fix: app actions ignoring role filters and i18n translation#39868

Merged
juliajforesti merged 4 commits into develop from fix/app-actions-role-permissions
Mar 26, 2026

Conversation

@juliajforesti juliajforesti commented Mar 25, 2026

SUP-1010

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

Bug Fixes

  • Fixed app actions not respecting role-based access controls.
  • Fixed app action labels not displaying in the correct language.

dionisio-bot bot commented Mar 25, 2026

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

changeset-bot bot commented Mar 25, 2026

🦋 Changeset detected

Latest commit: a1d4ed8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/server-fetch Patch

coderabbitai bot commented Mar 25, 2026

Walkthrough

Added a changeset entry and fixed app action authorization in two hooks: corrected the hasAllRoles evaluation to properly invoke the predicate function and added i18n translation for action button labels. Comprehensive test suite validates the authorization filtering logic across multiple scenarios.

Changes

Cohort / File(s) and summary:

  • Changesets (.changeset/neat-bananas-behave.md): Added changeset documenting patch version bump for @rocket.chat/meteor package fixing role filter and i18n translation handling in app actions.
  • Test Suite (apps/meteor/client/hooks/useApplyButtonFilters.spec.ts): New comprehensive test suite for useApplyButtonAuthFilter hook validating role-based, permission-based, and combined filtering logic across multiple user authorization states.
  • Authorization Hook (apps/meteor/client/hooks/useApplyButtonFilters.ts): Fixed hasAllRoles evaluation to properly invoke the predicate function by accessing [1]() on the queryRole result, aligning with existing "one role" logic.
  • User Dropdown Hook (apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts): Added i18n translation for action button labels by calling t(Utilities.getI18nKeyForApp(...)) on labelI18n values and updated hook dependencies accordingly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately and concisely summarizes the main changes: fixing app actions that ignore role filters and i18n translation, matching the changeset and code modifications.
Linked Issues check ✅ Passed The PR addresses all coding requirements from SUP-1010: role filters are fixed in useApplyButtonAuthFilter, i18n translations are implemented in useUserDropdownAppsActionButtons, and comprehensive tests are added.
Out of Scope Changes check ✅ Passed All changes are directly related to fixing role filters and i18n translation for app action buttons as specified in SUP-1010; no out-of-scope modifications were identified.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.60%. Comparing base (147fa09) to head (a1d4ed8).
⚠️ Report is 4 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39868      +/-   ##
===========================================
- Coverage    70.61%   70.60%   -0.01%     
===========================================
  Files         3257     3257              
  Lines       115789   115790       +1     
  Branches     21022    21034      +12     
===========================================
- Hits         81759    81749      -10     
- Misses       31968    31987      +19     
+ Partials      2062     2054       -8     
Flag Coverage Δ
e2e 60.45% <0.00%> (-0.07%) ⬇️
e2e-api 48.14% <ø> (-0.06%) ⬇️
unit 71.15% <100.00%> (+0.02%) ⬆️

@juliajforesti juliajforesti added this to the 8.4.0 milestone Mar 26, 2026
@juliajforesti juliajforesti marked this pull request as ready for review March 26, 2026 16:35
@juliajforesti juliajforesti requested a review from a team as a code owner March 26, 2026 16:35

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 4 files


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
apps/meteor/client/hooks/useApplyButtonFilters.spec.ts (1)

159-175: Consider adding a negative test case for hasOnePermission.

The suite includes a positive test for hasOnePermission but lacks a negative case where the user doesn't have any of the required permissions. This would mirror the pattern used for hasOneRole testing.

💡 Suggested additional test
it('should filter button when user does not have any required permission (hasOnePermission)', () => {
	const button: IUIActionButton = {
		appId: 'test-app',
		actionId: 'test-action',
		labelI18n: 'test_label',
		context: UIActionButtonContext.USER_DROPDOWN_ACTION,
		when: {
			hasOnePermission: ['manage-apps', 'manage-users'],
		},
	};

	const { result } = renderHook(() => useApplyButtonAuthFilter(), {
		wrapper: mockAppRoot().withJohnDoe().build(),
	});

	expect(result.current(button)).toBe(false);
});
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/client/hooks/useApplyButtonFilters.spec.ts` around lines 159 -
175, Add a negative test for hasOnePermission by creating a test case named like
"should filter button when user does not have any required permission
(hasOnePermission)" that constructs the same IUIActionButton with
when.hasOnePermission: ['manage-apps', 'manage-users'], uses renderHook(() =>
useApplyButtonAuthFilter()) with mockAppRoot().withJohnDoe().build() (i.e., no
permissions granted), and asserts result.current(button) is false; place this
alongside the existing positive hasOnePermission test to mirror the hasOneRole
negative case.
apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts (1)

29-29: LGTM on the i18n fix!

Correctly wraps the i18n key with t() for proper translation. The dependency array also correctly includes t.

However, the relevant code snippets show the same unfixed bug pattern in other hooks:

  • useMessageboxAppsActionButtons.ts (line 28): label: Utilities.getI18nKeyForApp(...) without t()
  • useAppsRoomStarActions.tsx (line 49): title: Utilities.getI18nKeyForApp(...) without t()
  • useAppsRoomActions.ts (line 29): title: Utilities.getI18nKeyForApp(...) without t()
  • useMessageActionAppsActionButtons.ts (line 40): label: Utilities.getI18nKeyForApp(...) without t()

Consider applying the same fix to these hooks for consistency.

Would you like me to open an issue to track fixing the i18n translation in these other hooks?

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts` at line 29,
These hooks emit raw i18n keys instead of translated strings; in each listed
hook (useMessageboxAppsActionButtons, useAppsRoomStarActions,
useAppsRoomActions, useMessageActionAppsActionButtons) replace usages like
Utilities.getI18nKeyForApp(...) passed to label/title/content with
t(Utilities.getI18nKeyForApp(...)) so the key is translated, and ensure the
hook's useCallback/useMemo dependency array includes the t function; update the
relevant callback/memo where label/title/content is constructed to add t and run
tests/compile to confirm no missing deps.

📥 Commits

Reviewing files that changed from the base of the PR and between 147fa09 and a1d4ed8.

📒 Files selected for processing (4)
  • .changeset/neat-bananas-behave.md
  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
🧠 Learnings (27)
📚 Learning: 2026-02-24T19:09:09.561Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2026-03-14T14:58:58.834Z
Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

Applied to files:

  • .changeset/neat-bananas-behave.md
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
📚 Learning: 2026-02-24T19:05:56.710Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2025-11-19T12:32:29.696Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37547
File: packages/i18n/src/locales/en.i18n.json:634-634
Timestamp: 2025-11-19T12:32:29.696Z
Learning: Repo: RocketChat/Rocket.Chat
Context: i18n workflow
Learning: In this repository, new translation keys should be added to packages/i18n/src/locales/en.i18n.json only; other locale files are populated via the external translation pipeline and/or fall back to English. Do not request adding the same key to all locale files in future reviews.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2026-02-24T19:36:55.089Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/page-objects/fragments/home-content.ts:60-82
Timestamp: 2026-02-24T19:36:55.089Z
Learning: In RocketChat/Rocket.Chat e2e tests (apps/meteor/tests/e2e/page-objects/fragments/home-content.ts), thread message preview listitems do not have aria-roledescription="message", so lastThreadMessagePreview locator cannot be scoped to messageListItems (which filters for aria-roledescription="message"). It should remain scoped to page.getByRole('listitem') or mainMessageList.getByRole('listitem').

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2025-11-04T16:49:19.107Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2025-11-19T18:20:07.720Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 37419
File: packages/i18n/src/locales/en.i18n.json:918-921
Timestamp: 2025-11-19T18:20:07.720Z
Learning: Repo: RocketChat/Rocket.Chat — i18n/formatting
Learning: This repository uses a custom message formatting parser in UI blocks/messages; do not assume standard Markdown rules. For keys like Call_ended_bold, Call_not_answered_bold, Call_failed_bold, and Call_transferred_bold in packages/i18n/src/locales/en.i18n.json, retain the existing single-asterisk emphasis unless maintainers request otherwise.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2026-03-16T21:50:37.589Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

  • .changeset/neat-bananas-behave.md
📚 Learning: 2025-11-17T15:07:13.273Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 37398
File: packages/fuselage-ui-kit/src/surfaces/FuselageSurfaceRenderer.tsx:357-363
Timestamp: 2025-11-17T15:07:13.273Z
Learning: In packages/fuselage-ui-kit/src/surfaces/FuselageSurfaceRenderer.tsx, IconElement is a presentational, non-actionable element that does not require wrapping in AppIdProvider, similar to plain_text and mrkdwn renderers. Only actionable elements (those with actions, actionId, or interactive behavior) should be wrapped in AppIdProvider.

Applied to files:

  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
📚 Learning: 2026-02-10T16:32:42.586Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/client/hooks/useUserDropdownAppsActionButtons.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.ts
  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2026-03-06T18:10:23.330Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:23.330Z
Learning: In the RocketChat/Rocket.Chat `packages/gazzodown` package and more broadly, the HTML `<code>` element has an implicit ARIA role of `code` per WAI-ARIA 1.3, and `testing-library/dom` / jsdom supports it. Therefore, `screen.getByRole('code')` / `screen.findByRole('code')` correctly locates `<code>` elements without needing an explicit `role="code"` attribute. Do NOT flag `findByRole('code')` as invalid in future reviews.

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.ts
📚 Learning: 2025-11-27T17:56:26.050Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Prefer web-first assertions (`toBeVisible`, `toHaveText`, etc.) in Playwright tests

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/page-objects/**/*.ts : Utilize existing page objects pattern from `apps/meteor/tests/e2e/page-objects/`

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.step()` for complex test scenarios to improve organization in Playwright tests

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : All test files must be created in `apps/meteor/tests/e2e/` directory

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.beforeAll()` and `test.afterAll()` for setup/teardown in Playwright tests

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2026-02-24T19:22:48.358Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
📚 Learning: 2026-03-06T18:10:15.268Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

  • apps/meteor/client/hooks/useApplyButtonFilters.spec.ts
🔇 Additional comments (3)
.changeset/neat-bananas-behave.md (1)

1-5: LGTM!

The changeset correctly identifies this as a patch-level fix and the description accurately summarizes the two issues being addressed: role filter enforcement and i18n translation.

apps/meteor/client/hooks/useApplyButtonFilters.ts (1)

69-70: LGTM - Critical bug fix!

The fix correctly invokes the getSnapshot function via [1]() to obtain the boolean result. Previously, hasAllRoles was evaluating the tuple itself (always truthy) instead of calling the getter, causing role filters to be ignored.

This now matches the correct pattern already used in:

  • Line 70 (hasOneRole)
  • Lines 67-68 (permission queries)

The !!uid guard correctly fails role checks for anonymous users.

apps/meteor/client/hooks/useApplyButtonFilters.spec.ts (1)

1-7: LGTM - Comprehensive test coverage for the bug fix!

Good use of renderHook with mockAppRoot() to test the authorization filter logic. The test suite properly validates:

  • hasAllRoles filtering (the primary bug fix)
  • hasOneRole filtering
  • Permission filtering
  • Combined role + permission AND logic
  • Anonymous user edge case
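
The truthy-tuple mistake described in the review above, as an added example that is not part of this pull request or of Rocket.Chat's code. It is a simplified model: the `[subscribe, getSnapshot]` shape of `queryRole` follows the review's wording, while the user and button shapes, the helper names and the sample data are assumptions made for illustration.

```typescript
// Added illustration: a simplified model, not Rocket.Chat source code.
// Assumptions: the tuple shape of queryRole (taken from the review's wording),
// the AppUser/ActionButton shapes, and all sample users and buttons below.

type RoleQuery = readonly [(onChange: () => void) => () => void, () => boolean];

interface AppUser {
	uid?: string;
	roles: string[];
}

interface ActionButton {
	actionId: string;
	when?: { hasAllRoles?: string[]; hasOneRole?: string[] };
}

// Hypothetical stand-in for the role query: returns [subscribe, getSnapshot].
function queryRole(user: AppUser, role: string): RoleQuery {
	const subscribe = (_onChange: () => void) => () => undefined;
	const getSnapshot = () => user.roles.indexOf(role) !== -1;
	return [subscribe, getSnapshot];
}

// Builds a filter; readAll decides how a hasAllRoles query result is read.
function makeFilter(readAll: (query: RoleQuery) => boolean) {
	return (user: AppUser, button: ActionButton): boolean => {
		const hasAllRoles = button.when?.hasAllRoles ?? [];
		const hasOneRole = button.when?.hasOneRole ?? [];
		const loggedIn = !!user.uid; // anonymous users fail every role check
		const allOk =
			hasAllRoles.length === 0 || (loggedIn && hasAllRoles.every((role) => readAll(queryRole(user, role))));
		const oneOk =
			hasOneRole.length === 0 || (loggedIn && hasOneRole.some((role) => queryRole(user, role)[1]()));
		return allOk && oneOk;
	};
}

// Before: the tuple itself is coerced to boolean, and an array is always truthy.
const filterBefore = makeFilter((query) => Boolean(query));
// After: the getter at index 1 is invoked to obtain the real answer.
const filterAfter = makeFilter((query) => query[1]());

// Regression check: pairs the old filter showed but the fixed filter hides.
function wronglyShown(users: AppUser[], buttons: ActionButton[]): string[] {
	const exposed: string[] = [];
	for (const user of users) {
		for (const button of buttons) {
			if (filterBefore(user, button) && !filterAfter(user, button)) {
				exposed.push(`${user.uid ?? 'anonymous'}:${button.actionId}`);
			}
		}
	}
	return exposed;
}

// Constructed sample data.
const adminUser: AppUser = { uid: 'u-admin', roles: ['admin', 'user'] };
const johnDoe: AppUser = { uid: 'u-john', roles: ['user'] };
const anonymousUser: AppUser = { roles: [] };

const adminOnly: ActionButton = { actionId: 'admin-only', when: { hasAllRoles: ['admin'] } };
const adminAndOwner: ActionButton = { actionId: 'admin-and-owner', when: { hasAllRoles: ['admin', 'owner'] } };
const anyStaff: ActionButton = { actionId: 'any-staff', when: { hasOneRole: ['admin', 'moderator'] } };
const unrestricted: ActionButton = { actionId: 'unrestricted' };

const SAMPLE_USERS: AppUser[] = [adminUser, johnDoe, anonymousUser];
const SAMPLE_BUTTONS: ActionButton[] = [adminOnly, adminAndOwner, anyStaff, unrestricted];

console.log(wronglyShown(SAMPLE_USERS, SAMPLE_BUTTONS));
```

In this model only the `hasAllRoles` buttons differ between the two filters; `hasOneRole` already called the getter, and anonymous users are rejected by the `uid` guard in both.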


@d-gubert d-gubert left a comment

The buttons are showing in the Marketplace menu currently, not the User one as the name implies

@juliajforesti (Contributor, Author)

> The buttons are showing in the Marketplace menu currently, not the User one as the name implies

@d-gubert this has actually been there for a lo(oooo)ng time - from what I've seen, it's been like this since forever. Which makes me wonder if it's really wrongly placed or the naming is misleading...
Let's discuss and I can address this in a separate PR since it's not related to the reported issue.
Thanks for pointing that out!

@juliajforesti juliajforesti requested a review from d-gubert March 26, 2026 20:56
@d-gubert d-gubert added the stat: QA assured Means it has been tested and approved by a company insider label Mar 26, 2026
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Mar 26, 2026
@dionisio-bot dionisio-bot bot added this pull request to the merge queue Mar 26, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 26, 2026
@juliajforesti juliajforesti added this pull request to the merge queue Mar 26, 2026
Merged via the queue into develop with commit 2103a7a Mar 26, 2026
46 checks passed
@juliajforesti juliajforesti deleted the fix/app-actions-role-permissions branch March 26, 2026 23:58