fix: add permission check to the autotransate.translateMessage endpoint

[julio-rocketchat]

Proposed changes (including videos or screenshots)

The autotranslate.translateMessage endpoint doesn't check if the user can access the room before proceeding with the translation. This could lead to attackers exploiting this endpoint to retrieve data they don't have access to. The issue, however, is medium to low severity since there's no trivial way of getting message IDs for private rooms and translation would have to be enabled and configured in the workspace.

This PR adds a canAccessRoomAsync check to the endpoint and an E2E test to ensure that it will return 403 Forbidden if the user is not part of the room.

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-372

Steps to test or reproduce

• N/A

Further comments

• N/A

Summary by CodeRabbit

• Bug Fixes
  • The auto-translate endpoint now validates user access to the room containing the message before processing translations. Unauthorized access requests will return a 403 Forbidden response.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: b18adfd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-composer	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 87ec7e55-6b73-4ce7-8634-997f83d08c23

📥 Commits

Reviewing files that changed from the base of the PR and between 082c2ec and b18adfd.

📒 Files selected for processing (3)

• .changeset/shaggy-kiwis-burn.md
• apps/meteor/app/api/server/v1/autotranslate.ts
• apps/meteor/tests/end-to-end/api/autotranslate.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 🔎 Code Check / Code Lint
• GitHub Check: 🔎 Code Check / TypeScript
• GitHub Check: 🔨 Test Unit / Unit Tests
• GitHub Check: 🔨 Test Storybook / Test Storybook
• GitHub Check: 📦 Meteor Build (coverage)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/api/server/v1/autotranslate.ts
• apps/meteor/tests/end-to-end/api/autotranslate.ts

🧠 Learnings (6)

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/shaggy-kiwis-burn.md

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/autotranslate.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/autotranslate.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/api/server/v1/autotranslate.ts
• apps/meteor/tests/end-to-end/api/autotranslate.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/api/server/v1/autotranslate.ts
• apps/meteor/tests/end-to-end/api/autotranslate.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/api/server/v1/autotranslate.ts
• apps/meteor/tests/end-to-end/api/autotranslate.ts

🔇 Additional comments (3)

.changeset/shaggy-kiwis-burn.md (1)

1-5: LGTM!

apps/meteor/app/api/server/v1/autotranslate.ts (1)

2-2: LGTM!

Also applies to: 7-7, 12-12, 129-129, 145-148

apps/meteor/tests/end-to-end/api/autotranslate.ts (1)

377-434: LGTM!

---

Walkthrough

This PR adds room access validation to the autotranslate.translateMessage API endpoint. The endpoint now checks whether the caller can access the room before translating a message, returning a 403 Forbidden response if access is denied. End-to-end tests verify the new authorization behavior.

Changes

Autotranslate room access authorization

Layer / File(s)	Summary
Changelog entry .changeset/shaggy-kiwis-burn.md	Patch version bump note documenting the addition of room access checks to the autotranslate endpoint.
API endpoint authorization guard apps/meteor/app/api/server/v1/autotranslate.ts	Imports canAccessRoomAsync and validateForbiddenErrorResponse; extends the endpoint response schema to include a 403 forbidden mapping; adds an authorization guard that loads the message's room and returns API.v1.forbidden() if the room is missing or the user cannot access it.
Room access test coverage apps/meteor/tests/end-to-end/api/autotranslate.ts	New test suite for the room access check: creates a private room and message owned by one user, then verifies that a second user receives a 403 Forbidden response when attempting to translate the message.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a permission check to the autotranslate.translateMessage endpoint, which is the primary fix across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• VLN-372: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.63%. Comparing base (082c2ec) to head (b18adfd).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40508      +/-   ##
===========================================
+ Coverage    69.60%   69.63%   +0.03%     
===========================================
  Files         3323     3323              
  Lines       122610   122610              
  Branches     21872    21872              
===========================================
+ Hits         85347    85384      +37     
+ Misses       33933    33889      -44     
- Partials      3330     3337       +7     

Flag	Coverage Δ
e2e	59.10% <ø> (+0.06%)	⬆️
e2e-api	47.14% <ø> (+0.82%)	⬆️
unit	70.35% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[julio-rocketchat]

/backport 8.4.2

[dionisio-bot]

Pull request #40547 added to Project: "Patch 8.4.2"

[julio-rocketchat]

/backport 8.3.4

[dionisio-bot]

Pull request #40548 added to Project: "Patch 8.3.4"

[julio-rocketchat]

/backport 8.2.4

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.2.4-40508
git cherry-pick ab4df958e947c9239f61efd85ac8acef9a7a189b
// solve the conflict
git push

after that just run /backport 8.2.4 again

[julio-rocketchat]

/backport 8.2.4

[dionisio-bot]

Pull request #40549 added to Project: "Patch 8.2.4"

[julio-rocketchat]

/backport 8.1.5

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.1.5-40508
git cherry-pick ab4df958e947c9239f61efd85ac8acef9a7a189b
// solve the conflict
git push

after that just run /backport 8.1.5 again

[julio-rocketchat]

/backport 8.1.5

[dionisio-bot]

Pull request #40550 added to Project: "Patch 8.1.5"

[julio-rocketchat]

/backport 8.0.6

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.0.6-40508
git cherry-pick ab4df958e947c9239f61efd85ac8acef9a7a189b
// solve the conflict
git push

after that just run /backport 8.0.6 again

[julio-rocketchat]

/backport 8.0.6

[dionisio-bot]

Pull request #40551 added to Project: "Patch 8.0.6"

[julio-rocketchat]

/backport 7.13.8

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.13.8-40508
git cherry-pick ab4df958e947c9239f61efd85ac8acef9a7a189b
// solve the conflict
git push

after that just run /backport 7.13.8 again

[julio-rocketchat]

/backport 7.13.8

[dionisio-bot]

Pull request #40552 added to Project: "Patch 7.13.8"

[julio-rocketchat]

/backport 7.10.12

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.10.12-40508
git cherry-pick ab4df958e947c9239f61efd85ac8acef9a7a189b
// solve the conflict
git push

after that just run /backport 7.10.12 again

[julio-rocketchat]

/backport 7.10.12

[dionisio-bot]

Pull request #40553 added to Project: "Patch 7.10.12"