go test -run '^TestStartServerPortUnavailable$' -race -count=100` locally. Co-authored-by: mattermost-code <[email protected]> * Remove unused newServer helper after port-unavailable test refactor The flaky-test fix switched TestStartServerPortUnavailable to newServerWithConfig, leaving newServer unused and failing check-style. Co-authored-by: mattermost-code <[email protected]> * Remove redundant IPv6 test listener Co-authored-by: Miguel de la Cruz <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: mattermost-code <[email protected]> Co-authored-by: Mattermost Build <[email protected]> Co-authored-by: Miguel de la Cruz <[email protected]>

• Eva Sarafianou (16 Jun 26)

  Update docs impact review workflow to Claude Sonnet 4.6 (#37071) Claude Sonnet 4 was retired; use the supported claude-sonnet-4-6 model. Co-authored-by: Cursor <[email protected]>

• Felipe Martin (16 Jun 26)

  [MM-69126] Fix custom emoji upload size and GIF frame limits (#36984) * [MM-69126] Fix custom emoji upload size and GIF frame limits * Assert 413 status and error ID in oversized emoji test * Raise max emoji GIF frames to 70 * Enforce emoji GIF frame limit on the direct-write path

• Roman Sergeev (15 Jun 26)

  fix: user account menu ellipsis fixes (#34663) Co-authored-by: r.sergeev <[email protected]>

• Harrison Healey (15 Jun 26)

  MM-69003 Update ESLint and related dependencies (#37039) * Remove everything * Re-add most ESLint plugins and run --fix * Additional fixes * Fix or disable linter warnings caused by require imports * Fix how prop types for SearchResults are defined * More additional fixes * Update deprecated stylistic rule names * Remove deprecated .eslintignore * Update eslint-plugin-react-hooks * Enable react-hooks/error-boundaries * Fix react-hooks/static-components wherever possible * Fix react-hooks/use-memo wherever possible * Disable warnings for new rules and update comment * Update eslint-plugin-no-only-tests * Update eslint dependencies in E2E test packages * Remove now-uneeded patch * Address Coderabbit feedback * Actually fix inverted tooltip logic

• cursor[bot] (15 Jun 26)

  Fix flaky TestGetLinkMetadataFromCache (#37050) * Fix flaky TestGetLinkMetadataFromCache The link metadata LRU cache is a package-global singleton. Under fully parallel CI, TestGetLinkMetadataFromCache and TestGetLinkMetadata both call PurgeLinkCache and assert on cache contents concurrently, so one test can purge or overwrite entries while another is mid-assertion. Serialize link-cache test setup and purge operations with a package-level mutex so parallel tests no longer stomp on each other's cache state. Tests-only change. Verified with `go test -short -run '^TestGetLinkMetadataFromCache$' -count=5` locally. Co-authored-by: mattermost-code <[email protected]> * Combine link metadata cache tests into single non-parallel function Per reviewer feedback, replace the package-level mutex with merging TestGetLinkMetadataFromCache into TestGetLinkMetadata as a subtest group. This serializes cache access without a global lock. Co-authored-by: mattermost-code <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: mattermost-code <[email protected]>

• Christopher Poile (15 Jun 26)

