From 4591df3565ed3335b8b57892c6c8e90a952a0eb7 Mon Sep 17 00:00:00 2001
From: Kevin Aleman <kaleman960@gmail.com>
Date: Mon, 20 Oct 2025 14:04:02 -0600
Subject: [PATCH 01/21] feat: Remove users from room when new attributes are
 added to the room (#37172)

---
 ee/packages/abac/src/index.ts | 50 +++++++++--------------------------
 1 file changed, 13 insertions(+), 37 deletions(-)

diff --git a/ee/packages/abac/src/index.ts b/ee/packages/abac/src/index.ts
index 4c1084f68b315..70c3f2af98c5f 100644
--- a/ee/packages/abac/src/index.ts
+++ b/ee/packages/abac/src/index.ts
@@ -170,13 +170,9 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async setRoomAbacAttributes(rid: string, attributes: Record<string, string[]>): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default'>>(
-			rid,
-			'p',
-			{
-				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
-			},
-		);
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
+			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
+		});
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -272,13 +268,9 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async updateRoomAbacAttributeValues(rid: string, key: string, values: string[]): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default'>>(
-			rid,
-			'p',
-			{
-				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
-			},
-		);
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
+			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
+		});
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -325,9 +317,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async removeRoomAbacAttribute(rid: string, key: string): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 'teamDefault' | 'default'>>(rid, 'p', {
-			projection: { abacAttributes: 1, default: 1, teamDefault: 1 },
-		});
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes'>>(rid, 'p', { projection: { abacAttributes: 1 } });
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -342,12 +332,6 @@ export class AbacService extends ServiceClass implements IAbacService {
 			return;
 		}
 
-		// if is the last attribute, just remove all
-		if (previous.length === 1) {
-			await Rooms.unsetAbacAttributesById(rid);
-			return;
-		}
-
 		await Rooms.removeAbacAttributeByRoomIdAndKey(rid, key);
 		this.logger.debug({
 			msg: 'Room ABAC attribute removed',
@@ -359,13 +343,9 @@ export class AbacService extends ServiceClass implements IAbacService {
 	async addRoomAbacAttributeByKey(rid: string, key: string, values: string[]): Promise<void> {
 		await this.ensureAttributeDefinitionsExist([{ key, values }]);
 
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'default' | 'teamDefault'>>(
-			rid,
-			'p',
-			{
-				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
-			},
-		);
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
+			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
+		});
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -392,13 +372,9 @@ export class AbacService extends ServiceClass implements IAbacService {
 	async replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[]): Promise<void> {
 		await this.ensureAttributeDefinitionsExist([{ key, values }]);
 
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'default' | 'teamDefault'>>(
-			rid,
-			'p',
-			{
-				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
-			},
-		);
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
+			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
+		});
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}

From 55aa068d469f77b8d23afa9bbe23ff6cef184e7b Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Fri, 3 Oct 2025 13:21:12 -0300
Subject: [PATCH 02/21] feat: add ABAC admin settings

---
 .../ABACUpsellModal/ABACUpsellModal.spec.tsx  |   9 +-
 .../client/views/admin/ABAC/AdminABACPage.tsx |  48 +++++++
 .../views/admin/ABAC/AdminABACRoute.tsx       |  63 +++++++++
 .../ABAC/AdminABACSettingToggle.spec.tsx      | 131 ++++++++++++++++++
 .../ABAC/AdminABACSettingToggle.stories.tsx   |  50 +++++++
 .../admin/ABAC/AdminABACSettingToggle.tsx     |  88 ++++++++++++
 .../views/admin/ABAC/AdminABACSettings.tsx    |  28 ++++
 .../client/views/admin/ABAC/AdminABACTabs.tsx |  24 ++++
 .../admin/ABAC/AdminABACWarningModal.tsx      |  48 +++++++
 .../AdminABACSettingToggle.spec.tsx.snap      |  60 ++++++++
 apps/meteor/client/views/admin/routes.tsx     |   9 ++
 .../meteor/client/views/admin/sidebarItems.ts |   5 +
 apps/meteor/ee/server/settings/abac.ts        |   1 +
 apps/meteor/tests/mocks/data.ts               |   1 +
 packages/i18n/src/locales/en.i18n.json        |  10 +-
 15 files changed, 569 insertions(+), 6 deletions(-)
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap

diff --git a/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx b/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
index c2fd14fb4feb9..584b64aece7fb 100644
--- a/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
+++ b/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
@@ -4,11 +4,7 @@ import userEvent from '@testing-library/user-event';
 import { axe } from 'jest-axe';
 
 import ABACUpsellModal from './ABACUpsellModal';
-
-// Mock the hooks used by ABACUpsellModal
-jest.mock('../../../hooks/useHasLicenseModule', () => ({
-	useHasLicenseModule: jest.fn(() => false),
-}));
+import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
 
 jest.mock('../../GenericUpsellModal/hooks', () => ({
 	useUpsellActions: jest.fn(() => ({
@@ -34,6 +30,9 @@ const appRoot = mockAppRoot()
 		Upgrade: 'Upgrade',
 		Cancel: 'Cancel',
 	})
+	.withEndpoint('GET', '/v1/licenses.info', async () => ({
+		license: createFakeLicenseInfo(),
+	}))
 	.build();
 
