regression: validate the subscription status on unban

[sampaiodiego]

Proposed changes (including videos or screenshots)

Issue(s)

Introduced by #40114
FGA-65

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Bug Fixes
  • Improved error handling during user unban operations in rooms. The system now correctly distinguishes between invite subscriptions and other non-banned subscription states, and returns an appropriate error message when attempting to unban users who were not actually banned from the room, ensuring more reliable operations.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4cae30d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The executeUnbanUserFromRoom function now explicitly handles three subscription states: invite subscriptions (save message and return), banned subscriptions (proceed with unban), and invalid states (throw error). This clarifies control flow and prevents unban operations on non-banned subscriptions.

Changes

Cohort / File(s)	Summary
Unban Logic Refinement apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts	Added isInviteSubscription import and conditional checks to distinguish invite subscriptions from banned subscriptions. Early return for invites, error throw for invalid states, and unban operations restricted to banned subscriptions only.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'regression: validate the subscription status on unban' directly reflects the main change: adding validation of subscription status during the unban operation to distinguish invite subscriptions from other non-banned states.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.79%. Comparing base (2632182) to head (4cae30d).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40237      +/-   ##
===========================================
- Coverage    69.84%   69.79%   -0.06%     
===========================================
  Files         3296     3296              
  Lines       119161   119165       +4     
  Branches     21460    21467       +7     
===========================================
- Hits         83233    83175      -58     
- Misses       32627    32693      +66     
+ Partials      3301     3297       -4     

Flag	Coverage Δ
e2e	59.80% <ø> (+0.02%)	⬆️
e2e-api	46.21% <ø> (-0.08%)	⬇️
unit	70.50% <ø> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts (1)

23-25: Remove implementation comments.

These comments encode behavior narrative in the implementation; prefer making the branch explicit via naming/tests instead.

♻️ Proposed cleanup

-	// if the subscription is an invite it means we were unbanned and then invited again, then
-	// the invite was accepted and we receive a leave event (meaning the user was unbanned), so
-	// at this point we just need send the message to say the user was unbanned.
 	if (isInviteSubscription(subscription)) {
 		await Message.saveSystemMessage('user-unbanned', rid, user.username, user, {
 			u: { _id: byUser._id, username: byUser.username },
 		});
@@
-	// if the subscription exists and is not an invite and not banned
 	if (!isBannedSubscription(subscription)) {
 		throw new Error('error-user-not-banned');
 	}

As per coding guidelines, **/*.{ts,tsx,js} should “Avoid code comments in the implementation”.

Also applies to: 34-34

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts` around
lines 23 - 25, Remove the narrative implementation comment block in
executeUnbanUserFromRoom.ts and instead make the branch intent explicit:
introduce a clearly named boolean or helper (e.g., wasInviteThenAccepted or
isUnbanViaInvite) used in the branch that currently has the comment so the code
documents the behavior without inline comments; update or add a unit/integration
test that covers the "invite-then-accepted -> leave -> unbanned" scenario to
ensure the behavior is explicit and covered.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts`:
- Around line 26-31: The isInviteSubscription branch in executeUnbanUserFromRoom
is allowing invited-but-never-banned users to create false 'user-unbanned'
messages; update executeUnbanUserFromRoom to first verify the target user was
actually banned before writing the system message (e.g., query the room
membership/ban record for previous ban state) and only call
Message.saveSystemMessage('user-unbanned', ...) when a prior ban is confirmed;
alternatively, if this branch must remain for federation/leave-event recovery,
add an explicit gate (a federation or leave-event flag passed into
unbanUserFromRoom/executeUnbanUserFromRoom) so isInviteSubscription is only used
in that trusted recovery context and not for ordinary invites.

---

Nitpick comments:
In `@apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts`:
- Around line 23-25: Remove the narrative implementation comment block in
executeUnbanUserFromRoom.ts and instead make the branch intent explicit:
introduce a clearly named boolean or helper (e.g., wasInviteThenAccepted or
isUnbanViaInvite) used in the branch that currently has the comment so the code
documents the behavior without inline comments; update or add a unit/integration
test that covers the "invite-then-accepted -> leave -> unbanned" scenario to
ensure the behavior is explicit and covered.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a64a02f5-6111-4ecf-b705-9b91387eba7a

📥 Commits

Reviewing files that changed from the base of the PR and between 2632182 and 4cae30d.

📒 Files selected for processing (1)

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (2/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (4/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (1/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (3/4)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (3/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (2/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (4/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (5/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (1/5)
• GitHub Check: 🔨 Test API Livechat (EE) / MongoDB 8.0 coverage (1/1)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

🧠 Learnings (13)

📓 Common learnings

Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:891-899
Timestamp: 2026-03-15T14:31:23.493Z
Learning: In RocketChat/Rocket.Chat, `IUser.inactiveReason` in `packages/core-typings/src/IUser.ts` is typed as `'deactivated' | 'pending_approval' | 'idle_too_long'` (optional, no `null`), but the database stores `null` for newly created users. The Typia-generated `$ref: '#/components/schemas/IUser'` schema therefore correctly rejects `null` for `inactiveReason`. This causes the test "should create a new user with default roles" to fail when response validation is active (TEST_MODE). The fix is to add `| null` to `inactiveReason` in core-typings and rebuild Typia schemas in a separate PR. Do not flag this test failure as a bug introduced by the users.create OpenAPI migration (PR `#39647`). Do not suggest inlining a custom schema to work around it, as migration rules require using `$ref` when a Typia schema exists.

Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 37532
File: ee/packages/federation-matrix/src/FederationMatrix.ts:920-927
Timestamp: 2025-12-09T20:01:07.355Z
Learning: In Rocket.Chat's federation invite handling (ee/packages/federation-matrix/src/FederationMatrix.ts), when a user rejects an invite via federationSDK.rejectInvite(), the subscription cleanup happens automatically through an event-driven flow: Matrix emits a leave event back, which is processed by handleLeave() in ee/packages/federation-matrix/src/events/member.ts, and that function calls Room.performUserRemoval() to clean up the subscription. No explicit cleanup is needed in the reject branch of handleInvite() because the leave event handler takes care of it.
<!-- </add_learning>

Learnt from: Harxhit
Repo: RocketChat/Rocket.Chat PR: 39476
File: apps/meteor/server/methods/addAllUserToRoom.ts:0-0
Timestamp: 2026-03-09T18:39:21.178Z
Learning: In apps/meteor/server/methods/addAllUserToRoom.ts, the implementation uses a single cursor pass (Users.find(userFilter).batchSize(100)) that collects both the full user objects (collectedUsers: IUser[]) and their usernames (usernames: string[]) in one iteration. `beforeAddUserToRoom` is then called once with the full usernames batch (preserving batch-validation semantics), and the subsequent subscription/message processing loop iterates over the same stable `collectedUsers` array — no second DB query is made. This avoids any race condition between validation and processing while preserving the original batch-validation behavior.

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

📚 Learning: 2026-03-09T18:39:21.178Z

Learnt from: Harxhit
Repo: RocketChat/Rocket.Chat PR: 39476
File: apps/meteor/server/methods/addAllUserToRoom.ts:0-0
Timestamp: 2026-03-09T18:39:21.178Z
Learning: In apps/meteor/server/methods/addAllUserToRoom.ts, the implementation uses a single cursor pass (Users.find(userFilter).batchSize(100)) that collects both the full user objects (collectedUsers: IUser[]) and their usernames (usernames: string[]) in one iteration. `beforeAddUserToRoom` is then called once with the full usernames batch (preserving batch-validation semantics), and the subsequent subscription/message processing loop iterates over the same stable `collectedUsers` array — no second DB query is made. This avoids any race condition between validation and processing while preserving the original batch-validation behavior.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2025-12-09T20:01:07.355Z

Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 37532
File: ee/packages/federation-matrix/src/FederationMatrix.ts:920-927
Timestamp: 2025-12-09T20:01:07.355Z
Learning: In Rocket.Chat's federation invite handling (ee/packages/federation-matrix/src/FederationMatrix.ts), when a user rejects an invite via federationSDK.rejectInvite(), the subscription cleanup happens automatically through an event-driven flow: Matrix emits a leave event back, which is processed by handleLeave() in ee/packages/federation-matrix/src/events/member.ts, and that function calls Room.performUserRemoval() to clean up the subscription. No explicit cleanup is needed in the reject branch of handleInvite() because the leave event handler takes care of it.
<!-- </add_learning>

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-03-11T22:04:20.529Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2025-11-04T16:49:19.107Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-04-18T12:32:50.305Z

Learnt from: rodrigok
Repo: RocketChat/Rocket.Chat PR: 38623
File: apps/meteor/app/lib/server/functions/cleanRoomHistory.ts:146-149
Timestamp: 2026-04-18T12:32:50.305Z
Learning: In `apps/meteor/app/lib/server/functions/cleanRoomHistory.ts` (PR `#38623`), the read-receipt cleanup (both `ReadReceipts.removeByMessageIds` and `ReadReceiptsArchive.removeByMessageIds`) is intentionally only performed in the limited prune path (`limit && selectedMessageIds`). The unlimited/delete-all path (`limit === 0`) deliberately skips cleaning up orphaned read receipts in both hot and cold storage — this is by design. Do not flag this as a bug or missing cleanup in future reviews.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-04-17T18:33:24.670Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39858
File: apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts:123-151
Timestamp: 2026-04-17T18:33:24.670Z
Learning: In RocketChat/Rocket.Chat (`apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts`), `executeBlockActionHandler` invocations originating from a **modal** surface intentionally do NOT include a `block_action_room` (room property) in the interaction payload. Modals are not scoped to a room, so no room id is available in that context. Do not flag the absence of a room assertion in the modal block-action test as a missing coverage bug; instead, document it explicitly with a `test.step` asserting the room entry is `undefined`.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-01-17T01:51:47.764Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2025-09-25T09:59:26.461Z

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: UserBridge.doGetUserRoomIds in packages/apps-engine/src/server/bridges/UserBridge.ts has a bug where it implicitly returns undefined when the app lacks read permission (missing return statement in the else case of the permission check).

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts

🔇 Additional comments (2)

apps/meteor/app/lib/server/functions/executeUnbanUserFromRoom.ts (2)

2-2: LGTM: precise guard import.

isInviteSubscription is the right local guard for the new branch, and IUser remains type-only.

---

35-37: Good: reject remaining non-banned states.

After the special invite branch, throwing error-user-not-banned prevents active/non-banned subscriptions from going through the destructive unban path.