refactor(client): factor out hasPermission / hasRole into pure factory

[ggazzo]

Summary

The client-side `hasPermission` / `hasAllPermission` / `hasAtLeastOnePermission` / `hasRole` / `userHasAllPermission` helpers used to reach into `Users`, `Permissions`, `Roles`, `Subscriptions`, `PermissionsCachedStore` and `userIdStore` through Meteor's Tracker bridge (`meteor/watch.ts`). The reactivity ran through `Tracker.autorun` inside `AuthorizationProvider`'s `createReactiveSubscriptionFactory` wrapper.

Split the helpers into two layers:

• `apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts` — pure factory. Takes accessors (`getCurrentUserId`, `getUserRoles`, `getPermission`, `getRoleScope`, `hasSubscriptionRole`, `isReady`) and returns the five functions. No store, no Meteor, no Tracker — trivially testable in isolation.
• `apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts` — binds the factory to live zustand store accessors via `getState()`. Each exported function reads fresh state on every call, so non-React callers (services, lib code, startup scripts) keep their previous "always-reflects-the-current-store" behaviour without going through Tracker.

`apps/meteor/app/authorization/client/hasPermission.ts` and `hasRole.ts` now just re-export the singleton's methods, so the 24 existing client callers do not change.

`apps/meteor/client/providers/AuthorizationProvider.tsx` no longer uses `createReactiveSubscriptionFactory`. It observes the four backing stores via `useSyncExternalStore` and feeds the snapshots into `createAuthorizationFunctions` inside `useMemo`; the context value's `getSnapshot` calls the resulting functions. The `subscribe` slot is a no-op because each store transition re-renders the provider, which rebuilds the context value, which is what React consumers ultimately observe.

No behaviour change for callers. The remaining `meteor/watch.ts` consumer (`client/lib/settings/settings.ts`) is migrated separately.

Test plan

• `yarn eslint` on the 5 changed files: 0 errors.
• `tsc --noEmit` on `apps/meteor` is clean.
• Manual: admin removes a permission from a role → buttons gated by that permission disappear without a reload (provider re-renders via `useSyncExternalStore` on `Permissions.use` changes).
• Manual: admin removes a role from the current user → role-gated UI updates without a reload.
• Manual: assign a Subscription-scoped role to a user via a room → `hasRole(uid, role, rid)` returns true in the affected room.
• Manual: smoke-test the 24 client callers via normal flows (room creation gating, slash commands, livechat sidenav, message editing, etc.).

Task: ARCH-2142

Summary by CodeRabbit

• New Features
  • Added a reusable authorization factory and a live authorization binding for non-React callers.
• Refactor
  • Centralized and unified authorization logic for role and permission checks.
  • Authorization provider updated to use store-backed evaluation and deliver consistent, reactive authorization queries.
  • Permission and role check utilities now re-export from the shared implementation for consistent behavior across callers.

[ggazzo]

/jira ARCH-2116

[changeset-bot]

⚠️ No Changeset found

Latest commit: 239e52f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e19671c1-842d-4745-93db-654e019d74b7

📥 Commits

Reviewing files that changed from the base of the PR and between 3f257ad and 239e52f.

📒 Files selected for processing (1)

• apps/meteor/client/providers/AuthorizationProvider.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/client/providers/AuthorizationProvider.tsx

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 🚢 Build Docker (amd64, account-service, presence-service, omnichannel-transcript-service, cove...
• GitHub Check: 🚢 Build Docker (arm64, rocketchat, coverage)
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build
• GitHub Check: 🔎 Code Check / Code Lint

---

Walkthrough

Authorization logic was extracted into a dependency-injected factory, bound to live zustand store accessors for non-React callers, client modules were reduced to thin re-exports of the live binding, and the React provider was updated to use store snapshots with the new factory.

Changes

Authorization Architecture Refactor

Layer / File(s)	Summary
Authorization Factory with Injected Dependencies apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts	New createAuthorizationFunctions factory exports AuthorizationDeps (injected accessors for user, roles, permissions, role scope, subscriptions, readiness) and AuthorizationFunctions (public checks: hasRole, hasAllPermission, hasAtLeastOnePermission, aliased hasPermission, userHasAllPermission). Implements scope-aware role checks, quantified permission evaluation with role filtering, and early validation gating.
Live Store Binding and Client Refactoring apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts, apps/meteor/app/authorization/client/hasPermission.ts, apps/meteor/app/authorization/client/hasRole.ts	Adds liveAuthorizationFunctions that implements AuthorizationDeps using live zustand store accessors and exports createAuthorizationFunctions(liveDeps). Simplifies hasPermission.ts and hasRole.ts to thin re-exports from the live binding.
Provider Integration with Store Snapshots apps/meteor/client/providers/AuthorizationProvider.tsx	AuthorizationProvider now builds authorization helpers via createAuthorizationFunctions using useSyncExternalStore snapshots for Users, Permissions, Roles, and per-call Subscriptions lookups, and exposes context query methods as [subscribe, selector] tuples delegating to the memoized auth helpers.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• tassoevan

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main refactoring: extracting authorization permission and role checking logic into a pure factory function, which is the core change across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• ARCH-2142: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts (1)

7-11: ⚡ Quick win

Drop the explanatory block comment.

This module-level prose describes intent rather than encoding it. The rationale fits better in the PR description or commit message; readers can infer the live-binding behavior from liveDeps and the factory call.