 describe('ABACUpsellModal', () => {
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
new file mode 100644
index 0000000000000..015b94a1ca1c5
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
@@ -0,0 +1,48 @@
+import { Box, Button, Callout } from '@rocket.chat/fuselage';
+import { useRouteParameter } from '@rocket.chat/ui-contexts';
+import { Trans, useTranslation } from 'react-i18next';
+
+import AdminABACSettings from './AdminABACSettings';
+import AdminABACTabs from './AdminABACTabs';
+import { Page, PageContent, PageHeader } from '../../../components/Page';
+import { useExternalLink } from '../../../hooks/useExternalLink';
+
+type AdminABACPageProps = {
+	shouldShowWarning: boolean;
+};
+
+const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
+	const { t } = useTranslation();
+	const tab = useRouteParameter('tab');
+	const learnMore = useExternalLink();
+
+	return (
+		<Page flexDirection='row'>
+			<Page>
+				<PageHeader title={t('ABAC')}>
+					<Button icon='new-window' secondary onClick={() => learnMore('https://rocket.chat/docs/abac')}>
+						{t('ABAC_Learn_More')}
+					</Button>
+				</PageHeader>
+				{shouldShowWarning && (
+					<Box mi={24} mb={16}>
+						<Callout type='warning' title={t('ABAC_automatically_disabled_callout')}>
+							{/* TODO: get documentation URL */}
+							<Trans i18nKey='ABAC_automatically_disabled_callout_description'>
+								Renew your license to continue using all
+								<a href='https://rocket.chat/docs/abac' target='_blank'>
+									{' '}
+									ABAC capabilities without restriction.
+								</a>
+							</Trans>
+						</Callout>
+					</Box>
+				)}
+				<AdminABACTabs />
+				<PageContent>{tab === 'settings' && <AdminABACSettings />}</PageContent>
+			</Page>
+		</Page>
+	);
+};
+
+export default AdminABACPage;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
new file mode 100644
index 0000000000000..f4116d2cb3185
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -0,0 +1,63 @@
+import { usePermission, useSetModal, useCurrentModal, useRouter, useRouteParameter, useSettingStructure } from '@rocket.chat/ui-contexts';
+import type { ReactElement } from 'react';
+import { memo, useEffect } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import AdminABACPage from './AdminABACPage';
+import ABACUpsellModal from '../../../components/ABAC/ABACUpsellModal/ABACUpsellModal';
+import { useUpsellActions } from '../../../components/GenericUpsellModal/hooks';
+import PageSkeleton from '../../../components/PageSkeleton';
+// import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
+import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
+import SettingsProvider from '../../../providers/SettingsProvider';
+import NotAuthorizedPage from '../../notAuthorized/NotAuthorizedPage';
+import EditableSettingsProvider from '../settings/EditableSettingsProvider';
+
+const AdminABACRoute = (): ReactElement => {
+	const { t } = useTranslation();
+	// TODO: Check what permission is needed to view the ABAC page
+	const canViewABACPage = usePermission('manage-cloud');
+	const hasABAC = useHasLicenseModule('abac') === true;
+	const isModalOpen = !!useCurrentModal();
+	const tab = useRouteParameter('tab');
+	const router = useRouter();
+
+	// Check if setting exists in the DB to decide if we show warning or upsell
+	const ABACEnabledSetting = useSettingStructure('ABAC_Enabled');
+
+	if (!tab) {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: { tab: 'settings' },
+		});
+	}
+
+	const { shouldShowUpsell, handleManageSubscription } = useUpsellActions(hasABAC);
+
+	const setModal = useSetModal();
+
+	useEffect(() => {
+		// WS has never activated ABAC
+		if (shouldShowUpsell && ABACEnabledSetting === undefined) {
+			setModal(<ABACUpsellModal onClose={() => setModal(null)} onConfirm={handleManageSubscription} />);
+		}
+	}, [shouldShowUpsell, setModal, t, handleManageSubscription, ABACEnabledSetting]);
+
+	if (isModalOpen) {
+		return <PageSkeleton />;
+	}
+
+	if (!canViewABACPage || (ABACEnabledSetting === undefined && !hasABAC)) {
+		return <NotAuthorizedPage />;
+	}
+
+	return (
+		<SettingsProvider>
+			<EditableSettingsProvider>
+				<AdminABACPage shouldShowWarning={ABACEnabledSetting !== undefined && !hasABAC} />
+			</EditableSettingsProvider>
+		</SettingsProvider>
+	);
+};
+
+export default memo(AdminABACRoute);
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
new file mode 100644
index 0000000000000..937cbbef474bf
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
@@ -0,0 +1,131 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { axe } from 'jest-axe';
+
+import AdminABACSettingToggle from './AdminABACSettingToggle';
+import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
+import EditableSettingsProvider from '../settings/EditableSettingsProvider';
+
+const baseAppRoot = mockAppRoot()
+	.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
+	.withTranslations('en', 'core', {
+		ABAC_Enabled: 'Enable ABAC',
+		ABAC_Enabled_Description: 'Enable Attribute-Based Access Control',
+		ABAC_Warning_Modal_Title: 'Disable ABAC',
+		ABAC_Warning_Modal_Confirm_Text: 'Disable',
+		Cancel: 'Cancel',
+	})
+	.withEndpoint('GET', '/v1/licenses.info', () => ({
+		license: createFakeLicenseInfo({ activeModules: ['abac'] }),
+	}));
+
+describe('AdminABACSettingToggle', () => {
+	it('should render the setting toggle when setting exists', () => {
+		const { baseElement } = render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		});
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should show warning modal when disabling ABAC', async () => {
+		const user = userEvent.setup();
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		await user.click(toggle);
+
+		await waitFor(() => {
+			expect(screen.getByText('Disable ABAC')).toBeInTheDocument();
+		});
+
+		// TODO: discover how to automatically unmount all modals after each test
+		const cancelButton = screen.getByRole('button', { name: /cancel/i });
+		await user.click(cancelButton);
+	});
+
+	it('should not show warning modal when enabling ABAC', async () => {
+		const user = userEvent.setup();
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		await user.click(toggle);
+
+		// The modal should not appear when enabling ABAC
+		expect(screen.queryByText('Disable ABAC')).not.toBeInTheDocument();
+	});
+
+	it('should show warning modal when resetting setting', async () => {
+		const user = userEvent.setup();
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		});
+
+		const resetButton = screen.getByRole('button', { name: /reset/i });
+		await user.click(resetButton);
+
+		await waitFor(() => {
+			expect(screen.getByText('Disable ABAC')).toBeInTheDocument();
+		});
+
+		// TODO: discover how to automatically unmount all modals after each test
+		const cancelButton = screen.getByRole('button', { name: /cancel/i });
+		await user.click(cancelButton);
+	});
+
+	it('should have no accessibility violations', async () => {
+		const { container } = render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		});
+		const results = await axe(container);
+		expect(results).toHaveNoViolations();
+	});
+
+	it('should handle setting change correctly', async () => {
+		const user = userEvent.setup();
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		expect(toggle).not.toBeChecked();
+
+		await user.click(toggle);
+		expect(toggle).toBeChecked();
+	});
+
+	it('should be disabled when abac license is not installed', () => {
+		const { baseElement } = render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot
+				.withSetting('ABAC_Enabled', true)
+				.withEndpoint('GET', '/v1/licenses.info', () => ({
+					license: createFakeLicenseInfo({ activeModules: [] }),
+				}))
+				.build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		expect(toggle).toBeDisabled();
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should show reset button when value differs from package value', () => {
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		});
+
+		expect(screen.getByRole('button', { name: /reset/i })).toBeInTheDocument();
+	});
+
+	it('should not show reset button when value matches package value', () => {
+		render(<AdminABACSettingToggle />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		});
+
+		expect(screen.queryByRole('button', { name: /reset/i })).not.toBeInTheDocument();
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
new file mode 100644
index 0000000000000..00848d53a8d1d
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
@@ -0,0 +1,50 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import type { Meta, StoryObj } from '@storybook/react';
+
+import AdminABACSettingToggle from './AdminABACSettingToggle';
+import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
+import EditableSettingsProvider from '../settings/EditableSettingsProvider';
+
+const meta: Meta<typeof AdminABACSettingToggle> = {
+	title: 'Admin/ABAC/AdminABACSettingToggle',
+	component: AdminABACSettingToggle,
+	parameters: {
+		layout: 'padded',
+	},
+	decorators: [
+		(Story) => {
+			const AppRoot = mockAppRoot()
+				.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
+				.withTranslations('en', 'core', {
+					ABAC_Enabled: 'Enable ABAC',
+					ABAC_Enabled_Description: 'Enable Attribute-Based Access Control',
+					ABAC_Warning_Modal_Title: 'Disable ABAC',
+					ABAC_Warning_Modal_Confirm_Text: 'Disable',
+					Cancel: 'Cancel',
+				})
+				.withSetting('ABAC_Enabled', true, {
+					packageValue: true,
+					blocked: false,
+					public: true,
+					type: 'boolean',
+					i18nLabel: 'ABAC_Enabled',
+					i18nDescription: 'ABAC_Enabled_Description',
+				})
+				.withEndpoint('GET', '/v1/licenses.info', () => ({
+					license: createFakeLicenseInfo({ activeModules: [] }),
+				}))
+				.build();
+
+			return (
+				<AppRoot>
+					<Story />
+				</AppRoot>
+			);
+		},
+	],
+};
+
+export default meta;
+type Story = StoryObj<typeof AdminABACSettingToggle>;
+
+export const Default: Story = {};
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
new file mode 100644
index 0000000000000..dc9b3f527cd7a
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
@@ -0,0 +1,88 @@
+import type { SettingValue } from '@rocket.chat/core-typings';
+import { useSetModal, useSettingsDispatch } from '@rocket.chat/ui-contexts';
+import { useCallback, useEffect, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import type { EditableSetting } from '../EditableSettingsContext';
+import { useEditableSetting } from '../EditableSettingsContext';
+import AdminABACWarningModal from './AdminABACWarningModal';
+import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
+import MemoizedSetting from '../settings/Setting/MemoizedSetting';
+
+const AdminABACSettingToggle = () => {
+	const setting = useEditableSetting('ABAC_Enabled');
+	const setModal = useSetModal();
+	const dispatch = useSettingsDispatch();
+	const { t } = useTranslation();
+	const hasABAC = useHasLicenseModule('abac');
+
+	const [value, setValue] = useState<boolean>(setting?.value === true);
+
+	useEffect(() => {
+		setValue(setting?.value === true);
+	}, [setting]);
+
+	const onchange = useCallback(
+		(value: boolean) => {
+			if (!setting) {
+				return;
+			}
+
+			const handleChange = (value: boolean, setting: EditableSetting) => {
+				setValue(value);
+				dispatch([{ _id: setting._id, value }]);
+			};
+
+			if (value === false) {
+				return setModal(
+					<AdminABACWarningModal
+						onConfirm={() => {
+							handleChange(value, setting);
+							setModal();
+						}}
+						onCancel={() => setModal()}
+					/>,
+				);
+			}
+			handleChange(value, setting);
+		},
+		[dispatch, setModal, setting],
+	);
+
+	const onreset = useCallback(() => {
+		if (!setting) {
+			return;
+		}
+		const value = setting.packageValue as boolean;
+		setModal(
+			<AdminABACWarningModal
+				onConfirm={() => {
+					setValue(value);
+					dispatch([{ _id: setting._id, value }]);
+					setModal();
+				}}
+				onCancel={() => setModal()}
+			/>,
+		);
+	}, [dispatch, setModal, setting]);
+
+	if (!setting) {
+		return null;
+	}
+
+	return (
+		<MemoizedSetting
+			type='boolean'
+			_id={setting._id}
+			label={t(setting.i18nLabel)}
+			value={value}
+			packageValue={setting.packageValue === true}
+			hint={t(setting.i18nDescription || '')}
+			disabled={!hasABAC || setting.blocked}
+			hasResetButton={setting.packageValue !== setting.value}
+			onChangeValue={(value: SettingValue) => onchange(value === true)}
+			onResetButtonClick={() => onreset()}
+		/>
+	);
+};
+export default AdminABACSettingToggle;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
new file mode 100644
index 0000000000000..e7709218189af
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
@@ -0,0 +1,28 @@
+import { Box, Callout, Margins } from '@rocket.chat/fuselage';
+import { Trans } from 'react-i18next';
+
+import AdminABACSettingToggle from './AdminABACSettingToggle';
+
+const AdminABACSettings = () => {
+	return (
+		<Box maxWidth='x600' w='full' alignSelf='center'>
+			<Box>
+				<Margins block={24}>
+					<AdminABACSettingToggle />
+
+					<Callout>
+						{/* TODO: get documentation URL */}
+						<Trans i18nKey='ABAC_Enabled_callout'>
+							User attributes are synchronized via LDAP
+							<a href='https://rocket.chat' target='_blank'>
+								Learn more
+							</a>
+						</Trans>
+					</Callout>
+				</Margins>
+			</Box>
+		</Box>
+	);
+};
+
+export default AdminABACSettings;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
new file mode 100644
index 0000000000000..4fc73a491f44e
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
@@ -0,0 +1,24 @@
+import { Tabs, TabsItem } from '@rocket.chat/fuselage';
+import { useRouteParameter, useRouter } from '@rocket.chat/ui-contexts';
+import { useTranslation } from 'react-i18next';
+
+const AdminABACTabs = () => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const tab = useRouteParameter('tab');
+	const handleTabClick = (tab: string) => {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: { tab },
+		});
+	};
+	return (
+		<Tabs>
+			<TabsItem selected={tab === 'settings'} onClick={() => handleTabClick('settings')}>
+				{t('Settings')}
+			</TabsItem>
+		</Tabs>
+	);
+};
+
+export default AdminABACTabs;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
new file mode 100644
index 0000000000000..107f069e1f8d0
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -0,0 +1,48 @@
+import { Box, Palette } from '@rocket.chat/fuselage';
+import { GenericModal } from '@rocket.chat/ui-client';
+import { useRouter } from '@rocket.chat/ui-contexts';
+import { Trans, useTranslation } from 'react-i18next';
+
+type AdminABACWarningModalProps = {
+	onConfirm: () => void;
+	onCancel: () => void;
+};
+
+const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalProps) => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const handleNavigate = () => {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: {
+				tab: 'rooms',
+			},
+		});
+	};
+
+	return (
+		<GenericModal
+			title={t('ABAC_Warning_Modal_Title')}
+			icon={null}
+			// TODO: Check if this is the best way to do this
+			confirmText={<Box color={Palette.text['font-danger'].toString()}>{t('ABAC_Warning_Modal_Confirm_Text')}</Box>}
+			cancelText={t('Cancel')}
+			onConfirm={onConfirm}
+			onCancel={onCancel}
+			onClose={onCancel}
+			onDismiss={onCancel}
+		>
+			<Trans i18nKey='ABAC_Warning_Modal_Content'>
+				You will not be able to automatically or manually manage users in existing ABAC-managed rooms. To restore a room's default access
+				control, it must be removed from ABAC management in
+				<Box is='a' onClick={handleNavigate}>
+					{' '}
+					ABAC {'>'} Rooms'
+				</Box>
+				.
+			</Trans>
+		</GenericModal>
+	);
+};
+
+export default AdminABACWarningModal;
diff --git a/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap
new file mode 100644
index 0000000000000..83d70957e694a
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap
@@ -0,0 +1,60 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`AdminABACSettingToggle should render the setting toggle when setting exists 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field rcx-css-1gfu76s"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-1u2ihfm"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-field"
+        >
+          <span
+            class="rcx-box rcx-box--full rcx-field__row rcx-css-ctk2ij"
+          >
+            <label
+              class="rcx-box rcx-box--full rcx-field__label rcx-label"
+              for="ABAC_Enabled"
+              title="ABAC_Enabled"
+            />
+            <div
+              class="rcx-box rcx-box--full rcx-css-127j9mz"
+            >
+              <button
+                class="rcx-box rcx-box--full rcx-button--small-square rcx-button--icon-danger rcx-button--square rcx-button--icon rcx-button rcx-css-1rtu0k9"
+                data-qa-reset-setting-id="ABAC_Enabled"
+                title="Reset"
+                type="button"
+              >
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-icon--name-undo rcx-icon rcx-css-4pvxx3"
+                >
+                  ❰
+                </i>
+              </button>
+              <label
+                class="rcx-box rcx-box--full rcx-toggle-switch"
+              >
+                <input
+                  checked=""
+                  class="rcx-box rcx-box--full rcx-toggle-switch__input"
+                  id="ABAC_Enabled"
+                  type="checkbox"
+                />
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-toggle-switch__fake"
+                />
+              </label>
+            </div>
+          </span>
+        </div>
+      </div>
+    </div>
+  </div>
+</body>
+`;
diff --git a/apps/meteor/client/views/admin/routes.tsx b/apps/meteor/client/views/admin/routes.tsx
index 233da80cd1088..55b06e6fa8f46 100644
--- a/apps/meteor/client/views/admin/routes.tsx
+++ b/apps/meteor/client/views/admin/routes.tsx
@@ -104,6 +104,10 @@ declare module '@rocket.chat/ui-contexts' {
 			pathname: '/admin/feature-preview';
 			pattern: '/admin/feature-preview';
 		};
+		'admin-ABAC': {
+			pathname: '/admin/ABAC';
+			pattern: '/admin/ABAC/:tab?/:context?/:id?';
+		};
 	}
 }
 
