From 9d42d281435fdcddd64bd4ddfd8ddc924419a140 Mon Sep 17 00:00:00 2001
From: Diego Sampaio
Date: Fri, 27 Mar 2026 15:44:08 -0300
Subject: [PATCH] regression: populate permission to new federated-external role (#39854)
---
 .../server/functions/upsertPermissions.ts | 2 +-
 apps/meteor/server/startup/migrations/xrun.ts | 38 ++++++++++++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/apps/meteor/app/authorization/server/functions/upsertPermissions.ts b/apps/meteor/app/authorization/server/functions/upsertPermissions.ts
index 2b6d93f60d3..015f14189f4 100644
--- a/apps/meteor/app/authorization/server/functions/upsertPermissions.ts
+++ b/apps/meteor/app/authorization/server/functions/upsertPermissions.ts
@@ -18,7 +18,7 @@ export const upsertPermissions = async (): Promise => {
 { name: 'leader', scope: 'Subscriptions', description: 'Leader' },
 { name: 'owner', scope: 'Subscriptions', description: 'Owner' },
 { name: 'user', scope: 'Users', description: '' },
- { name: 'federated-external', scope: 'Users', description: 'External Federated User' },
+ { name: 'federated-external', scope: 'Users', description: '' },
 { name: 'bot', scope: 'Users', description: '' },
 { name: 'app', scope: 'Users', description: '' },
 { name: 'guest', scope: 'Users', description: '' },
diff --git a/apps/meteor/server/startup/migrations/xrun.ts b/apps/meteor/server/startup/migrations/xrun.ts
index 0344649f999..8e552f034fa 100644
--- a/apps/meteor/server/startup/migrations/xrun.ts
+++ b/apps/meteor/server/startup/migrations/xrun.ts
@@ -1,4 +1,4 @@
-import { Settings } from '@rocket.chat/models';
+import { Permissions, Roles, Settings, Users } from '@rocket.chat/models';
 import type { UpdateResult } from 'mongodb';
 import { upsertPermissions } from '../../../app/authorization/server/functions/upsertPermissions';
@@ -55,10 +55,46 @@ const moveRetentionSetting = async () => {
 await Settings.updateMany({ _id: { $in: Array.from(maxAgeSettingMap.keys()) } }, { $set: { value: -1 } });
 };
+async function setPermissionsToNewRole() {
+ const role = await Roles.findOneById('federated-external');
+
+ // if role was found it means it was already created with the permissions, so we can skip it
+ if (role) {
+ return;
+ }
+
+ // if federation was used before the new role was created, we need to update their roles with the new role
+ await Users.updateMany({ federated: true }, { $addToSet: { roles: 'federated-external' } });
+
+ const rolePermissions = [
+ 'create-c',
+ 'create-d',
+ 'create-p',
+ 'delete-own-message',
+ 'leave-c',
+ 'leave-p',
+ 'mention-all',
+ 'mention-here',
+ 'start-discussion',
+ 'start-discussion-other-user',
+ 'view-c-room',
+ 'view-d-room',
+ 'view-p-room',
+ 'preview-c-room',
+ 'view-outside-room',
+ 'mobile-upload-file',
+ 'access-federation',
+ ];
+
+ // since this is a one time query, no need to create a method in model class for it
+ await Permissions.updateMany({ _id: { $in: rolePermissions } }, { $addToSet: { roles: 'federated-external' } });
+}
+
 export const performMigrationProcedure = async (): Promise => {
 await migrateDatabase(version === 'latest' ? version : parseInt(version), subcommands);
 // perform operations when the server is starting with a different version
 await onServerVersionChange(async () => {
+ await setPermissionsToNewRole();
 await upsertPermissions();
 await ensureCloudWorkspaceRegistered();
 await moveRetentionSetting();
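Review bot: The early return in `setPermissionsToNewRole` treats "the role document exists" as proof that the permissions and user roles were already populated, which only holds while the call stays ahead of `upsertPermissions()` inside `onServerVersionChange`; nothing in the code states that ordering requirement. The removed line in the first hunk shows `federated-external` was already in the role list before this commit, so a workspace that started once on such a build would presumably have the role, return early here, and leave its `federated: true` users and the listed permissions without the grant. It may be safer to key the skip on the grant itself rather than on the role document, or at least to add `// must run before upsertPermissions(): the role not existing yet is what triggers this backfill` above the call. The hard-coded `rolePermissions` array is a second copy of the role's defaults and gives external federated accounts `mention-all`, `mention-here` and the `create-*` permissions, so a comment naming the source of truth would help keep the two from drifting. `performMigrationProcedure` continues past the end of the hunk.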