chore: migrate five more client DDP callers to new REST endpoints #40724
Looks like this PR is not ready to merge, because of the following issues:
Please fix the issues and try again. If you have any trouble, please check the PR guidelines
🦋 Changeset detected
Latest commit: 8ec18f6
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 3 packages
Walkthrough
Migrates four DDP client methods (
Changes
DDP to REST Migration Batch 3
Sequence Diagram
sequenceDiagram
participant Client
participant RestAPI
participant SharedHelper
participant SubscriptionsDB
participant NotifyListener
rect rgba(100, 149, 237, 0.5)
note over Client, NotifyListener: POST /v1/im.blockUser (block: true)
Client->>RestAPI: POST /v1/im.blockUser { roomId, block: true }
RestAPI->>RestAPI: lookup room by roomId, derive target uid
RestAPI->>SharedHelper: blockUserMethod(userId, { rid, blocked })
SharedHelper->>SubscriptionsDB: fetch both subscriptions (parallel)
SharedHelper->>SubscriptionsDB: setBlockedByRoomId(rid, userId, blocked)
SharedHelper->>NotifyListener: notifyOnSubscriptionChangedByRoomIdAndUserIds
RestAPI-->>Client: { success: true }
end
rect rgba(144, 238, 144, 0.5)
note over Client, NotifyListener: POST /v1/settings (bulk)
Client->>RestAPI: POST /v1/settings { settings: [{_id, value}] }
RestAPI->>SharedHelper: saveSettingsBulk(uid, settings, audit)
SharedHelper->>SharedHelper: check permissions, validate values by type
SharedHelper->>SubscriptionsDB: Settings.updateValueById each
SharedHelper->>NotifyListener: notifyOnSettingChangedById (if modified)
RestAPI-->>Client: 200 success
end
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~60 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
| '/v1/users.block': { | ||
| POST: (params: UsersBlockParamsPOST) => void; | ||
| }; | ||
|
|
||
| '/v1/users.unblock': { | ||
| POST: (params: UsersUnblockParamsPOST) => void; | ||
| }; |
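Review bot: Both POST signatures, on '/v1/users.block' and '/v1/users.unblock', are typed as returning void, so callers and tests get no typed response to check. If the handlers send a body (the walkthrough shows { success: true } for the block call), declare that return type here.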
it should be im.blockuser : true/false
| }); | ||
| }); | ||
|
|
||
| // TODO migrate these three cases to POST /v1/settings.bulk once the deprecated DDP method is removed. |
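Review bot: The TODO on the last line carries no issue reference or owner, so the three cases stay on the deprecated DDP method with nothing tracking the follow-up. Either cover POST /v1/settings.bulk in this change or put a tracking issue id in the comment.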
add tests for the new endpoints now
Actionable comments posted: 2
🧹 Nitpick comments (3)
packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts (1)
3-6: ⚡ Quick win
Use domain-model indexed id types instead of raw `string`.
At Line 4-Line 5, prefer model-derived id types to keep REST typings aligned with core contracts.
Based on learnings: "In Rocket.Chat REST endpoint typings ... keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access ...)."
Suggested fix
+import type { ISubscription, IUser } from '`@rocket.chat/core-typings`'; import { ajv } from '../Ajv'; export type UsersBlockParamsPOST = { - rid: string; - userId: string; + rid: ISubscription['rid']; + userId: IUser['_id']; };🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts` around lines 3 - 6, The UsersBlockParamsPOST type currently uses raw strings for rid and userId; change those fields to use the domain model indexed id types instead (e.g., replace rid: string and userId: string with the room and user id types from the models such as IRoom['_id'] for rid and IUser['_id'] for userId) so the REST typings align with core contracts and established conventions.
packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts (1)
3-6: ⚡ Quick win
Use domain-model indexed id types instead of raw `string`.
At Line 4-Line 5, align these ids with core model types to avoid REST typing drift.
Based on learnings: "In Rocket.Chat REST endpoint typings ... keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access ...)."
Suggested fix
+import type { ISubscription, IUser } from '`@rocket.chat/core-typings`'; import { ajv } from '../Ajv'; export type UsersUnblockParamsPOST = { - rid: string; - userId: string; + rid: ISubscription['rid']; + userId: IUser['_id']; };🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts` around lines 3 - 6, The UsersUnblockParamsPOST type currently uses raw string for rid and userId; change these to use the domain-model indexed id types (e.g., set rid: IRoom['_id'] and userId: IUser['_id']) and add the corresponding imports for IUser and IRoom from the core/domain model module so the REST typing stays aligned with the established model types; update the UsersUnblockParamsPOST declaration to reference those indexed types instead of string.
apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts (1)
16-20: ⚡ Quick win
Remove inline implementation comments in this TS function.
Line 16 and Line 20 add explanatory comments inside implementation; please drop them to stay aligned with repo style rules.
As per coding guidelines: "`**/*.{ts,tsx,js}` ... Avoid code comments in the implementation."
Suggested fix
export const requestSubscriptionKeysMethod = async (userId: string): Promise<void> => { - // Get all encrypted rooms that the user is subscribed to and has no E2E key yet const subscriptions = await Subscriptions.findByUserIdWithoutE2E(userId).toArray(); const roomIds = subscriptions.map((subscription) => subscription.rid); - // For all subscriptions without E2E key, get the rooms that have encryption enabled const query = { e2eKeyId: { $exists: true,🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts` around lines 16 - 20, Remove the inline explanatory comments inside the implementation: delete the comment lines that describe "Get all encrypted rooms..." that sit above the Subscriptions.findByUserIdWithoutE2E(...) call and the comment before the following roomIds mapping ("For all subscriptions without E2E key..."); leave the code as-is (keep Subscriptions.findByUserIdWithoutE2E, subscriptions, and roomIds) but remove those two implementation comments to comply with the repository style guideline.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.changeset/ddp-migrate-batch3-callers.md:
- Line 2: The changeset .changeset/ddp-migrate-batch3-callers.md currently lists
only a patch bump for `@rocket.chat/meteor` but the PR adds new REST endpoints and
typing changes; update this changeset to use a minor bump and include
`@rocket.chat/rest-typings` in its package list so it matches the individual
endpoint changesets (rest-custom-sounds-delete.md,
rest-e2e-request-subscription-keys.md, rest-settings-bulk.md,
rest-users-block-unblock.md) that declare minor bumps for both
`@rocket.chat/meteor` and `@rocket.chat/rest-typings`.
In `@packages/rest-typings/src/v1/settings.ts`:
- Around line 102-106: The JSON schema for settings items allows missing "value"
but the TypeScript type SettingsBulkProps requires it; update the item schema
(the object that currently has properties "_id" and "value") so that "value" is
listed in the object's required array (in addition to "_id") and ensure
additionalProperties remains false so runtime validation matches the
SettingsBulkProps contract.
📒 Files selected for processing (29)
- .changeset/ddp-migrate-batch3-callers.md
- .changeset/rest-custom-sounds-delete.md
- .changeset/rest-e2e-request-subscription-keys.md
- .changeset/rest-settings-bulk.md
- .changeset/rest-users-block-unblock.md
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/users.ts
- apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts
- apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts
- apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts
- apps/meteor/app/lib/server/functions/blockUser.ts
- apps/meteor/app/lib/server/functions/saveSettingsBulk.ts
- apps/meteor/app/lib/server/functions/unblockUser.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- apps/meteor/client/providers/SettingsProvider.tsx
- apps/meteor/client/views/admin/customSounds/EditSound.tsx
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/methods.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- packages/rest-typings/src/v1/users.ts
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts
- apps/meteor/app/lib/server/functions/blockUser.ts
- apps/meteor/client/views/admin/customSounds/EditSound.tsx
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- apps/meteor/app/lib/server/functions/unblockUser.ts
- apps/meteor/tests/end-to-end/api/methods.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
- apps/meteor/client/providers/SettingsProvider.tsx
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/functions/saveSettingsBulk.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts
- apps/meteor/app/api/server/v1/users.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- packages/rest-typings/src/v1/users.ts
- apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts
🧠 Learnings (12)
📚 Learning: 2026-02-10T16:32:42.586Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.
Applied to files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
📚 Learning: 2026-05-11T20:30:35.265Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.
Applied to files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.
Applied to files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts
- apps/meteor/app/lib/server/functions/blockUser.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- apps/meteor/app/lib/server/functions/unblockUser.ts
- apps/meteor/tests/end-to-end/api/methods.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/functions/saveSettingsBulk.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts
- apps/meteor/app/api/server/v1/users.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- packages/rest-typings/src/v1/users.ts
- apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.
Applied to files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts
- apps/meteor/app/lib/server/functions/blockUser.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- apps/meteor/app/lib/server/functions/unblockUser.ts
- apps/meteor/tests/end-to-end/api/methods.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/functions/saveSettingsBulk.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts
- apps/meteor/app/api/server/v1/users.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- packages/rest-typings/src/v1/users.ts
- apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.
Applied to files:
- apps/meteor/client/lib/e2ee/rocketchat.e2e.ts
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts
- apps/meteor/app/lib/server/functions/blockUser.ts
- apps/meteor/client/views/admin/customSounds/EditSound.tsx
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- apps/meteor/app/lib/server/functions/unblockUser.ts
- apps/meteor/tests/end-to-end/api/methods.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
- apps/meteor/client/providers/SettingsProvider.tsx
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/functions/saveSettingsBulk.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts
- apps/meteor/app/api/server/v1/users.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- packages/rest-typings/src/v1/users.ts
- apps/meteor/app/e2e/server/methods/requestSubscriptionKeys.ts
📚 Learning: 2026-03-16T21:50:37.589Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.
Applied to files:
- .changeset/rest-custom-sounds-delete.md
- .changeset/rest-users-block-unblock.md
- .changeset/rest-settings-bulk.md
- .changeset/rest-e2e-request-subscription-keys.md
- .changeset/ddp-migrate-batch3-callers.md
📚 Learning: 2026-05-11T23:14:59.316Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40469
File: packages/rest-typings/src/v1/users.ts:337-337
Timestamp: 2026-05-11T23:14:59.316Z
Learning: In Rocket.Chat REST endpoint typings (e.g., packages/rest-typings/src/v1/users.ts and other rest-typings files), keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access like IUser['statusExpiresAt']) rather than swapping individual fields to serialized primitives (like string) in an ad-hoc way. If a truly different “serialized” representation is needed, perform the refactor consistently across the codebase (not just a single endpoint/field) and ensure all related REST typings stay aligned with the shared serialization types.
Applied to files:
- packages/rest-typings/src/v1/users/UsersBlockParamsPOST.ts
- packages/rest-typings/src/v1/customSounds.ts
- packages/rest-typings/src/v1/settings.ts
- packages/rest-typings/src/v1/users/UsersUnblockParamsPOST.ts
- packages/rest-typings/src/v1/users.ts
📚 Learning: 2026-03-27T14:52:56.865Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.
Applied to files:
- apps/meteor/client/views/admin/customSounds/EditSound.tsx
- apps/meteor/client/providers/SettingsProvider.tsx
📚 Learning: 2026-02-23T17:53:06.802Z
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.
Applied to files:
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/api/server/v1/users.ts
📚 Learning: 2026-02-24T19:09:01.522Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.
Applied to files:
- apps/meteor/app/api/server/v1/e2e.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/api/server/v1/users.ts
📚 Learning: 2026-03-15T14:31:25.380Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:710-757
Timestamp: 2026-03-15T14:31:25.380Z
Learning: Do not flag this type/schema misalignment in the OpenAPI/migration review for apps/meteor/app/api/server/v1/users.ts. The UserCreateParamsPOST type intentionally uses non-optional fields: fields: string and settings?: IUserSettings without an AJV schema entry, carried over from the original rest-typings (PR `#39647`). Treat this as a known pre-existing divergence and document it as a separate follow-up fix; do not block or mark it as a review issue during the migration.
Applied to files:
apps/meteor/app/api/server/v1/users.ts
📚 Learning: 2026-03-16T23:33:11.443Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:11.443Z
Learning: In rockets OpenAPI/AJV migration reviews for RocketChat/Rocket.Chat, when reviewing migrations that involve apps/meteor/app/api/server/v1/users.ts, do not require or flag a missing query AJV schema for the fields consumed by parseJsonQuery() (i.e., fields, sort, query) as part of this endpoint's migration PR. The addition of global query-param schemas for parseJsonQuery() usage is a cross-cutting concern and out of scope for individual endpoint migrations. Only flag violations related to the specific scope of the migration, not the absence of a query schema for parseJsonQuery() in this file.
Applied to files:
apps/meteor/app/api/server/v1/users.ts
🔇 Additional comments (24)
.changeset/rest-custom-sounds-delete.md (1)
1-7: LGTM!
.changeset/rest-e2e-request-subscription-keys.md (1)
1-7: LGTM!
.changeset/rest-settings-bulk.md (1)
1-7: LGTM!
.changeset/rest-users-block-unblock.md (1)
1-7: LGTM!
apps/meteor/tests/end-to-end/api/custom-sounds.ts (1)
32-32: LGTM!
apps/meteor/tests/end-to-end/api/methods.ts (1)
3217-3217: LGTM!
packages/rest-typings/src/v1/customSounds.ts (1)
90-104: LGTM!
packages/rest-typings/src/v1/users.ts (1)
11-19: LGTM!
Also applies to: 377-383, 397-398
apps/meteor/app/custom-sounds/server/lib/deleteCustomSound.ts (1)
9-25: LGTM!
apps/meteor/app/lib/server/functions/blockUser.ts (1)
8-35: LGTM!
apps/meteor/app/lib/server/functions/saveSettingsBulk.ts (2)
1-14: LGTM!
Also applies to: 38-129
85-91: Check whether `range` settings should allow floating-point values
`apps/meteor/app/lib/server/functions/saveSettingsBulk.ts` (lines 85-91) validates `type: 'range'` using `checkInteger`, so decimals would be rejected; the existing `type: 'range'` settings found in `apps/meteor/server/settings/accounts.ts` don’t specify fractional bounds/step, so this may be intentional—confirm that `checkSettingValueBounds` and the range schema/UI expectations match integer-only behavior.
apps/meteor/app/lib/server/functions/unblockUser.ts (1)
1-23: LGTM!
apps/meteor/app/custom-sounds/server/methods/deleteCustomSound.ts (1)
15-27: LGTM!
apps/meteor/app/lib/server/methods/blockUser.ts (1)
15-31: LGTM!
apps/meteor/app/lib/server/methods/unblockUser.ts (1)
15-31: LGTM!
apps/meteor/app/api/server/v1/custom-sounds.ts (1)
286-307: LGTM!
apps/meteor/app/api/server/v1/e2e.ts (1)
200-217: LGTM!
apps/meteor/app/api/server/v1/settings.ts (1)
18-18: LGTM!
Also applies to: 21-21, 30-30, 410-433
apps/meteor/app/api/server/v1/users.ts (1)
26-27: LGTM!
Also applies to: 57-57, 75-75, 1816-1854
apps/meteor/client/lib/e2ee/rocketchat.e2e.ts (1)
516-516: LGTM!
apps/meteor/client/providers/SettingsProvider.tsx (1)
4-4: LGTM!
Also applies to: 99-99, 109-109
apps/meteor/client/views/admin/customSounds/EditSound.tsx (1)
3-3: LGTM!
Also applies to: 39-39, 79-79
apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts (1)
3-10: LGTM!
Also applies to: 31-33, 37-37
| @@ -0,0 +1,10 @@ | |||
| --- | |||
| '@rocket.chat/meteor': patch | |||
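Review bot: The front matter on line 2 lists only '@rocket.chat/meteor', at patch level, which understates a change whose title says it targets new REST endpoints. List every package whose public surface changes and pick the bump level that matches new API surface.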
Version bump and package scope inconsistency.
This changeset declares a patch bump for @rocket.chat/meteor only, but the individual endpoint changesets (rest-custom-sounds-delete.md, rest-e2e-request-subscription-keys.md, rest-settings-bulk.md, rest-users-block-unblock.md) all declare minor bumps for both @rocket.chat/rest-typings and @rocket.chat/meteor. Since this PR adds new REST endpoints (new public API surface) and introduces new types/validators in @rocket.chat/rest-typings (per the stack context), this changeset should match the others.
📝 Suggested fix
---
-'`@rocket.chat/meteor`': patch
+'`@rocket.chat/rest-typings`': minor
+'`@rocket.chat/meteor`': minor
---
5 issues found across 29 files
| case 'range': | ||
| check(value, Number); | ||
| checkInteger(value); | ||
| checkSettingValueBounds(setting, value); |
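Review bot: The 'range' case chains three validators whose results are unused, so they can only reject by throwing, and nothing shown here exercises the boundaries. Add API tests for this branch with the minimum, the maximum, 0, a negative value, a non-integer and a value just outside each bound, and assert that a rejected item leaves the stored value unchanged.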
P1: This new bounds-check call currently allows 0 to bypass min/max validation because the helper treats falsy values as absent. That can persist out-of-range numeric settings through the bulk endpoint.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/lib/server/functions/saveSettingsBulk.ts, line 90:
<comment>This new bounds-check call currently allows `0` to bypass min/max validation because the helper treats falsy values as absent. That can persist out-of-range numeric settings through the bulk endpoint.</comment>
<file context>
@@ -0,0 +1,129 @@
+ case 'range':
+ check(value, Number);
+ checkInteger(value);
+ checkSettingValueBounds(setting, value);
+ break;
+ case 'multiSelect':
</file context>
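The falsy-zero bypass described in the comment above, as an added TypeScript example that is not part of this PR or of Rocket.Chat's code. Both helper bodies, the `Example_*` setting ids and the sample payload are constructed for illustration, since the real `checkSettingValueBounds` is not shown on this page.

```typescript
// Added illustration: the helper bodies, the Example_* ids and the payload are
// constructed for this example and are not Rocket.Chat's own code.
type BoundedSetting = { _id: string; type: 'int' | 'range'; min?: number; max?: number };
type SettingUpdate = { _id: string; value: number };
type BoundsCheck = (setting: BoundedSetting, value: number) => string | null;

// Compares a value that is known to be present against the declared bounds.
// Bounds are tested with `!== undefined` so that a bound of 0 is still applied.
function compareToBounds(setting: BoundedSetting, value: number): string | null {
	if (setting.min !== undefined && value < setting.min) {
		return `${setting._id}: ${value} is below min ${setting.min}`;
	}
	if (setting.max !== undefined && value > setting.max) {
		return `${setting._id}: ${value} is above max ${setting.max}`;
	}
	return null;
}

// Pattern the review comment describes: a truthiness test stands in for
// "was a value supplied?", so 0 returns before min/max are ever compared.
const boundsErrorFalsyGuard: BoundsCheck = (setting, value) => {
	if (!value) {
		return null; // 0 leaves here as if no value had been sent
	}
	return compareToBounds(setting, value);
};

// Hardened form: only a non-number or non-finite input is refused up front;
// 0 is compared against the bounds like any other number.
const boundsErrorStrict: BoundsCheck = (setting, value) => {
	if (typeof value !== 'number' || !isFinite(value)) {
		return `${setting._id}: value must be a finite number`;
	}
	return compareToBounds(setting, value);
};

// Runs a bulk payload through one checker and returns the ids that would be
// persisted. Updates for unknown ids are never accepted.
function acceptedIds(defs: BoundedSetting[], updates: SettingUpdate[], check: BoundsCheck): string[] {
	const byId: { [id: string]: BoundedSetting | undefined } = Object.create(null);
	defs.forEach((def) => {
		byId[def._id] = def;
	});
	return updates
		.filter((update) => {
			const def = byId[update._id];
			return def !== undefined && check(def, update.value) === null;
		})
		.map((update) => update._id);
}

// Constructed setting definitions (hypothetical ids).
const SAMPLE_DEFS: BoundedSetting[] = [
	{ _id: 'Example_Retry_Limit', type: 'range', min: 1, max: 10 },
	{ _id: 'Example_Timeout_Seconds', type: 'int', min: 5, max: 60 },
	{ _id: 'Example_Max_Uploads', type: 'int', min: 1, max: 100 },
	{ _id: 'Example_Offset', type: 'range', min: -5, max: 5 },
];

// Constructed bulk payload: one out-of-range 0, one valid value,
// one out-of-range 101, and one 0 that is legitimately inside its range.
const SAMPLE_UPDATES: SettingUpdate[] = [
	{ _id: 'Example_Retry_Limit', value: 0 },
	{ _id: 'Example_Timeout_Seconds', value: 30 },
	{ _id: 'Example_Max_Uploads', value: 101 },
	{ _id: 'Example_Offset', value: 0 },
];
```

Passing `SAMPLE_UPDATES` through `acceptedIds` with each checker shows the difference: the falsy guard lets `Example_Retry_Limit` through with `0`, while the strict form rejects it and still accepts the in-range `0` for `Example_Offset`.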
| const siteName = await Settings.findOneById('Site_Name'); | ||
|
|
||
| if (siteName?.value === siteName?.packageValue || siteName?.value === settings.get('Organization_Name')) { | ||
| params.push({ |
P1: Avoid appending a second Site_Name update when one is already present in the request; this can trigger concurrent writes to the same setting and produce nondeterministic final values.
(Based on your team's feedback about concurrency-related behavioral changes.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/lib/server/functions/saveSettingsBulk.ts, line 56:
<comment>Avoid appending a second `Site_Name` update when one is already present in the request; this can trigger concurrent writes to the same setting and produce nondeterministic final values.
(Based on your team's feedback about concurrency-related behavioral changes.) </comment>
<file context>
@@ -0,0 +1,129 @@
+ const siteName = await Settings.findOneById('Site_Name');
+
+ if (siteName?.value === siteName?.packageValue || siteName?.value === settings.get('Organization_Name')) {
+ params.push({
+ _id: 'Site_Name',
+ value: orgName.value,
</file context>
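Review bot: in the `if` condition, `siteName?.value === siteName?.packageValue` compares `undefined` with `undefined` when `Settings.findOneById('Site_Name')` returns no document, so the branch runs and pushes a `Site_Name` update for a setting that was never loaded. Guard the block with an explicit `siteName &&` check (or return early) before comparing the two values.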
| ); | ||
|
|
||
| API.v1.post( | ||
| 'settings.bulk', |
I think this should be
| 'settings.bulk', | |
| 'settings', |
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## develop #40724 +/- ##
===========================================
- Coverage 70.14% 70.14% -0.01%
===========================================
Files 3355 3355
Lines 129266 129266
Branches 22371 22365 -6
===========================================
- Hits 90674 90668 -6
- Misses 35291 35302 +11
+ Partials 3301 3296 -5
Actionable comments posted: 1
🧹 Nitpick comments (1)
apps/meteor/tests/end-to-end/api/settings.ts (1)
151-195: ⚡ Quick win
Add a bulk-settings 2FA enforcement test.
Given this endpoint enforces 2FA for relevant settings, this suite should include at least one case asserting rejection without valid 2FA context (and/or success with it) to protect that security contract.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/tests/end-to-end/api/settings.ts` around lines 151 - 195, Add a test case to this suite that verifies the bulk POST to post(api('settings')) rejects updates to a 2FA-protected setting when no valid 2FA context is present: call updatePermission('edit-privileged-setting', []) if needed, send a .post(api('settings')) request with a settings array that includes a known 2FA-enforced setting id (use the same request/.send pattern used for LDAP_Enable), and assert a 400 response and error matching /error-action-not-allowed/; also add a complementary case that supplies valid 2FA context (or required token) and asserts success to cover the allowed path. Ensure you reuse credentials and the same request helpers shown in the file.
📒 Files selected for processing (19)
- .changeset/ddp-migrate-batch3-callers.md
- .changeset/rest-im-block-user.md
- .changeset/rest-settings-post.md
- apps/meteor/app/api/server/v1/custom-sounds.ts
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/methods/saveSettings.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- apps/meteor/client/providers/SettingsProvider.tsx
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/direct-message.ts
- apps/meteor/tests/end-to-end/api/settings.ts
- apps/meteor/tests/end-to-end/api/users.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/index.ts
- packages/rest-typings/src/v1/settings.ts
💤 Files with no reviewable changes (1)
- apps/meteor/app/api/server/v1/custom-sounds.ts
✅ Files skipped from review due to trivial changes (3)
- .changeset/rest-im-block-user.md
- .changeset/rest-settings-post.md
- packages/rest-typings/src/v1/dm/index.ts
🚧 Files skipped from review as they are similar to previous changes (6)
- .changeset/ddp-migrate-batch3-callers.md
- apps/meteor/client/providers/SettingsProvider.tsx
- apps/meteor/app/lib/server/methods/saveSettings.ts
- apps/meteor/app/lib/server/methods/blockUser.ts
- apps/meteor/app/lib/server/methods/unblockUser.ts
- packages/rest-typings/src/v1/settings.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
- GitHub Check: cubic · AI code reviewer
- GitHub Check: 📦 Build Packages
- GitHub Check: CodeQL-Build
- GitHub Check: CodeQL-Build
- GitHub Check: Hacktron Security Check
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
- apps/meteor/tests/end-to-end/api/users.ts
- apps/meteor/tests/end-to-end/api/direct-message.ts
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/settings.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
🧠 Learnings (8)
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.
Applied to files:
- apps/meteor/tests/end-to-end/api/users.ts
- apps/meteor/tests/end-to-end/api/direct-message.ts
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/settings.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.
Applied to files:
- apps/meteor/tests/end-to-end/api/users.ts
- apps/meteor/tests/end-to-end/api/direct-message.ts
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/settings.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.
Applied to files:
- apps/meteor/tests/end-to-end/api/users.ts
- apps/meteor/tests/end-to-end/api/direct-message.ts
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
- apps/meteor/tests/end-to-end/api/custom-sounds.ts
- apps/meteor/tests/end-to-end/api/settings.ts
- apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
📚 Learning: 2026-05-11T23:14:59.316Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40469
File: packages/rest-typings/src/v1/users.ts:337-337
Timestamp: 2026-05-11T23:14:59.316Z
Learning: In Rocket.Chat REST endpoint typings (e.g., packages/rest-typings/src/v1/users.ts and other rest-typings files), keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access like IUser['statusExpiresAt']) rather than swapping individual fields to serialized primitives (like string) in an ad-hoc way. If a truly different “serialized” representation is needed, perform the refactor consistently across the codebase (not just a single endpoint/field) and ensure all related REST typings stay aligned with the shared serialization types.
Applied to files:
- packages/rest-typings/src/v1/dm/im.ts
- packages/rest-typings/src/v1/dm/DmBlockUserProps.ts
📚 Learning: 2026-02-10T16:32:42.586Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.
Applied to files:
apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
📚 Learning: 2026-05-11T20:30:35.265Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.
Applied to files:
apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts
📚 Learning: 2026-02-23T17:53:06.802Z
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.
Applied to files:
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
📚 Learning: 2026-02-24T19:09:01.522Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.
Applied to files:
- apps/meteor/app/api/server/v1/im.ts
- apps/meteor/app/api/server/v1/settings.ts
🔇 Additional comments (9)
packages/rest-typings/src/v1/dm/DmBlockUserProps.ts (1)
1-24: LGTM!
packages/rest-typings/src/v1/dm/im.ts (1)
3-3: LGTM! Also applies to: 80-82
apps/meteor/app/api/server/v1/settings.ts (1)
410-433: LGTM!
apps/meteor/app/api/server/v1/im.ts (1)
12-12: LGTM! Also applies to: 30-32, 930-965, 992-993
apps/meteor/client/views/room/hooks/useUserInfoActions/actions/useBlockUserAction.ts (1)
30-31: LGTM! Also applies to: 35-35
apps/meteor/tests/end-to-end/api/custom-sounds.ts (2)
34-40: LGTM!
470-522: LGTM!
apps/meteor/tests/end-to-end/api/direct-message.ts (1)
61-105: LGTM!
apps/meteor/tests/end-to-end/api/users.ts (1)
250-264: LGTM!
| it('should fail when called on a non-DM room', async () => { | ||
| await request | ||
| .post(api('im.blockUser')) | ||
| .set(credentials) | ||
| .send({ roomId: 'GENERAL', block: true }) | ||
| .expect((res) => { | ||
| expect(res.body).to.have.property('success', false); | ||
| }); |
Assert the HTTP status for non-DM rejection.
This case only checks success: false; add an explicit status expectation to prevent false positives if the error contract regresses.
Suggested tightening
it('should fail when called on a non-DM room', async () => {
await request
.post(api('im.blockUser'))
.set(credentials)
.send({ roomId: 'GENERAL', block: true })
+ .expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
});
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@apps/meteor/tests/end-to-end/api/direct-message.ts` around lines 107 - 114,
The test "should fail when called on a non-DM room" currently only asserts
res.body.success is false; update the request assertion to also check the HTTP
status code expected for non-DM rejections (e.g., add .expect(400) on the POST
to im.blockUser before the body assertion) so the test fails if the API starts
returning a 2xx or other unexpected status; modify the test around the request
variable and im.blockUser call to include the explicit .expect(status)
assertion.
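Review bot: with `.expect(400)` added, the test still passes for any 400 whose body has `success: false`, and the commit notes on this page list a missing `roomId`/`block` as a 400 on the same route, so a schema rejection would look identical to the non-DM rejection. Assert on the error text in `res.body` as well, so the case proves the room-type check is what refused `roomId: 'GENERAL'`.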
2 issues found across 26 files (changes from recent commits).
| ); | ||
|
|
||
| API.v1.post( | ||
| 'settings', |
P1: Renaming the bulk settings endpoint from /v1/settings.bulk to /v1/settings is a breaking API change for existing REST clients. Keep the old route (or provide an alias) while migrating callers.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/v1/settings.ts, line 411:
<comment>Renaming the bulk settings endpoint from `/v1/settings.bulk` to `/v1/settings` is a breaking API change for existing REST clients. Keep the old route (or provide an alias) while migrating callers.</comment>
<file context>
@@ -408,7 +408,7 @@ API.v1.post(
API.v1.post(
- 'settings.bulk',
+ 'settings',
{
authRequired: true,
</file context>
Actionable comments posted: 0
sampaiodiego left a comment
There are a few minor items worth considering.
| 200: ajv.compile<void>({ | ||
| type: 'object', | ||
| }), |
ideally the return type should be correctly enforced.
| 200: ajv.compile<void>({ | |
| type: 'object', | |
| }), | |
| 200: ajv.compile<void>({ | |
| type: 'object', | |
| properties: { | |
| success: { type: 'boolean', enum: [true] }, | |
| }, | |
| required: ['success'], | |
| additionalProperties: false, | |
| }), |
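Review bot: the suggested schema now requires `success: true`, but the type parameter on `ajv.compile<void>` is unchanged, so the declared TypeScript type still says the 200 body is `void` while the validator demands an object with a `success` property. Change the type parameter to describe the same shape as the schema so typing and runtime validation cannot drift apart.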
| await Promise.all( | ||
| params.map(async ({ _id, value }) => { | ||
| // Verify the _id passed in is a string. | ||
| check(_id, String); |
ideally we should have no check nor Meteor code inside this "pure" function
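Review bot: `check(_id, String)` runs inside the `Promise.all(params.map(async ...))` callback, so the items are validated concurrently with one another rather than before any of them is processed; if the write lives in the same callback, one bad `_id` rejects the call after other settings have already been saved. Validate the whole `params` array in a first pass and start the writes only once every item has passed.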
Extract blockUserMethod/unblockUserMethod into
app/lib/server/functions/ and reuse them from REST + DDP.
Body is { rid, userId }, mirroring users.resetE2EKey naming.
Permission is per-room via RoomMemberActions.BLOCK — the same
check the DDP method already enforces; unblock has no permission
check today and the REST endpoint keeps parity to avoid a silent
regression.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Extract saveSettingsBulk into app/lib/server/functions/ and call it from both REST and DDP. The endpoint is auth-gated, enforces 2FA (disableRememberMe), and reuses the per-setting permission chain (edit-privileged-setting OR manage-selected-settings + per -id permission) the DDP method already enforced.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Export requestSubscriptionKeysMethod and reuse it from REST + DDP. No body — the server reads this.userId and fans out notify.e2e.keyRequest broadcasts for the caller's encrypted subscriptions, matching the DDP method's behavior.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
6fe990e to 174e60a
- deleteCustomSound -> POST /v1/custom-sounds.delete
- blockUser/unblockUser -> POST /v1/users.block / /v1/users.unblock
- saveSettings -> POST /v1/settings.bulk
- e2e.requestSubscriptionKeys -> POST /v1/e2e.requestSubscriptionKeys
The DDP methods stay registered on the server for external SDK/mobile clients with a deprecation log pointing at the REST route.
Flag the two e2e specs that still drive these methods through /v1/method.call (custom-sounds + methods) with TODOs so they can be migrated when the DDP methods are removed in 9.0.0.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Move bulk settings save from POST /v1/settings.bulk to POST /v1/settings
to align with REST convention (sibling of the existing GET).
- Require 'value' in each settings.bulk item schema so runtime validation
matches the SettingsBulkProps contract.
- Drop the 404 response declaration from custom-sounds.delete (invalid
sound id is currently returned as a 400 by the shared error wrapper).
- Replace POST /v1/users.block and POST /v1/users.unblock with a single
POST /v1/im.blockUser toggle (body { roomId, block: boolean }) under
the im.* namespace, since the BLOCK directive is DM-only. The other
participant is derived from room.uids server-side.
DDP methods (blockUser, unblockUser, saveSettings) keep their
deprecation logs pointing at the renamed routes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- /custom-sounds.delete: 401, 400 (missing/empty _id), 403 (no manage-sounds), happy path + GET returns 404, error for invalid id.
- /settings (POST bulk): 401, 400 (missing/empty/invalid item), happy path verifying values land via subsequent GET, fail without edit-privileged-setting permission.
- /im.blockUser: 401, 400 (missing roomId/block), happy path verifies subscription.blocker flag flips, fail on non-DM room.
- /e2e.requestSubscriptionKeys: 401 + success path.
Switch the custom-sounds test helper to call the new REST endpoint directly (drops the method.call/deleteCustomSound TODO) and drop the corresponding saveSettings TODO from methods.ts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The route was registered via apps/meteor's declare-module augmentation of Endpoints, which sdk.rest.post's type doesn't pick up because @rocket.chat/api-client compiles against rest-typings only. Move the declaration into packages/rest-typings/src/v1/e2e.ts so sdk.rest.post sees it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The helper was driving the DDP saveSettings method through /api/v1/method.call/saveSettings. With the deprecation log now attached, TEST_MODE=true makes the method throw — so SAML beforeAll's resetTestData silently fails to apply the SAML configuration and the Login button never renders, failing the SAML e2e suite. Switch the helper to the new POST /v1/settings bulk endpoint introduced in this PR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
174e60a to 8ec18f6
/jira ARCH-2156
Summary
Continues the DDP→REST sweep started in #40711. Adds five brand-new REST endpoints to replace the last batch of DDP methods that had direct client callers but no REST equivalent. The DDP methods stay registered on the server (so external SDK/mobile clients keep working) but each one now emits a `methodDeprecationLogger.method(NAME, '9.0.0', '/v1/...')` line pointing at the new route, and delegates to a shared server function so the business logic isn't duplicated.
New endpoints
| DDP method | REST endpoint | Notes |
|---|---|---|
| `deleteCustomSound` | `POST /v1/custom-sounds.delete` | `manage-sounds` perm |
| `blockUser`/`unblockUser` | `POST /v1/users.block`/`POST /v1/users.unblock` | `RoomMemberActions.BLOCK` directive; unblock keeps DDP's existing no-perm-check behavior (flagged below) |
| `saveSettings` | `POST /v1/settings.bulk` | `twoFactorRequired` (`disableRememberMe`); same per-setting perm chain as the DDP method |
| `e2e.requestSubscriptionKeys` | `POST /v1/e2e.requestSubscriptionKeys` | `notify.e2e.keyRequest` |
Client callers migrated
- `EditSound.tsx` (`useMethod` → `useEndpoint`)
- `useBlockUserAction.ts` (binds both endpoints, keeps the `isUserBlocked ? unblockUser : blockUser` ternary)
- `SettingsProvider.tsx` (now sends `{ settings: [...] }`)
- `rocketchat.e2e.ts` (non-hook caller uses `sdk.rest.post`)
Known follow-ups
- `unblockUser` has no permission check today; this PR preserves that parity to avoid silent regression. Worth gating behind `RoomMemberActions.BLOCK` (or its unblock counterpart) in a follow-up.
- `deleteCustomSound`/`saveSettings` through `/v1/method.call` (`apps/meteor/tests/end-to-end/api/custom-sounds.ts`, `apps/meteor/tests/end-to-end/api/methods.ts`). They keep working because the DDP methods stay registered; TODO comments are in place to migrate them when the deprecated DDP methods are removed in 9.0.0.
Test plan
- `blocker`/`blocked` flags flip, both endpoints emit subscription-changed broadcasts
- `notify.e2e.keyRequest` fan-out
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
- `/v1/e2e.requestSubscriptionKeys`, `/v1/im.blockUser`, `/v1/settings` (bulk), and `/v1/custom-sounds.delete`.
Deprecations
- `e2e.requestSubscriptionKeys`, `blockUser`, `unblockUser`, `saveSettings`, `deleteCustomSound`) now emit deprecation notices directing users to corresponding REST endpoints. Methods remain functional until version 9.0.0.
Task: ARCH-2177