@@ -237,3 +241,8 @@ registerAdminRoute('/feature-preview', {
 	name: 'admin-feature-preview',
 	component: lazy(() => import('./featurePreview/AdminFeaturePreviewRoute')),
 });
+
+registerAdminRoute('/ABAC/:tab?/:context?/:id?', {
+	name: 'admin-ABAC',
+	component: lazy(() => import('./ABAC/AdminABACRoute')),
+});
diff --git a/apps/meteor/client/views/admin/sidebarItems.ts b/apps/meteor/client/views/admin/sidebarItems.ts
index 2c70d9e173cd8..6089f7368ee5f 100644
--- a/apps/meteor/client/views/admin/sidebarItems.ts
+++ b/apps/meteor/client/views/admin/sidebarItems.ts
@@ -64,6 +64,11 @@ export const {
 		icon: 'user-lock',
 		permissionGranted: (): boolean => hasAtLeastOnePermission(['access-permissions', 'access-setting-permissions']),
 	},
+	{
+		href: '/admin/ABAC',
+		i18nLabel: 'ABAC',
+		icon: 'team-lock',
+	},
 	{
 		href: '/admin/device-management',
 		i18nLabel: 'Device_Management',
diff --git a/apps/meteor/ee/server/settings/abac.ts b/apps/meteor/ee/server/settings/abac.ts
index e61c61f730c9b..f187e17703cdd 100644
--- a/apps/meteor/ee/server/settings/abac.ts
+++ b/apps/meteor/ee/server/settings/abac.ts
@@ -13,6 +13,7 @@ export function addSettings(): void {
 					public: true,
 					invalidValue: false,
 					section: 'ABAC',
+					i18nDescription: 'ABAC_Enabled_Description',
 				});
 			},
 		);
diff --git a/apps/meteor/tests/mocks/data.ts b/apps/meteor/tests/mocks/data.ts
index 1dde2432ca3be..ecdca6b206a23 100644
--- a/apps/meteor/tests/mocks/data.ts
+++ b/apps/meteor/tests/mocks/data.ts
@@ -233,6 +233,7 @@ export const createFakeLicenseInfo = (partial: Partial<Omit<LicenseInfo, 'licens
 		'custom-roles',
 		'accessibility-certification',
 		'outbound-messaging',
+		'abac',
 	]),
 	externalModules: [],
 	preventedActions: {
diff --git a/packages/i18n/src/locales/en.i18n.json b/packages/i18n/src/locales/en.i18n.json
index 9d37b1336e79a..1cdebc9ae729e 100644
--- a/packages/i18n/src/locales/en.i18n.json
+++ b/packages/i18n/src/locales/en.i18n.json
@@ -11,8 +11,16 @@
   "2_Erros_Information_and_Debug": "2 - Errors, Information and Debug",
   "@username": "@username",
   "@username_message": "@username <message>",
-  "ABAC": "Attribute Based Access Control (ABAC)",
+  "ABAC": "Attribute Based Access Control",
   "ABAC_Enabled": "Enable Attribute Based Access Control (ABAC)",
+  "ABAC_Enabled_Description": "Controls access to rooms based on user and room attributes.",
+  "ABAC_Enabled_callout": "User attributes are synchronized via LDAP. <1>Learn more</1>",
+  "ABAC_Learn_More": "Learn about ABAC",
+  "ABAC_automatically_disabled_callout": "ABAC automatically disabled",
+  "ABAC_automatically_disabled_callout_description": "Renew your license to continue using all <1>ABAC capabilities without restriction</1>.",
+  "ABAC_Warning_Modal_Title": "Deactivate ABAC ",
+  "ABAC_Warning_Modal_Confirm_Text": "Deactivate ABAC",
+  "ABAC_Warning_Modal_Content": "You will not be able to automatically or manually manage users in existing ABAC-managed rooms. To restore a room's default access control, it must be removed from ABAC management in <1>ABAC > Rooms</1>.",
   "abac-management": "Manage ABAC configuration",
   "abac_removed_user_from_the_room": "was removed by ABAC",
   "AI_Actions": "AI actions",