  [MM-68782] MBE Phase 8e: add hook registerComposerPlaceholder (#36584) * phase 8e * remove unregisterComposerPlaceholderSuffix The unregister method dispatched REMOVED_PLUGIN_COMPONENT_BY_ID, which was dropped along with the parallel unregisterChannelDecorator in the 8d fix pass. Restore is not warranted: plugin lifecycle already sweeps all registrations on uninstall and bundle-path-changed reload via REMOVED_WEBAPP_PLUGIN, and the matcher contract handles dynamic on/off without re-registration. Drop the unregister method and the unregister tests; move clearLoggedSuffixErrors into register so the log-once tracker still resets on re-registration. Replace the deleted tests with a REMOVED_WEBAPP_PLUGIN sweep test mirroring the 8b/8d pattern. See /Users/chris/git/pbe/phase-8-unregister-removal-plan.md for cross-phase rationale. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * collapse composer placeholder hook into a chainable transform Reworks the composer placeholder hook from registerComposerPlaceholderSuffix( {matcher, text}) into registerComposerPlaceholder({transform}). The plugin now supplies one callback, (placeholder, channel, state, intl) => string, that appends to, replaces, or returns the placeholder unchanged; the host chains all registered transforms (pluginId-alphabetical across plugins, registration order within one), each receiving the previous result. Folding the match condition into the callback removes the separate matcher while keeping the full Redux state available to plugins. - Move the resolver and hook out of the global selectors/ and hooks/ dirs into components/advanced_text_editor/ (composer_placeholder.ts, use_composer_placeholder.ts), beside the editor's other hooks. - Rename utils/matcher_error_log -> utils/plugin_error_log (createPluginErrorLog) and generalize it: a {subject, outcome} pair tailors the once-per-plugin message to the callback kind, and the unused slot parameter is dropped so keying is per-plugin. Update the channel-icon and channel-intro consumers; their behavior is unchanged (verified by their unmodified suites). --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

• cursor[bot] (15 Jun 26)

  Fix flaky TestUserHasJoinedChannel (#37052) Automatic Merge

• Jesse Hallam (15 Jun 26)

  Prevent plugins from changing the push notification transport type (#37059) * Prevent plugins from changing the push notification transport type * fixup! Prevent plugins from changing the push notification transport type

• Alejandro García Montoro (15 Jun 26)

  MM-69213: Validate Azure storage account names and use httpservice for custom endpoints (#37014) * Validate Azure storage account name format For the commercial and government clouds the storage account name becomes part of the service hostname, so enforce Azure's documented format (3 to 24 lowercase letters and digits) both in config validation and when building the service URL. Also treat an empty AzureCloud as commercial, consistent with the URL builder. * Route Azure custom endpoints through httpservice The Azure custom-cloud backend now issues requests through httpservice's transport rather than the SDK default, so they honor ServiceSettings.AllowedUntrustedInternalConnections like other outbound connections. The commercial and government clouds keep the SDK default transport, which Private Link deployments rely on. The allowlist value is plumbed into FileBackendSettings, and the host/IP checks are factored into a shared httpservice helper that MakeTransport now uses too.

• Andre Vasconcelos (15 Jun 26)

  MM-68960 Improving UX for custom selections (#36878) * MM-68960 Improving UX for custom selections - Keeping selection made stored client-side - Starting form with empty preset selection * Adding unit tests for new changes * MM-68954 Fixing style of classification header in settings modal * UX improvements - Removing extra 16px spacing below alert - Ensuring that the input of a newly added classification level automatically receives focus

• Felipe Martin (15 Jun 26)

  MM-68976 Preserve PluginSettings.SignaturePublicKeyFiles on config patch endpoint (#36868) * MM-68976 Preserve PluginSettings.SignaturePublicKeyFiles on config patch endpoint The full PUT /api/v4/config endpoint silently preserves PluginSettings.SignaturePublicKeyFiles (added in #13682), but the sparse PUT /api/v4/config/patch endpoint had no equivalent guard, so a session with sysconsole_write_plugins could modify the field through it. Mirror the full update endpoint's behavior by silently preserving the existing value in patchConfig, and add a regression test equivalent to the one in TestUpdateConfig. * MM-68976 Document SignaturePublicKeyFiles as non-modifiable in config API spec Both the update and patch config endpoints preserve PluginSettings.SignaturePublicKeyFiles; note this in the OpenAPI descriptions alongside the existing PluginSettings.EnableUploads note.

