fix: hide 'Delete all closed chats' button when user lacks remove-closed-livechat-rooms permission

[MartinSchoeler]

Proposed changes (including videos or screenshots)

The "Delete all closed chats" menu item in the Omnichannel Contact Center kebab menu was always visible, regardless of whether the user had the remove-closed-livechat-rooms permission. While the backend correctly enforced the permission (returning error-unauthorized), the frontend did not gate the button's visibility.

This PR adds a usePermission('remove-closed-livechat-rooms') check in ChatsTableFilter.tsx to:

• Conditionally include the "Delete all closed chats" item in the kebab menu only when the user has the permission
• Hide the entire kebab menu ("More" button) when there are no permitted menu items

This follows the same pattern already used in ChatsTable.tsx for the single-room remove-closed-livechat-room permission check.

Unit tests are included to verify:

• The "More" kebab menu is shown when the user has the remove-closed-livechat-rooms permission
• The "More" kebab menu is hidden when the user lacks the permission
• The "Delete all closed chats" menu item appears inside the menu when the permission is granted

Steps to test or reproduce

1. Remove the remove-closed-livechat-rooms permission from all roles in Admin > Permissions
2. Navigate to Omnichannel Contact Center > Chats tab
3. Before fix: The kebab menu ("More") button is visible and clicking "Delete all closed chats" shows an unauthorized error
4. After fix: The kebab menu ("More") button is hidden entirely since the only action it contained is now gated by the permission
5. Re-add the permission to any role and verify the menu reappears with the "Delete all closed chats" option

Further comments

The change is minimal and isolated to ChatsTableFilter.tsx. Only one file is modified for the fix, adding one usePermission hook call and conditionally rendering the menu items and the menu component itself. A companion test file validates the permission gating behavior.

SUP-1031

  

Summary by CodeRabbit

• Bug Fixes
  • Enhanced access control in the chats directory: the "Delete all closed chats" option is now restricted to users with the required permissions. The actions menu displays only when available options are present for the current user.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ffef4584-10ec-497c-8b97-0ec96c34f830

📥 Commits

Reviewing files that changed from the base of the PR and between 6b2afb3 and ceff6e3.

📒 Files selected for processing (2)

• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx
• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx
• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx

🧠 Learnings (3)

📚 Learning: 2026-03-06T18:10:15.268Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx
• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx
• apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx

🔇 Additional comments (5)

apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx (3)

4-4: LGTM!

Also applies to: 19-19

---

39-53: LGTM!

---

73-73: LGTM!

apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx (2)

1-42: LGTM!

---

44-70: LGTM!

---

Walkthrough

ChatsTableFilter now gates the "delete all closed chats" feature behind the remove-closed-livechat-rooms permission. The component checks permission on render, conditionally includes the delete action in the menu, and renders the "More" dropdown only when actions are available. Tests verify this conditional behavior.

Changes

Permission-gated delete all closed chats

Layer / File(s)	Summary
Permission check and conditional rendering apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.tsx, apps/meteor/client/views/omnichannel/directory/chats/ChatsTable/ChatsTableFilter.spec.tsx	usePermission hook is imported and invoked to check remove-closed-livechat-rooms. menuItems conditionally includes the delete-all-closed-chats action only when permitted. The "More" dropdown (GenericMenu) renders only when menuItems is non-empty. Test suite validates that the menu and delete option appear exclusively when the user has the required permission.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a permission check to hide the 'Delete all closed chats' button when users lack the required permission, which matches the core modification in ChatsTableFilter.tsx.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• SUP-1031: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: ceff6e3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.66%. Comparing base (6b2afb3) to head (ceff6e3).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40492      +/-   ##
===========================================
+ Coverage    69.64%   69.66%   +0.02%     
===========================================
  Files         3318     3318              
  Lines       121981   122048      +67     
  Branches     21791    21804      +13     
===========================================
+ Hits         84948    85020      +72     
- Misses       33701    33706       +5     
+ Partials      3332     3322      -10     

Flag	Coverage Δ
e2e	59.06% <66.66%> (+0.05%)	⬆️
e2e-api	46.25% <ø> (-0.09%)	⬇️
unit	70.45% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.