From 4af41206b3d57d0c1ffc62102b969cf2cec50c48 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Fri, 10 Oct 2025 14:26:18 -0300
Subject: [PATCH 03/21] test: more settings tests

---
 .../ABAC/AdminABACSettingToggle.spec.tsx      |  69 ++++++-----
 .../ABAC/AdminABACSettingToggle.stories.tsx   |  27 ++++-
 .../admin/ABAC/AdminABACSettingToggle.tsx     |  13 ++-
 .../views/admin/ABAC/AdminABACSettings.tsx    |   4 +-
 .../AdminABACSettingToggle.spec.tsx.snap      | 107 +++++++++++++++++-
 5 files changed, 180 insertions(+), 40 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
index 937cbbef474bf..f235bce08db84 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.spec.tsx
@@ -1,12 +1,21 @@
+import type { ISetting } from '@rocket.chat/apps-engine/definition/settings';
 import { mockAppRoot } from '@rocket.chat/mock-providers';
 import { render, screen, waitFor } from '@testing-library/react';
 import userEvent from '@testing-library/user-event';
 import { axe } from 'jest-axe';
 
 import AdminABACSettingToggle from './AdminABACSettingToggle';
-import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
 import EditableSettingsProvider from '../settings/EditableSettingsProvider';
 
+const settingStructure = {
+	packageValue: false,
+	blocked: false,
+	public: true,
+	type: 'boolean',
+	i18nLabel: 'ABAC_Enabled',
+	i18nDescription: 'ABAC_Enabled_Description',
+} as Partial<ISetting>;
+
 const baseAppRoot = mockAppRoot()
 	.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
 	.withTranslations('en', 'core', {
@@ -15,26 +24,26 @@ const baseAppRoot = mockAppRoot()
 		ABAC_Warning_Modal_Title: 'Disable ABAC',
 		ABAC_Warning_Modal_Confirm_Text: 'Disable',
 		Cancel: 'Cancel',
-	})
-	.withEndpoint('GET', '/v1/licenses.info', () => ({
-		license: createFakeLicenseInfo({ activeModules: ['abac'] }),
-	}));
+	});
 
 describe('AdminABACSettingToggle', () => {
 	it('should render the setting toggle when setting exists', () => {
-		const { baseElement } = render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		const { baseElement } = render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 		expect(baseElement).toMatchSnapshot();
 	});
 
 	it('should show warning modal when disabling ABAC', async () => {
 		const user = userEvent.setup();
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 
 		const toggle = screen.getByRole('checkbox');
+		await waitFor(() => {
+			expect(toggle).not.toBeDisabled();
+		});
 		await user.click(toggle);
 
 		await waitFor(() => {
@@ -48,8 +57,8 @@ describe('AdminABACSettingToggle', () => {
 
 	it('should not show warning modal when enabling ABAC', async () => {
 		const user = userEvent.setup();
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
 		});
 
 		const toggle = screen.getByRole('checkbox');
@@ -61,8 +70,8 @@ describe('AdminABACSettingToggle', () => {
 
 	it('should show warning modal when resetting setting', async () => {
 		const user = userEvent.setup();
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 
 		const resetButton = screen.getByRole('button', { name: /reset/i });
@@ -78,8 +87,8 @@ describe('AdminABACSettingToggle', () => {
 	});
 
 	it('should have no accessibility violations', async () => {
-		const { container } = render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		const { container } = render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 		const results = await axe(container);
 		expect(results).toHaveNoViolations();
@@ -87,11 +96,11 @@ describe('AdminABACSettingToggle', () => {
 
 	it('should handle setting change correctly', async () => {
 		const user = userEvent.setup();
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
 		});
 
-		const toggle = screen.getByRole('checkbox');
+		const toggle = await screen.findByRole('checkbox', { busy: false });
 		expect(toggle).not.toBeChecked();
 
 		await user.click(toggle);
@@ -99,13 +108,8 @@ describe('AdminABACSettingToggle', () => {
 	});
 
 	it('should be disabled when abac license is not installed', () => {
-		const { baseElement } = render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot
-				.withSetting('ABAC_Enabled', true)
-				.withEndpoint('GET', '/v1/licenses.info', () => ({
-					license: createFakeLicenseInfo({ activeModules: [] }),
-				}))
-				.build(),
+		const { baseElement } = render(<AdminABACSettingToggle hasABAC={false} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 
 		const toggle = screen.getByRole('checkbox');
@@ -113,17 +117,24 @@ describe('AdminABACSettingToggle', () => {
 		expect(baseElement).toMatchSnapshot();
 	});
 