♻️ Proposed cleanup

-// Bind the pure factory to live zustand store accessors. Each accessor reads
-// fresh state on every call, so non-React callers (services, lib code, startup
-// scripts) keep their previous "always reflects the current store" contract
-// without going through Meteor's Tracker. React consumers should use the
-// AuthorizationContext instead, which injects React-reactive snapshots.
 const liveDeps: AuthorizationDeps = {

As per coding guidelines: "Avoid code comments in the implementation".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts` around
lines 7 - 11, Remove the module-level explanatory block comment at the top of
liveAuthorizationFunctions.ts; the rationale belongs in the PR/commit message,
not code. Keep the implementation as-is (the live binding is already expressed
by liveDeps and the factory invocation), so delete the multi-line prose and
leave only the code that defines liveDeps and the factory call (and keep short,
factual comments only if needed near liveDeps or AuthorizationContext).

apps/meteor/client/providers/AuthorizationProvider.tsx (1)

27-30: ⚡ Quick win

Remove the inline rationale block inside the component body.

The behavior is already clear from the four useSyncExternalStore calls below and the memoized auth/contextValue. Implementation-level prose belongs in the PR description, not in the render body.

♻️ Proposed cleanup

-	// Reactive snapshots of every store the authorization helpers read. The
-	// provider re-renders whenever any of them change, and the new context
-	// value (memoized below) flows down so consumers re-render through React
-	// instead of through Tracker.
 	const usersState = useSyncExternalStore(Users.use.subscribe, () => Users.use.getState());

As per coding guidelines: "Avoid code comments in the implementation".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/client/providers/AuthorizationProvider.tsx` around lines 27 - 30,
Remove the inline rationale comment block inside the AuthorizationProvider
component body; keep the four useSyncExternalStore calls and the memoized
auth/contextValue logic intact, but delete the explanatory prose that sits in
the render body (i.e., the comment describing reactive snapshots and why the
provider re-renders) so implementation-level commentary is removed from the
component and can live in the PR description instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts`:
- Around line 7-11: Remove the module-level explanatory block comment at the top
of liveAuthorizationFunctions.ts; the rationale belongs in the PR/commit
message, not code. Keep the implementation as-is (the live binding is already
expressed by liveDeps and the factory invocation), so delete the multi-line
prose and leave only the code that defines liveDeps and the factory call (and
keep short, factual comments only if needed near liveDeps or
AuthorizationContext).

In `@apps/meteor/client/providers/AuthorizationProvider.tsx`:
- Around line 27-30: Remove the inline rationale comment block inside the
AuthorizationProvider component body; keep the four useSyncExternalStore calls
and the memoized auth/contextValue logic intact, but delete the explanatory
prose that sits in the render body (i.e., the comment describing reactive
snapshots and why the provider re-renders) so implementation-level commentary is
removed from the component and can live in the PR description instead.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6ad4f82-ea37-4479-8691-b14a940356c1

📥 Commits

Reviewing files that changed from the base of the PR and between 6b2afb3 and a07381f.

📒 Files selected for processing (5)

• apps/meteor/app/authorization/client/hasPermission.ts
• apps/meteor/app/authorization/client/hasRole.ts
• apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts
• apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts
• apps/meteor/client/providers/AuthorizationProvider.tsx

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/authorization/client/hasRole.ts
• apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts
• apps/meteor/app/authorization/client/hasPermission.ts
• apps/meteor/client/providers/AuthorizationProvider.tsx
• apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts

🧠 Learnings (4)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/authorization/client/hasRole.ts
• apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts
• apps/meteor/app/authorization/client/hasPermission.ts
• apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/authorization/client/hasRole.ts
• apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts
• apps/meteor/app/authorization/client/hasPermission.ts
• apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/authorization/client/hasRole.ts
• apps/meteor/app/authorization/client/liveAuthorizationFunctions.ts
• apps/meteor/app/authorization/client/hasPermission.ts
• apps/meteor/client/providers/AuthorizationProvider.tsx
• apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• apps/meteor/client/providers/AuthorizationProvider.tsx

🔇 Additional comments (5)

apps/meteor/app/authorization/lib/createAuthorizationFunctions.ts (1)

1-101: LGTM!

apps/meteor/client/providers/AuthorizationProvider.tsx (2)

31-47: LGTM!

---

51-67: ⚡ Quick win

No action needed; the scope handling is correct and intentional.

The review comment flagged an apparent inconsistency: queryRole passes scope directly to auth.hasRole() without coercing it to String(), while queryPermission, queryAtLeastOnePermission, and queryAllPermissions all coerce via scope ? String(scope) : undefined.

However, the type definitions show this difference is justified: queryRole's scope parameter is typed as IRoom['_id'], which resolves to string (or Branded<string> in the federated variant). The other three methods accept scope?: string | ObjectId. Since queryRole is semantically scoped to rooms and room IDs are always strings, no coercion is needed. The inconsistency in coercion reflects intentional type-level narrowing, not a bug.

apps/meteor/app/authorization/client/hasRole.ts (1)

1-3: LGTM!

apps/meteor/app/authorization/client/hasPermission.ts (1)

1-3: LGTM!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.61%. Comparing base (0ae9ab0) to head (3f257ad).
⚠️ Report is 4 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #40493   +/-   ##
========================================
  Coverage    69.61%   69.61%           
========================================
  Files         3324     3322    -2     
  Lines       122651   122612   -39     
  Branches     21864    21851   -13     
========================================
- Hits         85381    85361   -20     
+ Misses       33939    33915   -24     
- Partials      3331     3336    +5     

Flag	Coverage Δ
unit	70.33% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.