admin setting to hide room owner on join of unauthenticated users

[danielwujecki]

Fixes #2843

Type

• Feature

Checklist

• Code updated to current develop branch head
• Passes CI checks
• Is a part of an issue
• Tests added for the bugfix or newly implemented feature, describe below why if not
• Changelog is updated
• Documentation of code and features exists

Changes

• Add migration and property for room.hide_owner_for_guests to RoomSettings.
• Add UI toggle switch to AdminSettings.vue under room settings.
• Update RoomHeader.vue and RoomDetailsList.vue to hide the owner's name for unauthenticated users if the setting is enabled.
• Add corresponding translation keys to all locale files.
• Update Config.php and Settings.php resources to expose the setting to the frontend.

Other information

How to test:

1. Enable the new setting in Admin Panel -> Settings -> Rooms.
2. Visit a room URL as a guest (unauthenticated). The owner's name should be hidden.
3. Visit the same URL as an authenticated user. The owner's name should be visible.

Summary by CodeRabbit

• New Features
  • Admin setting to hide room owner from unauthenticated users; toggle added to admin settings and reflected in room details.
• Bug Fixes
  • Permission checks made more robust to handle missing owner data safely.
• Tests
  • Backend and frontend tests/e2e updated to cover the new setting and owner-visibility scenarios.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 207cf22 and c732b06.

📒 Files selected for processing (3)

• app/Http/Resources/Room.php
• tests/Frontend/e2e/AdminSettingsEdit.cy.js
• tests/Frontend/e2e/RoomsViewGeneral.cy.js

---

Walkthrough

Adds a new RoomSettings boolean (hide_owner_for_guests) with migration, admin UI toggle, validation, translations, conditional owner visibility in Room responses and UI, and corresponding backend and frontend tests and changelog entry.

Changes

Cohort / File(s)	Summary
Settings core app/Settings/RoomSettings.php, database/settings/2026_02_16_085258_add_room_hide_owner_for_guests_to_room_settings.php, CHANGELOG.md	Adds hide_owner_for_guests property, migration adding room.hide_owner_for_guests (default false), and documents feature in changelog.
Settings API & validation app/Http/Controllers/api/v1/SettingsController.php, app/Http/Requests/UpdateSettings.php, app/Http/Resources/Settings.php	Wires new input room_hide_owner_for_guests into update flow, adds validation rule (required
Room resource & policy app/Http/Resources/Room.php, resources/js/components/RoomDetailsList.vue, resources/js/policies/RoomPolicy.js	Makes owner inclusion conditional based on authentication and new setting; Vue component hides owner block when not provided; policies use optional chaining for owner access.
Admin UI resources/js/views/AdminSettings.vue, lang/en/admin.php, lang/en/validation.php	Adds admin fieldset/toggle for room_hide_owner_for_guests and translation/validation label entries.
Frontend components & tests resources/js/components/RoomShareButton.vue, tests/Frontend/fixtures/settings.json	Minor template reordering in RoomShareButton; adds fixture value for new setting.
Backend tests tests/Backend/Feature/api/v1/Room/RoomTest.php, tests/Backend/Feature/api/v1/SettingsTest.php	Adds test_hide_owner_for_guests() (duplicate entry present) and updates settings tests to include the new boolean field in payloads and assertions.
Frontend e2e tests tests/Frontend/e2e/AdminSettingsEdit.cy.js, tests/Frontend/e2e/AdminSettingsView.cy.js, tests/Frontend/e2e/RoomsViewGeneral.cy.js	Adds and updates Cypress tests covering admin toggle, payloads ("0"/"1"), validation, and hiding owner in guest view.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Reimplement frontend tests with cypress #1844 — overlaps on AdminSettings.vue UI additions and Cypress coverage.
• Fix Admin-UI management bugs #1588 — overlaps on UpdateSettings validation and settings form handling.