+	it('should show skeleton when loading', () => {
+		const { baseElement } = render(<AdminABACSettingToggle hasABAC='loading' />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+		expect(baseElement).toMatchSnapshot();
+	});
+
 	it('should show reset button when value differs from package value', () => {
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
 		});
 
 		expect(screen.getByRole('button', { name: /reset/i })).toBeInTheDocument();
 	});
 
 	it('should not show reset button when value matches package value', () => {
-		render(<AdminABACSettingToggle />, {
-			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false).build(),
+		render(<AdminABACSettingToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
 		});
 
 		expect(screen.queryByRole('button', { name: /reset/i })).not.toBeInTheDocument();
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
index 00848d53a8d1d..6c5626baa0dc1 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.stories.tsx
@@ -2,7 +2,6 @@ import { mockAppRoot } from '@rocket.chat/mock-providers';
 import type { Meta, StoryObj } from '@storybook/react';
 
 import AdminABACSettingToggle from './AdminABACSettingToggle';
-import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
 import EditableSettingsProvider from '../settings/EditableSettingsProvider';
 
 const meta: Meta<typeof AdminABACSettingToggle> = {
@@ -23,16 +22,13 @@ const meta: Meta<typeof AdminABACSettingToggle> = {
 					Cancel: 'Cancel',
 				})
 				.withSetting('ABAC_Enabled', true, {
-					packageValue: true,
+					packageValue: false,
 					blocked: false,
 					public: true,
 					type: 'boolean',
 					i18nLabel: 'ABAC_Enabled',
 					i18nDescription: 'ABAC_Enabled_Description',
 				})
-				.withEndpoint('GET', '/v1/licenses.info', () => ({
-					license: createFakeLicenseInfo({ activeModules: [] }),
-				}))
 				.build();
 
 			return (
@@ -42,9 +38,28 @@ const meta: Meta<typeof AdminABACSettingToggle> = {
 			);
 		},
 	],
+	args: {
+		hasABAC: true,
+	},
 };
 
 export default meta;
 type Story = StoryObj<typeof AdminABACSettingToggle>;
 
-export const Default: Story = {};
+export const Default: Story = {
+	args: {
+		hasABAC: true,
+	},
+};
+
+export const Loading: Story = {
+	args: {
+		hasABAC: 'loading',
+	},
+};
+
+export const False: Story = {
+	args: {
+		hasABAC: false,
+	},
+};
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
index dc9b3f527cd7a..ebd5c886dfe6b 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
@@ -6,15 +6,18 @@ import { useTranslation } from 'react-i18next';
 import type { EditableSetting } from '../EditableSettingsContext';
 import { useEditableSetting } from '../EditableSettingsContext';
 import AdminABACWarningModal from './AdminABACWarningModal';
-import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
 import MemoizedSetting from '../settings/Setting/MemoizedSetting';
+import SettingSkeleton from '../settings/Setting/SettingSkeleton';
 
-const AdminABACSettingToggle = () => {
+type AdminABACSettingToggleProps = {
+	hasABAC: 'loading' | boolean;
+};
+
+const AdminABACSettingToggle = ({ hasABAC }: AdminABACSettingToggleProps) => {
 	const setting = useEditableSetting('ABAC_Enabled');
 	const setModal = useSetModal();
 	const dispatch = useSettingsDispatch();
 	const { t } = useTranslation();
-	const hasABAC = useHasLicenseModule('abac');
 
 	const [value, setValue] = useState<boolean>(setting?.value === true);
 
@@ -70,6 +73,10 @@ const AdminABACSettingToggle = () => {
 		return null;
 	}
 
+	if (hasABAC === 'loading') {
+		return <SettingSkeleton />;
+	}
+
 	return (
 		<MemoizedSetting
 			type='boolean'
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
index e7709218189af..bf48cf2d66ec4 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
@@ -2,13 +2,15 @@ import { Box, Callout, Margins } from '@rocket.chat/fuselage';
 import { Trans } from 'react-i18next';
 
 import AdminABACSettingToggle from './AdminABACSettingToggle';
+import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
 
 const AdminABACSettings = () => {
+	const hasABAC = useHasLicenseModule('abac');
 	return (
 		<Box maxWidth='x600' w='full' alignSelf='center'>
 			<Box>
 				<Margins block={24}>
-					<AdminABACSettingToggle />
+					<AdminABACSettingToggle hasABAC={hasABAC} />
 
 					<Callout>
 						{/* TODO: get documentation URL */}
diff --git a/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap
index 83d70957e694a..39af2d46aa2f0 100644
--- a/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap
+++ b/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACSettingToggle.spec.tsx.snap
@@ -1,5 +1,73 @@
 // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
+exports[`AdminABACSettingToggle should be disabled when abac license is not installed 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field rcx-css-1gfu76s"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-1u2ihfm"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-field"
+        >
+          <span
+            class="rcx-box rcx-box--full rcx-field__row rcx-css-ctk2ij"
+          >
+            <label
+              class="rcx-box rcx-box--full rcx-field__label rcx-label"
+              for="ABAC_Enabled"
+              title="ABAC_Enabled"
+            >
+              Enable ABAC
+            </label>
+            <div
+              class="rcx-box rcx-box--full rcx-css-127j9mz"
+            >
+              <button
+                class="rcx-box rcx-box--full rcx-button--small-square rcx-button--icon-danger rcx-button--square rcx-button--icon rcx-button rcx-css-1rtu0k9"
+                data-qa-reset-setting-id="ABAC_Enabled"
+                title="Reset"
+                type="button"
+              >
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-icon--name-undo rcx-icon rcx-css-4pvxx3"
+                >
+                  ❰
+                </i>
+              </button>
+              <label
+                class="rcx-box rcx-box--full rcx-toggle-switch"
+              >
+                <input
+                  checked=""
+                  class="rcx-box rcx-box--full rcx-toggle-switch__input"
+                  data-qa-setting-id="ABAC_Enabled"
+                  disabled=""
+                  id="ABAC_Enabled"
+                  type="checkbox"
+                />
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-toggle-switch__fake"
+                />
+              </label>
+            </div>
+          </span>
+          <span
+            class="rcx-box rcx-box--full rcx-field__hint"
+          >
+            Enable Attribute-Based Access Control
+          </span>
+        </div>
+      </div>
+    </div>
+  </div>
+</body>
+`;
+
 exports[`AdminABACSettingToggle should render the setting toggle when setting exists 1`] = `
 <body>
   <div>
@@ -19,7 +87,9 @@ exports[`AdminABACSettingToggle should render the setting toggle when setting ex
               class="rcx-box rcx-box--full rcx-field__label rcx-label"
               for="ABAC_Enabled"
               title="ABAC_Enabled"
-            />
+            >
+              Enable ABAC
+            </label>
             <div
               class="rcx-box rcx-box--full rcx-css-127j9mz"
             >
@@ -42,6 +112,7 @@ exports[`AdminABACSettingToggle should render the setting toggle when setting ex
                 <input
                   checked=""
                   class="rcx-box rcx-box--full rcx-toggle-switch__input"
+                  data-qa-setting-id="ABAC_Enabled"
                   id="ABAC_Enabled"
                   type="checkbox"
                 />
@@ -52,9 +123,43 @@ exports[`AdminABACSettingToggle should render the setting toggle when setting ex
               </label>
             </div>
           </span>
+          <span
+            class="rcx-box rcx-box--full rcx-field__hint"
+          >
+            Enable Attribute-Based Access Control
+          </span>
         </div>
       </div>
     </div>
   </div>
 </body>
 `;
+
+exports[`AdminABACSettingToggle should show skeleton when loading 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field"
+    >
+      <label
+        class="rcx-box rcx-box--full rcx-field__label rcx-label rcx-css-1exa5vl"
+      >
+        <span
+          class="rcx-skeleton rcx-skeleton--text rcx-css-1v1eapn"
+        />
+      </label>
+      <span
+        class="rcx-box rcx-box--full rcx-field__row"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-skeleton__input"
+        >
+          <span
+            class="rcx-skeleton rcx-skeleton--text rcx-css-1qcz93u"
+          />
+        </div>
+      </span>
+    </div>
+  </div>
+</body>
+`;

From 13f704ff6468b02f4b7bc96c2bdde8e8c0be0395 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:13:23 -0300
Subject: [PATCH 04/21] review: useLayoutEffect