• Christopher Poile (15 Jun 26)

  [MM-68781] MBE Phase 8d: add hooks ChannelComposerBanner & ChannelIntro (#36581) * phase 8d * review: key PluggableErrorBoundary by channel + add missing-channel intro test Co-Authored-By: Claude Sonnet 4.6 (1M context) <[email protected]> * simplify: remove redundant channelId from call-site keys PluggableErrorBoundary now carries key={registration.id:channel.id} internally, so the outer ChannelDecoratorRenderer no longer needs a channel-scoped key to reset the boundary on navigation. Co-Authored-By: Claude Sonnet 4.6 (1M context) <[email protected]> * merge conflicts * more conflicts * remove unregisterChannelDecorator + REMOVED_PLUGIN_COMPONENT_BY_ID The unregister method dispatched an action whose reducer case was removed during Phase 8b's cleanup, making the call a silent no-op (surfaced by a failing CI test). Restore is not warranted: plugin lifecycle already sweeps all registrations on uninstall and bundle-path-changed reload via REMOVED_WEBAPP_PLUGIN, and the matcher contract handles dynamic on/off without re-registration. Drop the unregister method, the action constant, and the failing scoped-removal tests; move clearLoggedDecoratorErrors into register so the log-once tracker still resets on re-registration. Replace the deleted tests with a REMOVED_WEBAPP_PLUGIN sweep test mirroring the 8b pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * remove mount_overlay, left_of_channel_name; add after_channel_name * simplifications: remove slots, no after name decorator, intro fixed --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <[email protected]>

• Angelos Kyratzakos (15 Jun 26)

  Fix S3 MoveFile/CopyFile failing on files larger than 5GiB (#37035) * Fix S3 MoveFile/CopyFile failing on files larger than 5GiB S3FileBackend.MoveFile, CopyFile and DecodeFilePathIfNeeded used the minio-go CopyObject call, which performs a single server-side PUT-copy. S3 rejects copy sources larger than 5GiB, so any move/copy of a file over 5GiB fails with: The specified copy source is larger than the maximum allowable size for a copy source: 5368709120 This breaks, among other things, finalizing an `mmctl import upload` of an import archive larger than 5GiB on S3-backed installations (the upload streams fine, then the .tmp -> final rename fails). Extract the shared copy logic into a copyObject helper that picks the right S3 operation by source size: CopyObject for sources up to 5GiB, and ComposeObject (server-side multipart copy via UploadPartCopy) for larger sources, supporting objects up to 5TiB. Small files keep using a single CopyObject; only files over 5GiB pay for multipart. The size is checked explicitly rather than relying on ComposeObject's own single-copy fast path, which is only taken when the source range Start is -1, a value its input validation rejects (Start must be non-negative), so it is unreachable here. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> * Add unit tests for S3 copyObject copy-vs-compose routing Extract the copy-routing logic into copyObjectWithClient, which takes a small s3CopyClient interface (StatObject/CopyObject/ComposeObject) so it can be tested with a mock. The exported behavior of copyObject (and its callers MoveFile/CopyFile) is unchanged; *minio.Client satisfies the interface. Tests cover the three branches: - source > 5GiB -> ComposeObject (multipart copy), not CopyObject - source <= 5GiB -> CopyObject, not ComposeObject (incl. the boundary) - StatObject error -> propagated, neither copy is attempted Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> * make mocks --------- Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]> Co-authored-by: wiggin77 <[email protected]>

• Ibrahim Serdar Acikgoz (15 Jun 26)

  Fix Permission Policy tab 403 for channel admins when no policy exists (#36980)

• Christopher Poile (14 Jun 26)

  [MM-68797] MBE Phase 8c: registerChannelIconOverride follow-ups (#36576) * phase 8c * merge errors * PR comments

• Christopher Poile (14 Jun 26)

