* Channel Info RHS: add rename-from-info and settings access
Add channel name editable area with pencil hover and wire to a lightweight Rename Channel modal; add Channel Settings item to RHS menu with permission checks; ensure navigation after rename uses relative path to avoid 404.
* linter changes
* add padding so field labels don't get cut off
* fixes for keyboard accessibility and tooltips
* don't show channel settings for DMs and GMs
* chore(i18n): run extract to reorder new keys and fix CI
Re-extracted webapp i18n to place newly added keys (editable tooltips and rename modal) in canonical order expected by translation tooling.
* use generic_btn.cancel/save for rename modal buttons
* chore(i18n): remove unused rename_channel.cancel/save keys
* updated tests to account for new elements in the info rhs
* add cypress test for new rhs info function
* fix linting issues
* fixed tests
* linter fixes
* tweak position of edit button
* style tweaks, remove subtitle from info rhs head (redundant now), update archived state
* added 'unarchive' button to archived notice, updated translations
* fixed tests that I broke in channel info header
* add url name to channel info view
* update to 'channel handle' instead of url name'
* change order of channel handle
* add copy button
* Update about_area_channel.test.tsx
* fixed test and brought back channel subtitle in header for consistency
* fixed header test
* make channel info rhs scrollable
* fix merge issue
* Fix lint
---------
Co-authored-by: yasserfaraazkhan <attitude3cena.yf@gmail.com>
This tells the TypeScript compiler (only used for type checking in the web app)
to use the `imports` and `exports` field of a package's `package.json` to find
modules. Those fields are standard in newer versions of Node.js, and hopefully
supporting them means that we'll have to do less work to configure tooling in
the future.
We could also get similar behaviour by using the `nodenext` option, but that
adds some additional requirements to include file extensions which ES Modules
technically require, but I don't think we need to enforce because other tooling
doesn't require them.
I wanted to make that change in all of the subpackages as well, but we can't do
that without having TypeScript output ES Modules which, unless we change their
build processes to generate multiple formats (like the shared package in
client package, or the types package which is more than I want to do at the
moment.
The changes to other files are either because they incorrectly imported types
from a file that isn't intentionally exposed by the plugin or it's because we
had a typo in a file path.
* Fix 500 errors on check-cws-connection in non-Cloud environments
The check-cws-connection endpoint was returning 500 errors in
self-hosted enterprise environments because:
1. The client only checked BuildEnterpriseReady before making the
request, which is true for all enterprise builds
2. The server handler didn't check for a Cloud license before
attempting to connect to CWS
3. The CWS URL is not configured in non-Cloud environments, causing
the connection check to fail
This fix:
- Server: Add IsCloud() license check to match other cloud endpoints,
returning 403 instead of 500 for non-Cloud licenses
- Client: Add Cloud license check to skip the request entirely in
non-Cloud environments
* Add unit tests for check-cws-connection license check
* Return JSON status from check-cws-connection endpoint
Change the check-cws-connection endpoint to return 200 with a JSON body
containing status (available/unavailable) instead of using HTTP error
codes. This allows the endpoint to be used for air-gap detection on
self-hosted instances, not just Cloud deployments.
* i18n
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* feat: run e2e full tests after successful smoke tests both in cypress and playwright
* fix lint check on jsdoc req in playwright test
* update smoke test filter
* update test filter for cypress tests
* update docker services, fix branch convention and rearrange secrets
* update e2e-test workflow docs
* reorganized
* fix lint
* fix playwright template
* fix results assertion
* add retest, e2e-test-verified, gh comments of failed tests, path filters, run e2e-tests check first and demote unstable tests
* run using master image for e2e-only changes, add ts/js actions for cypress and playwright calculations, add verified by label
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* MM-67279: Fix private channel enumeration via /mute slash command
Return the same error message when a user tries to mute a channel
they are not a member of as when the channel doesn't exist. This
prevents authenticated users from discovering private channels
by observing different error responses.
* update i18n
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Improve rewrite menu guidance
Keep AI rewrite prompts visible on focus and clarify the empty-state instruction.
* Apply suggestions from code review
* Apply suggestion from @nickmisasi
* Fix rewrite menu test assertions
Update test expectations to match component string values after defaultMessage changes. Fix syntax error with unterminated string and correct placeholder text expectation.
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Include last root, and most recent 10 posts in a thread with the rewrite system prompt
* Include user's names in the thread context for better reference
* Revert package-lock to master
* Fix tests
When the Type column was added to the Drafts table, it did not add a
DEFAULT value, so we need to handle the NULL values for the pre-existing
rows.
Co-authored-by: Mattermost Build <build@mattermost.com>
* [MM-66789] Fix arbitrary file read vulnerability in advanced logging
Add path validation to prevent reading files outside the logging root
directory via GetAdvancedLogs (used in support packet generation).