---
 .../client/views/admin/ABAC/AdminABACRoute.tsx   | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
index f4116d2cb3185..6e7f5e939ad11 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -1,6 +1,6 @@
 import { usePermission, useSetModal, useCurrentModal, useRouter, useRouteParameter, useSettingStructure } from '@rocket.chat/ui-contexts';
 import type { ReactElement } from 'react';
-import { memo, useEffect } from 'react';
+import { memo, useEffect, useLayoutEffect } from 'react';
 import { useTranslation } from 'react-i18next';
 
 import AdminABACPage from './AdminABACPage';
@@ -25,12 +25,14 @@ const AdminABACRoute = (): ReactElement => {
 	// Check if setting exists in the DB to decide if we show warning or upsell
 	const ABACEnabledSetting = useSettingStructure('ABAC_Enabled');
 
-	if (!tab) {
-		router.navigate({
-			name: 'admin-ABAC',
-			params: { tab: 'settings' },
-		});
-	}
+	useLayoutEffect(() => {
+		if (!tab) {
+			router.navigate({
+				name: 'admin-ABAC',
+				params: { tab: 'settings' },
+			});
+		}
+	}, [tab, router]);
 
 	const { shouldShowUpsell, handleManageSubscription } = useUpsellActions(hasABAC);
 

From d4eef8c6cdd6686501dae462957cb02a1fd2f31b Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:16:21 -0300
Subject: [PATCH 05/21] review: Typos

---
 .../client/views/admin/ABAC/AdminABACSettingToggle.tsx    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
index ebd5c886dfe6b..7d7077e08364c 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettingToggle.tsx
@@ -25,7 +25,7 @@ const AdminABACSettingToggle = ({ hasABAC }: AdminABACSettingToggleProps) => {
 		setValue(setting?.value === true);
 	}, [setting]);
 
-	const onchange = useCallback(
+	const onChange = useCallback(
 		(value: boolean) => {
 			if (!setting) {
 				return;
@@ -52,7 +52,7 @@ const AdminABACSettingToggle = ({ hasABAC }: AdminABACSettingToggleProps) => {
 		[dispatch, setModal, setting],
 	);
 
-	const onreset = useCallback(() => {
+	const onReset = useCallback(() => {
 		if (!setting) {
 			return;
 		}
@@ -87,8 +87,8 @@ const AdminABACSettingToggle = ({ hasABAC }: AdminABACSettingToggleProps) => {
 			hint={t(setting.i18nDescription || '')}
 			disabled={!hasABAC || setting.blocked}
 			hasResetButton={setting.packageValue !== setting.value}
-			onChangeValue={(value: SettingValue) => onchange(value === true)}
-			onResetButtonClick={() => onreset()}
+			onChangeValue={(value: SettingValue) => onChange(value === true)}
+			onResetButtonClick={() => onReset()}
 		/>
 	);
 };

From 79b00e8c50ba6b5a36abf9ed8c8124001c7afce4 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:18:17 -0300
Subject: [PATCH 06/21] review: link rel

---
 apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx     | 2 +-
 apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
index 015b94a1ca1c5..e03716213fe42 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
@@ -30,7 +30,7 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 							{/* TODO: get documentation URL */}
 							<Trans i18nKey='ABAC_automatically_disabled_callout_description'>
 								Renew your license to continue using all
-								<a href='https://rocket.chat/docs/abac' target='_blank'>
+								<a href='https://rocket.chat/docs/abac' rel='noopener noreferrer' target='_blank'>
 									{' '}
 									ABAC capabilities without restriction.
 								</a>
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
index bf48cf2d66ec4..8b6d11430c3d5 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
@@ -16,7 +16,7 @@ const AdminABACSettings = () => {
 						{/* TODO: get documentation URL */}
 						<Trans i18nKey='ABAC_Enabled_callout'>
 							User attributes are synchronized via LDAP
-							<a href='https://rocket.chat' target='_blank'>
+							<a href='https://rocket.chat' rel='noopener noreferrer' target='_blank'>
 								Learn more
 							</a>
 						</Trans>

From a7eb879a826b37c52c77e46a5b1d47cdc1d2eb1c Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:20:58 -0300
Subject: [PATCH 07/21] review: permission

---
 apps/meteor/client/views/admin/sidebarItems.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/meteor/client/views/admin/sidebarItems.ts b/apps/meteor/client/views/admin/sidebarItems.ts
index 6089f7368ee5f..a47081ea24e62 100644
--- a/apps/meteor/client/views/admin/sidebarItems.ts
+++ b/apps/meteor/client/views/admin/sidebarItems.ts
@@ -68,6 +68,7 @@ export const {
 		href: '/admin/ABAC',
 		i18nLabel: 'ABAC',
 		icon: 'team-lock',
+		permissionGranted: (): boolean => hasPermission('manage-cloud'),
 	},
 	{
 		href: '/admin/device-management',

From 38d453782a195232942e1a5632d109e496796e82 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:21:07 -0300
Subject: [PATCH 08/21] review: Trailing space

---
 packages/i18n/src/locales/en.i18n.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/i18n/src/locales/en.i18n.json b/packages/i18n/src/locales/en.i18n.json
index 1cdebc9ae729e..920d0dd53559f 100644
--- a/packages/i18n/src/locales/en.i18n.json
+++ b/packages/i18n/src/locales/en.i18n.json
@@ -18,7 +18,7 @@
   "ABAC_Learn_More": "Learn about ABAC",
   "ABAC_automatically_disabled_callout": "ABAC automatically disabled",
   "ABAC_automatically_disabled_callout_description": "Renew your license to continue using all <1>ABAC capabilities without restriction</1>.",
-  "ABAC_Warning_Modal_Title": "Deactivate ABAC ",
+  "ABAC_Warning_Modal_Title": "Deactivate ABAC",
   "ABAC_Warning_Modal_Confirm_Text": "Deactivate ABAC",
   "ABAC_Warning_Modal_Content": "You will not be able to automatically or manually manage users in existing ABAC-managed rooms. To restore a room's default access control, it must be removed from ABAC management in <1>ABAC > Rooms</1>.",
   "abac-management": "Manage ABAC configuration",

From 2b8713d02390ccb6d19adcf259baaf93e41bf9be Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Mon, 13 Oct 2025 15:34:39 -0300
Subject: [PATCH 09/21] review: remove comment

---
 apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
index 6e7f5e939ad11..1a3e84683ce46 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -7,7 +7,6 @@ import AdminABACPage from './AdminABACPage';
 import ABACUpsellModal from '../../../components/ABAC/ABACUpsellModal/ABACUpsellModal';
 import { useUpsellActions } from '../../../components/GenericUpsellModal/hooks';
 import PageSkeleton from '../../../components/PageSkeleton';
-// import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
 import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
 import SettingsProvider from '../../../providers/SettingsProvider';
 import NotAuthorizedPage from '../../notAuthorized/NotAuthorizedPage';

From c5561392212225fc1053095bfddb2cb248e6fb21 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 14 Oct 2025 14:54:53 -0300
Subject: [PATCH 10/21] chore: use new genericmodal variant

---
 .../client/views/admin/ABAC/AdminABACWarningModal.tsx       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index 107f069e1f8d0..1ab3e62b160f5 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -23,9 +23,9 @@ const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalPro
 	return (
 		<GenericModal
 			title={t('ABAC_Warning_Modal_Title')}
-			icon={null}
-			// TODO: Check if this is the best way to do this
-			confirmText={<Box color={Palette.text['font-danger'].toString()}>{t('ABAC_Warning_Modal_Confirm_Text')}</Box>}
+			// @ts-expect-error - Remove this once https://github.com/RocketChat/Rocket.Chat/pull/37223 is merged and the branch synced
+			variant='danger-secondary'
+			confirmText={t('ABAC_Warning_Modal_Confirm_Text')}
 			cancelText={t('Cancel')}
 			onConfirm={onConfirm}
 			onCancel={onCancel}