  [MM-68780] MBE Phase 8b: registerChannelIconOverride (#36575) * phase 8b * remove it.todo placeholders for two admin SVG sites The two admin SVG sites (secure-connection detail, shared-channels add modal) had no real test coverage because their `ChannelIcon` sub-component isn't exported and the parents are hostile to mount. The placeholder files held only `it.todo` calls and explanatory comments — they catch no regressions and depend on a forcing function (extraction) that won't happen without a forcing function. The rendering pattern is mechanical and identical to 10 other SVG sites with full override + fallback + prop-passthrough + default-absent coverage. An asymmetric regression at exactly these two sites is the only failure mode and would surface in review. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * test: guard consoleSpy restore in try/finally Ensures mockRestore() always runs even if the assertion throws, preventing the silenced console.error from leaking into later tests. Co-Authored-By: Claude Sonnet 4.6 (1M context) <[email protected]> * PR comments * more PR comments * trigger stuck tests * fix linting --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

• Pablo Vélez (13 Jun 26)

  fix the mocks and the store layer (#37049)

• cursor[bot] (12 Jun 26)

  Allow syncing any User Attribute field with LDAP/SAML and disable the editable toggle when synced (#37018) * Allow syncing any CPA field with LDAP/SAML and disable editable toggle when synced A custom profile attribute field could only be linked to LDAP/SAML sync when it was user-editable, and the editable toggle stayed enabled for synced fields. Toggling editable off silently stripped the link on save. Allow admin-managed fields to be synced (sync and admin-managed are no longer mutually exclusive on the server) and disable the editable toggle in the dot menu while a field is synced, since synced values come from the IdP and are never user-editable. Co-authored-by: mattermost-code <[email protected]> * Add tests for syncable admin-managed CPA fields and disabled editable toggle Co-authored-by: mattermost-code <[email protected]> * Strengthen sync test coverage: combined admin-managed+synced and SAML update path Co-authored-by: mattermost-code <[email protected]> * ci: re-trigger Enterprise CI after transient npm network failure Co-authored-by: mattermost-code <[email protected]> * Address PR feedback: 1 answered, 1 resolved, 0 declined --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: mattermost-code <[email protected]> Co-authored-by: Mattermost Build <[email protected]>

• Pablo Vélez (12 Jun 26)

  MM - 69063 - team abac backend and security gate (#36903) * MM-69063 - Add team ABAC model and constants foundation * Add team ABAC store EXISTS, channel Type retrofit, policy count split, and index migration * Add team ABAC app layer: access gate, hydrators, assign/unassign, cleanup, and GetTeamMembersToRemove store * Enforce team membership ABAC on join and hide policy governed teams from non-qualifying users in the directory * Add team_ids to access policy assign/unassign, expose per-team policy GET, and support abac_match_only for not_in_team user listing * Add team ABAC client methods, websocket handler, per-team System Console policy UI, and hide policy-governed teams from non-qualifying users * Make team ABAC mode-aware: advisory on public teams, strict on private, and surface governed private teams to qualifying users in directory listings * Flag-gate team ABAC mutation/read APIs and fix policy-save error handling, member-removal limit, team-id validation, export, and audit cleanup * coderabbit feedback; Broadcast team policy enforcement updates on policy create/update and activation, not only on delete * Update team access control policy schema to allow nullable policies and enhance test cases with channel counts * Enhance access control policy tests to include team policy search alongside channel policy search * Add team membership access control feature flag to docker-compose generation * Implement team access control policy checks and refactor related components * Audit-log team ABAC policy removal on team archive and delete --------- Co-authored-by: Mattermost Build <[email protected]>

• Maria A Nunez (12 Jun 26)

  Seed display names for session attribute fields (#37033) * Seed display names for session attribute fields Co-authored-by: maria.nunez <[email protected]> * Extract session attribute display names into named constants Co-authored-by: maria.nunez <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]>

• Jesse Hallam (12 Jun 26)

  [MM-69228] Default the CJKSearch feature flag to true (#37032)

• Sudheer (12 Jun 26)

  Fix: Scroll pop caused because of delayed correction. (#36879) * Fix: Scroll pop caused because of delayed correction. * Debounce on resize Observer is causing a delayed scroll correction. causing scroll pop. Can be seen on a recurring visit to channel or on opening RHS. * Remove debounce from test * Remove the function of debounce * Refactor comment in list_item.tsx Removed debounce comment about the observer's functionality.

