
fix: ensures the translateMessage Meteor method validates access and type#40528

Merged
dionisio-bot[bot] merged 2 commits into develop from validate-access-translatemessage-meteormethod on May 14, 2026

Conversation

@julio-rocketchat

@julio-rocketchat julio-rocketchat commented May 14, 2026

Member

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-374

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Bug Fixes

    • Strengthened server-side validation for message translation: ensures callers are authenticated, validates inputs, verifies message existence, and enforces room access permissions to prevent unauthorized translations and return clearer errors.
  • Tests

    • Added end-to-end tests for the translation method covering invalid input, unauthorized access, and expected error responses.

Review Change Stack

@julio-rocketchat julio-rocketchat requested a review from a team as a code owner May 14, 2026 13:03
@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented May 14, 2026


🦋 Changeset detected

Latest commit: cfbf57d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/models Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/server-fetch Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-composer Patch


@coderabbitai

coderabbitai Bot commented May 14, 2026

Contributor

Walkthrough

The PR hardens the autoTranslate.translateMessage DDP method by adding server-side user authentication, argument validation, message/room resolution, and room access checks before translation. End-to-end tests assert error responses for invalid input and unauthorized callers.

Changes

autoTranslate.translateMessage server-side authorization

Layer: Method server-side validation and authorization
File(s): apps/meteor/app/autotranslate/server/methods/translateMessage.ts, .changeset/neat-trams-juggle.md
Summary: Adds imports, requires a logged-in user, validates message?._id and targetLanguage, fetches the message and room, verifies access via canAccessRoomAsync, and calls translateMessage with the fetched message; throws error-invalid-user, error-message-not-found, or error-not-allowed. Release notes updated.

Layer: Test coverage for method validation and access control
File(s): apps/meteor/tests/end-to-end/api/autotranslate.ts
Summary: Adds methodCall import and a new method-call test suite that sets up users and a private room/message, then verifies invalid messageId and non-member caller return HTTP 400 with the expected error payloads.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40508: Adds complementary server-side room access checks to the autoTranslate.translateMessage HTTP API endpoint alongside this DDP method hardening.

Suggested labels

type: bug

Suggested reviewers

  • ricardogarim
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding validation for access and input types to the translateMessage Meteor method, which is the core focus of all three modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • VLN-374: Request failed with status code 401


cardoso
cardoso previously approved these changes May 14, 2026
@julio-rocketchat julio-rocketchat added this to the 8.5.0 milestone May 14, 2026
@codecov

codecov Bot commented May 14, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.62%. Comparing base (055ca13) to head (cfbf57d).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #40528      +/-   ##
===========================================
+ Coverage    69.61%   69.62%   +0.01%     
===========================================
  Files         3324     3324              
  Lines       122657   122657              
  Branches     21855    21847       -8     
===========================================
+ Hits         85384    85406      +22     
+ Misses       33936    33919      -17     
+ Partials      3337     3332       -5     
Flag Coverage Δ
e2e 59.21% <ø> (+<0.01%) ⬆️
e2e-api 46.23% <ø> (-0.06%) ⬇️
unit 70.32% <ø> (+0.01%) ⬆️


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
apps/meteor/tests/end-to-end/api/autotranslate.ts (2)

479-499: 💤 Low value

Consider clarifying the test name.

The test name states "when messageId is not a string" but the actual test sends { _id: { $gt: '' } } as the first parameter. This tests both type validation (the _id property should be a string) and NoSQL injection prevention (rejecting MongoDB operators). Consider a more descriptive name such as "should fail when message parameter _id is not a string" or "should reject invalid types and operators in message _id" to better reflect what is being tested.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/autotranslate.ts` around lines 479 - 499,
Rename the test's description string in the it(...) block that calls
methodCall('autoTranslate.translateMessage') to more accurately reflect what's
being asserted; for example change "should fail when messageId is not a string"
to "should fail when message parameter _id is not a string" or "should reject
invalid types and operators in message _id" so the intent of validating the
message.params[0]._id (and rejecting MongoDB operator objects like { $gt: '' })
is clear.

437-523: ⚡ Quick win

Consider adding a positive test case for the method endpoint.

The new test suite covers error scenarios (invalid input and unauthorized access) which aligns with the PR objectives. However, adding at least one positive test case where an authorized room member successfully calls the method with valid parameters would provide more complete coverage of the method endpoint's behavior and ensure the happy path works correctly.

Example test structure
it('should successfully translate message when user is a room member with valid parameters', (done) => {
  void request
    .post(methodCall('autoTranslate.translateMessage'))
    .set(credA)
    .send({
      message: JSON.stringify({
        msg: 'method',
        id: 'id',
        method: 'autoTranslate.translateMessage',
        params: [{ _id: privateMessage._id }, 'en'],
      }),
    })
    .expect('Content-Type', 'application/json')
    .expect(200)
    .expect((res) => {
      expect(res.body).to.have.a.property('success', true);
    })
    .end(done);
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/autotranslate.ts` around lines 437 - 523,
Add a positive "happy path" test that verifies an authorized room member can
successfully call autoTranslate.translateMessage with valid params: use the
existing credA credentials and privateMessage._id (as used in the failing tests)
to POST to methodCall('autoTranslate.translateMessage') with params [{ _id:
privateMessage._id }, 'en'] and assert a 200 response and res.body.success ===
true; place this new it(...) alongside the other tests in the same describe
block so it runs after the setup in before() and before teardown in after().

📥 Commits

Reviewing files that changed from the base of the PR and between 5b130cf and cfbf57d.

📒 Files selected for processing (1)
  • apps/meteor/tests/end-to-end/api/autotranslate.ts
🔇 Additional comments (2)
apps/meteor/tests/end-to-end/api/autotranslate.ts (2)

6-6: LGTM!


501-522: LGTM!
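The check sequence the walkthrough above attributes to the hardened method (logged-in caller, argument types, message existence, room access via canAccessRoomAsync, translation of the fetched message) together with the `{ _id: { $gt: '' } }` case raised in the first nitpick, as a self-contained JavaScript model. This is an added example, not code from Rocket.Chat or from this PR: the in-memory rooms and messages, `canAccessRoom` (a membership-only stand-in for canAccessRoomAsync), `doTranslate`, `callMethod` and the `error-invalid-params` id used for the type-check failure are assumptions, and the model is synchronous where the real method is async.

```javascript
// Added example, not Rocket.Chat's code: a minimal model of the hardened
// autoTranslate.translateMessage method described in the PR walkthrough.
// Store, rooms, the access check and the translation call are constructed
// stand-ins; the real method uses the Messages/Rooms models and
// canAccessRoomAsync, and is async.

class MethodError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error; // error id as carried in the DDP error payload
  }
}

// Constructed sample data: one private room whose only member is user-a.
const rooms = new Map([
  ['room-p', { _id: 'room-p', t: 'p', members: new Set(['user-a']) }],
]);
const messages = new Map([
  ['msg-1', { _id: 'msg-1', rid: 'room-p', msg: 'hola' }],
]);

// Stand-in for canAccessRoomAsync (assumption: membership only; the real
// check also considers room type and permissions).
function canAccessRoom(room, userId) {
  return room.members.has(userId);
}

// Stand-in for the translation service: tags the text with the language.
function doTranslate(message, targetLanguage) {
  return {
    ...message,
    translations: { [targetLanguage]: `[${targetLanguage}] ${message.msg}` },
  };
}

function translateMessage(userId, message, targetLanguage) {
  // 1. The caller must be logged in.
  if (!userId) {
    throw new MethodError('error-invalid-user', 'Invalid user');
  }
  // 2. Argument types, checked before any query: only a plain string id is
  //    accepted, so an operator object such as { $gt: '' } never reaches
  //    the database. (The error id here is an assumption; the page does
  //    not state which id the real method uses for this case.)
  if (typeof message?._id !== 'string' || typeof targetLanguage !== 'string') {
    throw new MethodError('error-invalid-params', 'Invalid params');
  }
  // 3. The message must exist. From here on the stored copy is used, not
  //    the caller-supplied object.
  const stored = messages.get(message._id);
  if (!stored) {
    throw new MethodError('error-message-not-found', 'Message not found');
  }
  // 4. The caller must be allowed to read the room the message belongs to.
  const room = rooms.get(stored.rid);
  if (!room || !canAccessRoom(room, userId)) {
    throw new MethodError('error-not-allowed', 'Not allowed');
  }
  return doTranslate(stored, targetLanguage);
}

// Wraps the method the way the e2e tests observe it: a success payload, or
// the error id that the 400 response carries.
function callMethod(userId, ...params) {
  try {
    return { success: true, result: translateMessage(userId, ...params) };
  } catch (err) {
    if (err instanceof MethodError) {
      return { success: false, error: err.error };
    }
    throw err;
  }
}
```

The ordering matters: the authentication check costs nothing, the type check runs before any database call so a non-string `_id` can never be interpreted as a query operator, and the access check runs against the room resolved from the stored message rather than from anything the caller sent. Translating the stored copy, not the caller's object, is what keeps a client from smuggling extra fields into the translation path.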

@jonasflorencio jonasflorencio added the stat: QA assured Means it has been tested and approved by a company insider label May 14, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label May 14, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue May 14, 2026
Merged via the queue into develop with commit 5c8efa7 May 14, 2026
47 checks passed
@dionisio-bot dionisio-bot Bot deleted the validate-access-translatemessage-meteormethod branch May 14, 2026 15:51
@jonasflorencio

Member

/backport 8.4.2

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40539 added to Project: "Patch 8.4.2"

@jonasflorencio

Member

/backport 8.3.4

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40540 added to Project: "Patch 8.3.4"

@jonasflorencio

Member

/backport 8.2.4

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40541 added to Project: "Patch 8.2.4"

@jonasflorencio

Member

/backport 8.1.5

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40543 added to Project: "Patch 8.1.5"

@jonasflorencio

Member

/backport 8.0.6

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40544 added to Project: "Patch 8.0.6"

@coderabbitai coderabbitai Bot mentioned this pull request May 14, 2026
@jonasflorencio

Member

/backport 7.13.7

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

7.13.7 already exists in the project

@jonasflorencio

Member

/backport 7.13.8

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40545 added to Project: "Patch 7.13.8"

@jonasflorencio

Member

/backport 7.10.12

@dionisio-bot

dionisio-bot Bot commented May 14, 2026

Contributor

Pull request #40546 added to Project: "Patch 7.10.12"


Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge type: bug


3 participants