From f5e2dac7deffde4ba120f1f40f991e46052b5bab Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 14 Oct 2025 15:53:13 -0300
Subject: [PATCH 11/21] ts

---
 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index 1ab3e62b160f5..2e841802d9200 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -1,4 +1,4 @@
-import { Box, Palette } from '@rocket.chat/fuselage';
+import { Box } from '@rocket.chat/fuselage';
 import { GenericModal } from '@rocket.chat/ui-client';
 import { useRouter } from '@rocket.chat/ui-contexts';
 import { Trans, useTranslation } from 'react-i18next';

From 797c95cae455294c890f574b18abe298b85025f2 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 21 Oct 2025 10:53:31 -0300
Subject: [PATCH 12/21] chore: update modal type

---
 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index 2e841802d9200..b5b1eb65a08d1 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -24,7 +24,7 @@ const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalPro
 		<GenericModal
 			title={t('ABAC_Warning_Modal_Title')}
 			// @ts-expect-error - Remove this once https://github.com/RocketChat/Rocket.Chat/pull/37223 is merged and the branch synced
-			variant='danger-secondary'
+			variant='secondary-danger'
 			confirmText={t('ABAC_Warning_Modal_Confirm_Text')}
 			cancelText={t('Cancel')}
 			onConfirm={onConfirm}

From 93341e478e479521e26b53bc1860da8630e2f107 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 21 Oct 2025 12:54:37 -0300
Subject: [PATCH 13/21] typo

---
 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index b5b1eb65a08d1..2da8ed1c6cd18 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -37,7 +37,7 @@ const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalPro
 				control, it must be removed from ABAC management in
 				<Box is='a' onClick={handleNavigate}>
 					{' '}
-					ABAC {'>'} Rooms'
+					ABAC {'>'} Rooms
 				</Box>
 				.
 			</Trans>

From 1ef3c25034927cc3eae3febda5a24e54c241f2e6 Mon Sep 17 00:00:00 2001
From: Tasso <tasso.evangelista@rocket.chat>
Date: Thu, 23 Oct 2025 10:44:03 -0300
Subject: [PATCH 14/21] Remove tsc error suppression

---
 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index 2da8ed1c6cd18..f44437285770c 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -23,7 +23,6 @@ const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalPro
 	return (
 		<GenericModal
 			title={t('ABAC_Warning_Modal_Title')}
-			// @ts-expect-error - Remove this once https://github.com/RocketChat/Rocket.Chat/pull/37223 is merged and the branch synced
 			variant='secondary-danger'
 			confirmText={t('ABAC_Warning_Modal_Confirm_Text')}
 			cancelText={t('Cancel')}

From ebfd2047411cd518cf92baa7aa5b315e84605dd5 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 28 Oct 2025 09:29:18 -0300
Subject: [PATCH 15/21] review: doc link

---
 apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
index e03716213fe42..d7cd1a2a1df06 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
@@ -15,12 +15,15 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 	const { t } = useTranslation();
 	const tab = useRouteParameter('tab');
 	const learnMore = useExternalLink();
+	// TODO: replace both links with an go.rocket.chat link
+	const documentationUrl = '#';
+	const licenseRenewalUrl = '#';
 
 	return (
 		<Page flexDirection='row'>
 			<Page>
 				<PageHeader title={t('ABAC')}>
-					<Button icon='new-window' secondary onClick={() => learnMore('https://rocket.chat/docs/abac')}>
+					<Button icon='new-window' secondary onClick={() => learnMore(documentationUrl)}>
 						{t('ABAC_Learn_More')}
 					</Button>
 				</PageHeader>
@@ -29,9 +32,8 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 						<Callout type='warning' title={t('ABAC_automatically_disabled_callout')}>
 							{/* TODO: get documentation URL */}
 							<Trans i18nKey='ABAC_automatically_disabled_callout_description'>
-								Renew your license to continue using all
-								<a href='https://rocket.chat/docs/abac' rel='noopener noreferrer' target='_blank'>
-									{' '}
+								Renew your license to continue using all{' '}
+								<a href={licenseRenewalUrl} rel='noopener noreferrer' target='_blank'>
 									ABAC capabilities without restriction.
 								</a>
 							</Trans>

From cd6667c6f522226fd347a232025f1045e01a6324 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 28 Oct 2025 09:38:43 -0300
Subject: [PATCH 16/21] review: dummy permission

---
 apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx | 2 +-
 apps/meteor/client/views/admin/sidebarItems.ts         | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
index 1a3e84683ce46..81256ad43b2c5 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -15,7 +15,7 @@ import EditableSettingsProvider from '../settings/EditableSettingsProvider';
 const AdminABACRoute = (): ReactElement => {
 	const { t } = useTranslation();
 	// TODO: Check what permission is needed to view the ABAC page
-	const canViewABACPage = usePermission('manage-cloud');
+	const canViewABACPage = !usePermission('dummy');
 	const hasABAC = useHasLicenseModule('abac') === true;
 	const isModalOpen = !!useCurrentModal();
 	const tab = useRouteParameter('tab');
diff --git a/apps/meteor/client/views/admin/sidebarItems.ts b/apps/meteor/client/views/admin/sidebarItems.ts
index a47081ea24e62..0ba5d04c2e345 100644
--- a/apps/meteor/client/views/admin/sidebarItems.ts
+++ b/apps/meteor/client/views/admin/sidebarItems.ts
@@ -68,7 +68,8 @@ export const {
 		href: '/admin/ABAC',
 		i18nLabel: 'ABAC',
 		icon: 'team-lock',
-		permissionGranted: (): boolean => hasPermission('manage-cloud'),
+		// TODO: Check what permission is needed to view the ABAC page
+		permissionGranted: (): boolean => !hasPermission('dummy'),
 	},
 	{
 		href: '/admin/device-management',

From 7ca1ee33b08cf4cf62a62a454b81596982623026 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Tue, 28 Oct 2025 15:35:57 -0300
Subject: [PATCH 17/21] review: unmount modal before navigating to a new route

---
 apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
index f44437285770c..a6be0c83dcbcc 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACWarningModal.tsx
@@ -12,6 +12,7 @@ const AdminABACWarningModal = ({ onConfirm, onCancel }: AdminABACWarningModalPro
 	const { t } = useTranslation();
 	const router = useRouter();
 	const handleNavigate = () => {
+		onCancel();
 		router.navigate({
 			name: 'admin-ABAC',
 			params: {

From a9c79e769107bd6107738bbeeb9fc5b1adebe863 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Thu, 30 Oct 2025 16:33:02 -0300
Subject: [PATCH 18/21] restore file

---
 ee/packages/abac/src/index.ts | 50 ++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 13 deletions(-)

diff --git a/ee/packages/abac/src/index.ts b/ee/packages/abac/src/index.ts
index 70c3f2af98c5f..4c1084f68b315 100644
--- a/ee/packages/abac/src/index.ts
+++ b/ee/packages/abac/src/index.ts
@@ -170,9 +170,13 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async setRoomAbacAttributes(rid: string, attributes: Record<string, string[]>): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
-			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
-		});
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default'>>(
+			rid,
+			'p',
+			{
+				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
+			},
+		);
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -268,9 +272,13 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async updateRoomAbacAttributeValues(rid: string, key: string, values: string[]): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
-			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
-		});
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default'>>(
+			rid,
+			'p',
+			{
+				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
+			},
+		);
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -317,7 +325,9 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async removeRoomAbacAttribute(rid: string, key: string): Promise<void> {
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes'>>(rid, 'p', { projection: { abacAttributes: 1 } });
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 'teamDefault' | 'default'>>(rid, 'p', {
+			projection: { abacAttributes: 1, default: 1, teamDefault: 1 },
+		});
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -332,6 +342,12 @@ export class AbacService extends ServiceClass implements IAbacService {
 			return;
 		}
 