Suggested labels

enhancement, frontend, UI, tests, Complete - Waiting for review

Suggested reviewers

• SamuelWei
• danielmachill
• Sabr1n4W

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.73% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Out of Scope Changes check	❓ Inconclusive	Minor refactoring in RoomShareButton.vue and RoomPolicy.js for optional chaining (unrelated to core feature) and duplicate test method in RoomTest.php appear to be scope creep, but core functionality directly addresses the linked issue.	Review whether RoomShareButton.vue refactoring and duplicate test_hide_owner_for_guests() method are intentional or should be removed to keep the PR focused on the primary feature.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main feature: adding an admin setting to hide room owner from unauthenticated users.
Description check	✅ Passed	The description follows the template structure, specifies linked issue #2843, marks it as a Feature, includes most checklist items completed, lists key changes, and provides testing instructions.
Linked Issues check	✅ Passed	The code changes fully implement the linked issue requirements: new RoomSettings property and migration added, UI toggle in AdminSettings.vue, backend logic to hide owner from API response for guests, and translation keys for the new setting.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[samuelwei]

Thanks for your PR @danielwujecki

This fix is only hiding the name (visually), I would prefer hiding it from the API response. The frontend can check if the owner name is returned and show it.

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@app/Http/Controllers/api/v1/SettingsController.php`:
- Line 186: The assignment to RoomSettings::$hide_owner_for_guests uses
$request->input(), which can return raw strings and not reliably cast to a PHP
bool; replace the call with $request->boolean('room_hide_owner_for_guests') in
the SettingsController where $roomSettings->hide_owner_for_guests is set so the
value is properly converted to a boolean consistent with the other boolean
fields.

In `@CHANGELOG.md`:
- Around line 8-11: The entry "Add admin setting to hide room owner on join of
unauthenticated users" under the "[Unreleased]" section is missing a category
header; add a "### Added" header directly beneath "## [Unreleased]" and place
that bullet under it so the changelog follows the Keep a Changelog format
(locate the "[Unreleased]" section and the line containing the bullet to move
it).

In `@lang/ar/admin.php`:
- Line 391: The translation for the 'room_hide_owner_for_guests' key is still in
English; replace its value in the lang/ar/admin.php localization array with the
Arabic translation (e.g., "إخفاء مالك الغرفة عن المستخدمين غير المسجلين") so the
string matches the rest of the Arabic locale and preserves the same array key.

In `@lang/fa/admin.php`:
- Line 389: Replace the English value for the translation key
'room_hide_owner_for_guests' with a Persian translation so the Farsi locale is
consistent; update the value for 'room_hide_owner_for_guests' in the
lang/fa/admin.php translations to a proper Farsi string (e.g., "مخفی کردن مالک
اتاق از کاربران احراز هویت نشده").

[samuelwei]

Please remove all non-english locale changes, as they will be removed. All non-english locales are synced from PoEditor (one-way)

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

resources/js/components/RoomDetailsList.vue (1)

7-14: ⚠️ Potential issue | 🟠 Major

Frontend-only hiding is insufficient — owner data is still exposed in the API response.

As noted by reviewer samuelwei, the owner's name is still returned by the API and visible in network responses / browser dev tools. The backend should omit owner.name from the API response for unauthenticated users when the setting is enabled, and the frontend should conditionally render based on whether the field is present in the response rather than a separate flag.

This approach would also simplify this component — no need for the showRoomOwner prop if the API simply doesn't return the owner data.

🤖 Fix all issues with AI agents

In `@lang/de/admin.php`:
- Line 391: Remove the manual non-English locale entry by deleting the
'room_hide_owner_for_guests' => 'Eigentümer eines Raumes für Gäste verstecken'
array element from lang/de/admin.php so translations remain managed through
PoEditor; ensure no other manual German locale keys were added in the same file
and leave only keys that are synced from the canonical source or empty
placeholders if required by the loader.

[coderabbitai]

🧹 Nitpick comments (1)

app/Http/Resources/Room.php (1)

86-97: Good approach: owner data is properly excluded from the API response.

This correctly addresses the reviewer feedback to remove the owner from the API response rather than just hiding it in the frontend.

One minor note: the array on lines 95–96 is eagerly evaluated even when $showOwner is false. Consider using a closure to defer evaluation:

♻️ Suggested improvement

-        'owner' => $this->when($showOwner, [
-            'id' => $this->owner->id,
-            'name' => $this->owner->fullname,
-        ]),
+        'owner' => $this->when($showOwner, fn () => [
+            'id' => $this->owner->id,
+            'name' => $this->owner->fullname,
+        ]),

Since the owner relationship is likely already eager-loaded, this is a minor optimization, but it avoids unnecessary property access when the value will be discarded.

[danielwujecki]

Please remove all non-english locale changes, as they will be removed. All non-english locales are synced from PoEditor (one-way)

Done

This fix is only hiding the name (visually), I would prefer hiding it from the API response. The frontend can check if the owner name is returned and show it.