Security controls:
- Validate file paths are within logging root before reading
- Support MM_LOG_PATH environment variable to allow system admins
to configure a custom logging root directory
- Resolve symlinks to prevent bypass attacks
- Detect and block path traversal attempts
Also adds:
- Audit logging for support packet generation
- Config-time validation that logs errors for paths outside logging
root (will become blocking in future version)
- Comprehensive test coverage for path validation
* Update server/channels/app/platform/log_test.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix linter errors
* Update server/channels/api4/system.go
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
* Simplify unit tests for platform/log_test.go by moving some test logic to config/logger_test.go
* Fix unit tests requiring logging root to be set
* enforce LogSettings.FileLocation path validation; simplify path checking
* fix linter errors
* use dir in logging root for all unit test logging
* MM_LOG_PATH is set once, centrally, for all tests
* fix flaky test
* fix flaky test
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
* MM-67274: Fix panic in getBrowserVersion with empty User-Agent version
Refactor getBrowserVersion to use a table-driven approach that
centralizes bounds checking, preventing panic when User-Agent strings
contain identifiers like "Mattermost Mobile/" with no version token.
* Refactor user agent tests to use structured test cases
Move expected values into the testUserAgent struct for clarity,
making it easier to see what each test case expects at a glance.
* Add Client4 route building functions
* Make DoAPIRequestWithHeaders add the API URL
This makes it consistent with the other DoAPIXYZ functions, which all
prepend the provided URL with the client's API URL.
* Use the new route building logic in Client4
* Address review comments
- clean renamed to cleanSegment
- JoinRoutes and JoinSegments joined in Join
- newClientRoute uses Join
* Fix new routes from merge
* Remove unused import
* Simplify error handling around clientRoute (#34870)
---------
Co-authored-by: Jesse Hallam <jesse@mattermost.com>
Co-authored-by: Jesse Hallam <jesse.hallam@gmail.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
Canonicalize IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to
their native IPv4 form in IsReservedIP before checking against reserved
IP ranges. This prevents attackers from bypassing SSRF protections by
using IPv4-mapped IPv6 literals to access internal services.
* remove permalink embeds when user loses access to orginating channel
* remove posts & embeds on team_leave event; simplify preview index.ts
* cleanup
* remove dead code
* more dead code elimination
* MM-67269 - Fix popout windows for subpath deployments
Popout windows were failing with 404 errors when Mattermost is served
from a subpath (e.g., https://company.com/mattermost). The popout
functions were constructing URLs without including the subpath prefix.
Changes:
- Updated popoutThread() and popoutRhsPlugin() to use getBasePath()
helper function which includes window.basename
- Added unit tests to verify popout URLs include subpath when configured
- Follows established pattern used throughout codebase (getSiteURL,
cookie paths, React Router)
This ensures popout windows open at the correct URL:
/subpath/_popout/... instead of /_popout/...
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
* Clear mocks and set default base path in tests
---------
Co-authored-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* Add pluggable ChannelHeaderIcon
* Add orchestration for post/channel/team citations in post render
* Updates to suit new format cor citations
* Fix linter
* Fix stylelint property order errors in _markdown.scss
* Fix TypeScript type errors
- Add missing ChannelHeaderIcon to initialComponents in plugins reducer
- Fix SelectProps generic to use 'false' instead of 'boolean' for isMulti in dropdown_input_hybrid
* Update channel_header snapshots to include ChannelHeaderIcon Pluggable
* PR feedback changes
* Add snapshots
* Add export for DatePicker
* PR Feedback
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Add tooltip support and error handling for action buttons
- Add tooltip field to PostAction type definition
- Display tooltips on hover for action buttons
- Add comprehensive error handling for button actions
- Show error messages when actions fail
- Clear previous errors on subsequent actions
- Add tests for error handling functionality
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add E2E tests for action button error handling and tooltips
- Test error message display when action buttons fail
- Test error clearing when successful actions are performed
- Test tooltip display on action button hover
- Use scoped selectors to avoid test interference
- Cover complete error lifecycle and tooltip functionality
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Use WithTooltip component for action button tooltips
Replace native HTML title attribute with WithTooltip component to provide
consistent tooltip styling and behavior across the application.
Changes:
- Import and wrap ActionBtn with WithTooltip component
- Remove title attribute from ActionBtn
- Update E2E test to check for .tooltipContainer instead of title attribute
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix TypeScript errors and test patterns in message attachment tests
- Fix TypeScript type errors in mock event objects by using arrow functions instead of jest.fn()
- Update async test pattern to use process.nextTick() with done callback instead of await
- Update test snapshots to reflect error handling wrapper div
- Fix whitespace formatting in E2E test file
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
* updated actionError to accept react node, replace hardcoded error with FormattedMessage components
* Fix test to handle FormattedMessage in actionError state
Update test expectation to check for FormattedMessage React element
instead of plain string when no error message is provided. This aligns
with the recent change to support internationalization in error messages.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
* Disable tooltip interactions when no tooltip text is present
Adds disabled prop to WithTooltip component when action.tooltip is empty or undefined, preventing unnecessary tooltip event handlers from being attached to action buttons that don't have tooltips.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
* Add tests for action button tooltip behavior
Adds three test cases to verify tooltip functionality:
- Tooltip is disabled when action.tooltip is undefined
- Tooltip is disabled when action.tooltip is empty string
- Tooltip is enabled and displays correctly when action.tooltip has a value
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
* fix e2e test
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
* [MM-67290] Document that Elasticsearch backend type change requires server restart
* Update Elasticsearch settings test snapshots
Update snapshots to reflect the new help text for the backend type
setting that documents the server restart requirement.