• Harrison Healey (11 Jun 26)

  MM-69003 Switch to using @stylistic/eslint-plugin for deprecated ESLint rules (#36770) * MM-69003 Switch to using @stylistic/eslint-plugin for deprecated ESLint rules * Run --fix on all web app packages These changes are mostly around TypeScript linting where the @stylistic versions are more accurate and therefore stricter about spacing and semicolons in TS types. * Run --fix on Cypress tests

• cursor[bot] (11 Jun 26)

  Fix flaky TestGetMattermostLog (#36927) * Fix flaky TestGetMattermostLog ReconfigureLogger can create mattermost.log as soon as file logging is enabled, racing the test's missing-file assertion. Flush and remove any auto-created log before that check. Apply the same MM-62438 teardown pattern to the path-validation subtest (disable file target, flush, then remove temp dirs) and flush after pointing FileLocation outside the root. Tests-only change. Verified with `go test -run '^TestGetMattermostLog$' -race -count=100` locally. Co-authored-by: mattermost-code <[email protected]> * Fix govet shadow in TestGetMattermostLog Reuse the existing err variable when removing the auto-created log file so golangci-lint passes. Co-authored-by: mattermost-code <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: mattermost-code <[email protected]>

• Jesse Hallam (11 Jun 26)

  Stop shared channel sync error spam for deleted remote clusters (#36931) Filter GetUsersForUser against live remote clusters so orphaned user rows are no longer synced, and skip not-found remotes in processTask instead of retrying and logging an error.

• Elias Nahum (11 Jun 26)

  Route Calls pushes through a VoIP token if present (#36726) * Route Calls pushes through a VoIP token if present Add VoIP device id support so calls notifications can be delivered as iOS PushKit pushes, while standard pushes continue using the regular device token. * New SessionPropVoIPDeviceId + IsValidVoIPDeviceID validator * PushNotifyAppleReactNativeVoIP platform constant * voip_device_id accepted on PUT /users/sessions/device and on login * DoLogin refactored to accept LoginOptions struct; all four call sites (api4/user, channels/web/{saml,magic_link,oauth}) converted * sendPushNotificationToAllSessions: when SubType=calls, prefer Session.Props[voip_device_id]; fall back to standard DeviceId Tests cover the validator, the device-props endpoint (accept/reject), and the SubType=calls routing matrix. * Skip session per Calls plugin "answered_elsewhere" convention When the Calls plugin fans out a cancel-ring push to a user's other VoIP devices after they answer a call from one of them, it can't tell core which session to skip because the public plugin API doesn't expose a skip-session-id parameter. It encodes the auth-session-id on SenderId together with Category="answered_elsewhere". Core honors the convention and clears SenderId on the per-session copy before forwarding so the session id never reaches the proxy or device. Category is preserved on the wire so the mobile client can pick CXCallEndedReason.answeredElsewhere. The matching side lives in mattermost-plugin-calls' push_notifications.go; both sides cross-reference the constant. * delay voip token audit until session props are set * capture voip audit failed case * Promote VoIP token to a column; dispatch by Transport; harden revocation * ai feedback review * feedback review * feedback review * fix tests * update openAPI * update serialized session model --------- Co-authored-by: Jesse Hallam <[email protected]>

• Devin Binnie (11 Jun 26)

  Fixes for the session attributes manifest (#37012) * Fixes for the session attributes manifest * Test fix * Fix test

• cursor[bot] (11 Jun 26)

  Fix flaky TestPreparePostForClient/files (#36992) Automatic Merge