Good point, I improved this.

[samuelwei]

Please also run the code style fixers, see https://thm-health.github.io/PILOS/docs/development/code-style

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.27%. Comparing base (317d02e) to head (fbd1047).

Additional details and impacted files

@@              Coverage Diff              @@
##             develop    #2844      +/-   ##
=============================================
+ Coverage      96.77%   97.27%   +0.50%     
=============================================
  Files            440      177     -263     
  Lines          12479     6277    -6202     
  Branches        2073     2074       +1     
=============================================
- Hits           12076     6106    -5970     
+ Misses           403      171     -232     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (3)

app/Http/Resources/Room.php (1)

94-97: Use a Closure for lazy owner evaluation inside when().

PHP evaluates the array literal ['id' => $this->owner->id, ...] eagerly before passing it to when(). When $showOwner is false, $this->owner->id is still accessed (and any lazy-loaded relationship query is still fired), even though the value is immediately discarded. Wrapping in a Closure defers evaluation until the condition is true, which is the intended behaviour and the idiomatic Laravel pattern.

♻️ Proposed refactor

-            'owner' => $this->when($showOwner, [
-                'id' => $this->owner->id,
-                'name' => $this->owner->fullname,
-            ]),
+            'owner' => $this->when($showOwner, fn () => [
+                'id' => $this->owner->id,
+                'name' => $this->owner->fullname,
+            ]),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/Http/Resources/Room.php` around lines 94 - 97, The 'owner' array inside
Room resource's when() is being evaluated eagerly causing $this->owner (and its
lazy-loaded relation) to be accessed even when $showOwner is false; change the
second argument to when() to a Closure (use function() or fn() that returns
['id' => $this->owner->id, 'name' => $this->owner->fullname]) so the
$this->owner->id and $this->owner->fullname are only evaluated when $showOwner
is true.

tests/Frontend/e2e/RoomsViewGeneral.cy.js (1)

2109-2129: cy.interceptRoomFilesRequest() placed inside the fixture callback — inconsistent with the rest of the file.

Every other call to cy.interceptRoomFilesRequest() in this file is at the top-level of the test body (e.g., Lines 11, 439, 492). Placing it inside .then() works due to Cypress's command-queue semantics but can mislead readers into thinking intercept setup depends on the fixture contents.

♻️ Suggested normalisation

  it("hide room owner if not provided", function () {
+   cy.interceptRoomFilesRequest();
+
    cy.fixture("room.json").then((room) => {
-     cy.interceptRoomFilesRequest();
-
      delete room.data.owner;
      cy.intercept("GET", "api/v1/rooms/abc-def-123", {
        statusCode: 200,
        body: room,
      }).as("roomRequest");
    });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Frontend/e2e/RoomsViewGeneral.cy.js` around lines 2109 - 2129, Move the
cy.interceptRoomFilesRequest() call out of the cy.fixture("room.json").then(...)
callback and place it at the top-level of the test body (before calling
cy.intercept("GET", "api/v1/rooms/abc-def-123", ...) and before cy.visit(...))
so the intercept setup is consistent with other tests; update the test that uses
interceptRoomFilesRequest() and the room fixture modification (delete
room.data.owner) to only run inside the fixture callback while keeping
interceptRoomFilesRequest() as a top-level command.

tests/Frontend/e2e/AdminSettingsEdit.cy.js (1)

3078-3175: Missing 422 validation error coverage for room_hide_owner_for_guests in the error test.

The save changes errors test does not include the new field in any of the three required places:

1. 422 error body (lines 3078–3175): room_hide_owner_for_guests is absent, so the field's error-display path is never exercised.
2. Error display assertions (after line 3302): no cy.get('[data-test="room-hide-owner-field"]').should("include.text", ...) check.
3. Error-cleared assertions (after line 3489): no corresponding should("not.include.text", ...) check after the 500 response.

