fix!: Scoped roles are assignable through admin users page #34852

Draft
gabriellsh wants to merge 6 commits into develop from improve/hideScopedRolesAdmin

Conversation

@gabriellsh (Member) commented Dec 30, 2024

Proposed changes (including videos or screenshots)

Scoped roles only work when assigned in the context of a room, so there's no reason to show them in the admin page.

Additionally, if the user has scoped roles assigned, they'll be hidden in the select, which in turn will remove them the next time the user's roles are edited.

To reinforce, this SHOULD not impact any existing features or "unintended use", since scoped roles are ignored when checking global permissions.

Issue(s)

CORE-909

Steps to test or reproduce

Further comments

@dionisio-bot (Contributor, Bot) commented Dec 30, 2024

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot (Bot) commented Dec 30, 2024

🦋 Changeset detected

Latest commit: b464b09

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 35 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/instance-status Patch


@codecov (Bot) commented Dec 30, 2024

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.18%. Comparing base (d3fb166) to head (b464b09).
⚠️ Report is 2445 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff            @@
##           develop   #34852   +/-   ##
========================================
  Coverage    59.18%   59.18%           
========================================
  Files         2821     2821           
  Lines        67598    67598           
  Branches     15045    15045           
========================================
  Hits         40011    40011           
  Misses       24773    24773           
  Partials      2814     2814           
Flag Coverage Δ
unit 69.16% <ø> (ø)


@github-actions (Contributor, Bot) commented Dec 30, 2024

PR Preview Action v1.4.8
🚀 Deployed preview to https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-34852/
on branch gh-pages at 2025-01-06 18:20 UTC

@gabriellsh gabriellsh marked this pull request as ready for review December 31, 2024 01:34
@gabriellsh gabriellsh requested a review from a team as a code owner December 31, 2024 01:34
@MarcosSpessatto (Contributor) left a comment

Does it make sense to add a test to ensure this?

Comment thread apps/meteor/client/views/admin/users/AdminUserFormWithData.tsx
}
return {
...data,
user: { ...data.user, roles: data.user.roles.filter((role: string) => isTruthy(availableRoles.find(({ _id }) => _id === role))) },
Contributor commented:

Considering that availableRoles is an array of objects, couldn't we use availableRoles.some(...) instead of isTruthy?

Contributor commented:

Also, I don't know if this is a concern, but if availableRoles array is big enough I'd even consider creating a Set before. E.g const available = new Set(availableRoles.map(({ _id }) => _id) then using available.has(role).

Member (author) commented:

Yep, that does make sense. I don't think there would be a difference between find and some performance-wise, but it's way easier to read, thanks for catching this one.

I'm not sure it's necessary to make a set. I don't think roles ever exceed 50, and I think up to 100 this wouldn't be an issue. I'll do some manual perf testing just to make sure and come back to you, but I think that won't be necessary.

Member commented:

@aleksandernsilva too many data transformations between array and Set to make it worthy, I think.

Comment thread .changeset/fast-bananas-smell.md Outdated
@aleksandernsilva aleksandernsilva added this to the 7.3.0 milestone Jan 2, 2025
Co-authored-by: Aleksander Nicacio da Silva <aleksander.silva@rocket.chat>
@gabriellsh (Member, author) commented:

Does it make sense to add a test to ensure this?

@MarcosSpessatto I didn't do any tests yet because I'm waiting on product to green-light this change, since this is a suggestion of my own. I think it'll go through, but I decided to not spend effort on tests until I was sure.

@scuciatto scuciatto modified the milestones: 7.3.0, 7.4.0 Jan 20, 2025
@gabriellsh gabriellsh marked this pull request as draft January 20, 2025 21:12
@pierre-lehnen-rc (Contributor) left a comment

To reinforce, this SHOULD not impact any existing features or "unintended use", since scoped roles are ignored when checking global permissions.

This premise mentioned in the PR description is not true, at least not for the backend side. If a scoped role is assigned to a user globally, its permissions will be granted globally.

It makes sense to block certain roles such as owner from being assigned globally, as they are specifically designed to give permissions to a room's owner. At the same time, there are other scoped roles such as moderator that could work both ways, allowing a user to moderate a specific room and other users to moderate an entire workspace.
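The following is an added example, not Rocket.Chat code and not from any participant in this thread. It models the role filter from the review snippet in the three forms discussed there (find + isTruthy, some, and a precomputed Set) and, for the caveat in the comment above, reports which of a user's existing roles the filter would silently drop on the next save, which matters if the backend still grants a globally assigned scoped role's permissions globally. The `scope` field name and values, the `isTruthy` stand-in, and all sample data are assumptions constructed for the example.

```typescript
// Added example, not Rocket.Chat code. Models the role filter from the PR
// snippet and the two reviewer alternatives, plus a check for the caveat
// raised in review: a scoped role already assigned globally is silently
// removed by the filter the next time the admin form is saved.

// Assumed shape: the `scope` field name and its values are an assumption
// for this example, not taken from the project.
type Role = { _id: string; scope: 'Users' | 'Subscriptions' };

// Stand-in for the project's isTruthy helper (assumption: a plain truthiness type guard).
function isTruthy<T>(value: T | undefined | null | false): value is T {
  return Boolean(value);
}

// Variant 1, as in the PR snippet: find() then isTruthy().
function filterWithFind(userRoles: string[], availableRoles: Role[]): string[] {
  return userRoles.filter((role) => isTruthy(availableRoles.find(({ _id }) => _id === role)));
}

// Variant 2, the reviewer's suggestion: some() returns a boolean directly and reads better.
function filterWithSome(userRoles: string[], availableRoles: Role[]): string[] {
  return userRoles.filter((role) => availableRoles.some(({ _id }) => _id === role));
}

// Variant 3, the Set alternative: one pass to build the Set, then O(1) membership checks.
function filterWithSet(userRoles: string[], availableRoles: Role[]): string[] {
  const available = new Set(availableRoles.map(({ _id }) => _id));
  return userRoles.filter((role) => available.has(role));
}

// The caveat: which roles does the filter remove? If the backend still honours
// scoped roles assigned globally, these are effective permissions that the
// admin form would revoke without the administrator seeing it.
function rolesDroppedByFilter(userRoles: string[], availableRoles: Role[]): string[] {
  const kept = new Set(filterWithSet(userRoles, availableRoles));
  return userRoles.filter((role) => !kept.has(role));
}

// Constructed sample data (not from the PR or the project).
const sampleRoles: Role[] = [
  { _id: 'admin', scope: 'Users' },
  { _id: 'user', scope: 'Users' },
  { _id: 'owner', scope: 'Subscriptions' },
  { _id: 'moderator', scope: 'Subscriptions' },
];
// What the admin page would offer after this PR: only non-scoped roles.
const adminAssignableRoles: Role[] = sampleRoles.filter((r) => r.scope === 'Users');
// A user who was previously given scoped roles globally through the admin page.
const sampleUserRoles: string[] = ['user', 'moderator', 'admin', 'owner'];

// Runs all three variants on the sample, confirms they agree, and lists the dropped roles.
function demo(): { kept: string[]; dropped: string[]; variantsAgree: boolean } {
  const kept = filterWithSome(sampleUserRoles, adminAssignableRoles);
  const viaFind = JSON.stringify(filterWithFind(sampleUserRoles, adminAssignableRoles));
  const viaSet = JSON.stringify(filterWithSet(sampleUserRoles, adminAssignableRoles));
  return {
    kept,
    dropped: rolesDroppedByFilter(sampleUserRoles, adminAssignableRoles),
    variantsAgree: viaFind === JSON.stringify(kept) && viaSet === JSON.stringify(kept),
  };
}

console.log(demo());
```

On the sample data all three variants keep `user` and `admin` and drop `moderator` and `owner`; the dropped list is the signal a maintainer would want surfaced (or logged) before the form overwrites the user's roles, rather than relying on the hidden select to discard them silently.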

@scuciatto scuciatto modified the milestones: 7.4.0, 7.5.0 Feb 19, 2025
@gabriellsh gabriellsh changed the title fix: Scoped roles are assignable through admin users page fix!: Scoped roles are assignable through admin users page Feb 21, 2025
@gabriellsh (Member, author) commented:

As @pierre-lehnen-rc commented, scoped roles assigned globally have different behaviors between FE & BE. We should first normalize this and make them work similarly before we can decide if we should move on with this.

Flagged this as a breaking change for now.

@scuciatto scuciatto modified the milestones: 7.5.0, 7.6.0 Mar 24, 2025
@scuciatto scuciatto modified the milestones: 7.6.0, 7.7.0 Apr 21, 2025
@scuciatto scuciatto removed this from the 7.7.0 milestone May 12, 2025