+		// if is the last attribute, just remove all
+		if (previous.length === 1) {
+			await Rooms.unsetAbacAttributesById(rid);
+			return;
+		}
+
 		await Rooms.removeAbacAttributeByRoomIdAndKey(rid, key);
 		this.logger.debug({
 			msg: 'Room ABAC attribute removed',
@@ -343,9 +359,13 @@ export class AbacService extends ServiceClass implements IAbacService {
 	async addRoomAbacAttributeByKey(rid: string, key: string, values: string[]): Promise<void> {
 		await this.ensureAttributeDefinitionsExist([{ key, values }]);
 
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
-			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
-		});
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'default' | 'teamDefault'>>(
+			rid,
+			'p',
+			{
+				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
+			},
+		);
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}
@@ -372,9 +392,13 @@ export class AbacService extends ServiceClass implements IAbacService {
 	async replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[]): Promise<void> {
 		await this.ensureAttributeDefinitionsExist([{ key, values }]);
 
-		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain'>>(rid, 'p', {
-			projection: { abacAttributes: 1, t: 1, teamMain: 1 },
-		});
+		const room = await Rooms.findOneByIdAndType<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'default' | 'teamDefault'>>(
+			rid,
+			'p',
+			{
+				projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1 },
+			},
+		);
 		if (!room) {
 			throw new Error('error-room-not-found');
 		}

From cc13efef3d5b22d36e2efd44044658acbfcad1bc Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Fri, 31 Oct 2025 16:56:00 -0300
Subject: [PATCH 19/21] chore: implement permission

---
 apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx | 2 +-
 apps/meteor/client/views/admin/sidebarItems.ts         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
index 81256ad43b2c5..20a1db6239b81 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -15,7 +15,7 @@ import EditableSettingsProvider from '../settings/EditableSettingsProvider';
 const AdminABACRoute = (): ReactElement => {
 	const { t } = useTranslation();
 	// TODO: Check what permission is needed to view the ABAC page
-	const canViewABACPage = !usePermission('dummy');
+	const canViewABACPage = usePermission('abac-management');
 	const hasABAC = useHasLicenseModule('abac') === true;
 	const isModalOpen = !!useCurrentModal();
 	const tab = useRouteParameter('tab');
diff --git a/apps/meteor/client/views/admin/sidebarItems.ts b/apps/meteor/client/views/admin/sidebarItems.ts
index 0ba5d04c2e345..7b907afec75e4 100644
--- a/apps/meteor/client/views/admin/sidebarItems.ts
+++ b/apps/meteor/client/views/admin/sidebarItems.ts
@@ -69,7 +69,7 @@ export const {
 		i18nLabel: 'ABAC',
 		icon: 'team-lock',
 		// TODO: Check what permission is needed to view the ABAC page
-		permissionGranted: (): boolean => !hasPermission('dummy'),
+		permissionGranted: (): boolean => !hasPermission('abac-management'),
 	},
 	{
 		href: '/admin/device-management',

From 9fc8ad1f8bef658d400dfd87a1c1944c0cf094b7 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Wed, 5 Nov 2025 16:04:40 -0300
Subject: [PATCH 20/21] chore: use links module

---
 apps/meteor/client/lib/links.ts                          | 4 ++++
 apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx    | 9 +++------
 .../meteor/client/views/admin/ABAC/AdminABACSettings.tsx | 4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/apps/meteor/client/lib/links.ts b/apps/meteor/client/lib/links.ts
index 4c97d4696fff5..a1e28ddc853d3 100644
--- a/apps/meteor/client/lib/links.ts
+++ b/apps/meteor/client/lib/links.ts
@@ -31,6 +31,10 @@ export const links = {
 		trial: `${GO_ROCKET_CHAT_PREFIX}/i/docs-trial`,
 		versionSupport: `${GO_ROCKET_CHAT_PREFIX}/i/version-support`,
 		updateProduct: `${GO_ROCKET_CHAT_PREFIX}/i/update-product`,
+		// TODO: implement abac links when available
+		abacDocs: `${GO_ROCKET_CHAT_PREFIX}/i/TODO-ABAC-DOCS`,
+		abacLicenseRenewalUrl: `${GO_ROCKET_CHAT_PREFIX}/i/TODO-ABAC-LICENSE-RENEWAL-URL`,
+		abacLDAPDocs: `${GO_ROCKET_CHAT_PREFIX}/i/TODO-ABAC-LDAP-DOCS`,
 	},
 	/** @deprecated use `go.rocket.chat` links */
 	desktopAppDownload: 'https://rocket.chat/download',
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
index d7cd1a2a1df06..d8352181e4df9 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
@@ -6,6 +6,7 @@ import AdminABACSettings from './AdminABACSettings';
 import AdminABACTabs from './AdminABACTabs';
 import { Page, PageContent, PageHeader } from '../../../components/Page';
 import { useExternalLink } from '../../../hooks/useExternalLink';
+import { links } from '../../../lib/links';
 
 type AdminABACPageProps = {
 	shouldShowWarning: boolean;
@@ -15,25 +16,21 @@ const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
 	const { t } = useTranslation();
 	const tab = useRouteParameter('tab');
 	const learnMore = useExternalLink();
-	// TODO: replace both links with an go.rocket.chat link
-	const documentationUrl = '#';
-	const licenseRenewalUrl = '#';
 
 	return (
 		<Page flexDirection='row'>
 			<Page>
 				<PageHeader title={t('ABAC')}>
-					<Button icon='new-window' secondary onClick={() => learnMore(documentationUrl)}>
+					<Button icon='new-window' secondary onClick={() => learnMore(links.go.abacDocs)}>
 						{t('ABAC_Learn_More')}
 					</Button>
 				</PageHeader>
 				{shouldShowWarning && (
 					<Box mi={24} mb={16}>
 						<Callout type='warning' title={t('ABAC_automatically_disabled_callout')}>
-							{/* TODO: get documentation URL */}
 							<Trans i18nKey='ABAC_automatically_disabled_callout_description'>
 								Renew your license to continue using all{' '}
-								<a href={licenseRenewalUrl} rel='noopener noreferrer' target='_blank'>
+								<a href={links.go.abacLicenseRenewalUrl} rel='noopener noreferrer' target='_blank'>
 									ABAC capabilities without restriction.
 								</a>
 							</Trans>
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
index 8b6d11430c3d5..3741720317692 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACSettings.tsx
@@ -3,6 +3,7 @@ import { Trans } from 'react-i18next';
 
 import AdminABACSettingToggle from './AdminABACSettingToggle';
 import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
+import { links } from '../../../lib/links';
 
 const AdminABACSettings = () => {
 	const hasABAC = useHasLicenseModule('abac');
@@ -13,10 +14,9 @@ const AdminABACSettings = () => {
 					<AdminABACSettingToggle hasABAC={hasABAC} />
 
 					<Callout>
-						{/* TODO: get documentation URL */}
 						<Trans i18nKey='ABAC_Enabled_callout'>
 							User attributes are synchronized via LDAP
-							<a href='https://rocket.chat' rel='noopener noreferrer' target='_blank'>
+							<a href={links.go.abacLDAPDocs} rel='noopener noreferrer' target='_blank'>
 								Learn more
 							</a>
 						</Trans>

From a844fe11baee39455dbdae4dcf2c3cbd5dbec107 Mon Sep 17 00:00:00 2001
From: MartinSchoeler <martinschoeler8@gmail.com>
Date: Wed, 5 Nov 2025 16:41:23 -0300
Subject: [PATCH 21/21] fix ts

---
 .../views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx b/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
index 1abda763611f8..c373215c328d3 100644
--- a/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
+++ b/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
@@ -117,7 +117,6 @@ const RoomMembersWithData = ({ rid }: { rid: IRoom['_id'] }): ReactElement => {
 			reload={refetch}
 			onClickInvite={canCreateInviteLinks && canAddUsers ? openInvite : undefined}
 			onClickAdd={canAddUsers ? openAddUser : undefined}
-			// @ts-expect-error to be implemented in ABAC Feature branch
 			isABACRoom={Boolean(room?.abacAttributes)}
 		/>
 	);