Every other room-section field (room_limit, room_token_expiration, room_file_terms_of_use, etc.) has all three. The new field should follow the same pattern:

🧪 Suggested additions

 // In the 422 error body object:
   room_file_terms_of_use: [
     "The selected room file terms of use is invalid.",
   ],
+  room_hide_owner_for_guests: [
+    "The selected room hide owner for guests field is invalid.",
+  ],

 // After the room-file-terms-of-use display check:
   cy.get('[data-test="room-file-terms-of-use-field"]').should(
     "include.text",
     "The selected room file terms of use is invalid.",
   );
+  cy.get('[data-test="room-hide-owner-field"]').should(
+    "include.text",
+    "The selected room hide owner for guests field is invalid.",
+  );

 // After the room-file-terms-of-use clear check (post-500):
   cy.get('[data-test="room-file-terms-of-use-field"]').should(
     "not.include.text",
     "The selected room file terms of use is invalid.",
   );
+  cy.get('[data-test="room-hide-owner-field"]').should(
+    "not.include.text",
+    "The selected room hide owner for guests field is invalid.",
+  );

Also applies to: 3282-3305, 3469-3492

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Frontend/e2e/AdminSettingsEdit.cy.js` around lines 3078 - 3175, Add the
missing 422 validation error for the new field and its corresponding assertions:
include "room_hide_owner_for_guests": ["The selected room hide owner for guests
field is invalid."] in the cy.intercept POST body that's aliased as
saveChangesRequest (the big error object), add a UI assertion that checks
cy.get('[data-test="room-hide-owner-field"]').should("include.text", "The
selected room hide owner for guests field is invalid.") in the error-display
assertions section (near the other room_* checks), and add the matching cleared
assertion
cy.get('[data-test="room-hide-owner-field"]').should("not.include.text", ...) in
the error-cleared assertions after the 500 response so the field follows the
same pattern as room_limit/room_file_terms_of_use/etc.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@app/Http/Resources/Room.php`:
- Around line 94-97: The 'owner' array inside Room resource's when() is being
evaluated eagerly causing $this->owner (and its lazy-loaded relation) to be
accessed even when $showOwner is false; change the second argument to when() to
a Closure (use function() or fn() that returns ['id' => $this->owner->id, 'name'
=> $this->owner->fullname]) so the $this->owner->id and $this->owner->fullname
are only evaluated when $showOwner is true.

In `@tests/Frontend/e2e/AdminSettingsEdit.cy.js`:
- Around line 3078-3175: Add the missing 422 validation error for the new field
and its corresponding assertions: include "room_hide_owner_for_guests": ["The
selected room hide owner for guests field is invalid."] in the cy.intercept POST
body that's aliased as saveChangesRequest (the big error object), add a UI
assertion that checks
cy.get('[data-test="room-hide-owner-field"]').should("include.text", "The
selected room hide owner for guests field is invalid.") in the error-display
assertions section (near the other room_* checks), and add the matching cleared
assertion
cy.get('[data-test="room-hide-owner-field"]').should("not.include.text", ...) in
the error-cleared assertions after the 500 response so the field follows the
same pattern as room_limit/room_file_terms_of_use/etc.

In `@tests/Frontend/e2e/RoomsViewGeneral.cy.js`:
- Around line 2109-2129: Move the cy.interceptRoomFilesRequest() call out of the
cy.fixture("room.json").then(...) callback and place it at the top-level of the
test body (before calling cy.intercept("GET", "api/v1/rooms/abc-def-123", ...)
and before cy.visit(...)) so the intercept setup is consistent with other tests;
update the test that uses interceptRoomFilesRequest() and the room fixture
modification (delete room.data.owner) to only run inside the fixture callback
while keeping interceptRoomFilesRequest() as a top-level command.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fbd1047 and 207cf22.

📒 Files selected for processing (13)

• CHANGELOG.md
• app/Http/Controllers/api/v1/SettingsController.php
• app/Http/Resources/Room.php
• lang/en/validation.php
• resources/js/components/RoomShareButton.vue
• resources/js/policies/RoomPolicy.js
• resources/js/views/AdminSettings.vue
• tests/Backend/Feature/api/v1/Room/RoomTest.php
• tests/Backend/Feature/api/v1/SettingsTest.php
• tests/Frontend/e2e/AdminSettingsEdit.cy.js
• tests/Frontend/e2e/AdminSettingsView.cy.js
• tests/Frontend/e2e/RoomsViewGeneral.cy.js
• tests/Frontend/fixtures/settings.json

✅ Files skipped from review due to trivial changes (1)

• resources/js/components/RoomShareButton.vue

🚧 Files skipped from review as they are similar to previous changes (2)

• CHANGELOG.md
• resources/js/views/AdminSettings.vue