code · pull · Aug 21, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -1061,21 +1061,6 @@ For more information on this, and how to apply and follow the GNU AGPL, see
 <http://www.gnu.org/licenses/>.
 
 
----
-
-## @mattermost/compass-components
-
-This product contains '@mattermost/compass-components' by Mattermost.
-
-components aligning to the compass design system
-
-* HOMEPAGE:
-  * https://github.com/mattermost/compass-components#readme
-
-* LICENSE: MIT
-
-
-
 ---
 
 ## @mattermost/compass-icons

diff --git a/api/v4/source/groups.yaml b/api/v4/source/groups.yaml
@@ -1200,3 +1200,40 @@
           $ref: "#/components/responses/BadRequest"
         "501":
           $ref: "#/components/responses/NotImplemented"
+  "/api/v4/groups/names":
+    post:
+      tags:
+        - groups
+      summary: Get groups by name
+      description: |
+        Get a list of groups based on a provided list of names.
+
+        ##### Permissions
+        Requires an active session but no other permissions.
+
+        __Minimum server version__: 11.0
+      operationId: GetGroupsByNames
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: array
+              items:
+                type: string
+        description: List of group names
+        required: true
+      responses:
+        "200":
+          description: Group list retrieval successfully
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/Group"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "501":
+          $ref: "#/components/responses/NotImplemented"
diff --git a/server/channels/api4/access_control.go b/server/channels/api4/access_control.go
@@ -52,9 +52,27 @@ func createAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Reques
 			return
 		}
 	case model.AccessControlPolicyTypeChannel:
-		if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), policy.ID, model.PermissionManageChannelAccessRules) {
-			c.SetPermissionError(model.PermissionManageChannelAccessRules)
-			return
+		// Check if user has system admin permission first
+		hasManageSystemPermission := c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem)
+
+		if !hasManageSystemPermission {
+			// For non-system admins, check channel-specific permission
+			if !model.IsValidId(policy.ID) {
+				c.SetInvalidParam("policy.id")
+				return
+			}
+
+			hasChannelPermission := c.App.HasPermissionToChannel(c.AppContext, c.AppContext.Session().UserId, policy.ID, model.PermissionManageChannelAccessRules)
+			if !hasChannelPermission {
+				c.SetPermissionError(model.PermissionManageChannelAccessRules)
+				return
+			}
+
+			// Now do the full validation (channel exists, is private, etc.)
+			if appErr := c.App.ValidateChannelAccessControlPolicyCreation(c.AppContext, c.AppContext.Session().UserId, &policy); appErr != nil {
+				c.Err = appErr
+				return
+			}
 		}
 	default:
 		c.SetInvalidParam("type")
@@ -83,17 +101,22 @@ func createAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Reques
 }
 
 func getAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Request) {
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
-		c.SetPermissionError(model.PermissionManageSystem)
-		return
-	}
-
 	c.RequirePolicyId()
 	if c.Err != nil {
 		return
 	}
 	policyID := c.Params.PolicyId
 
+	// Check if user has system admin permission OR channel-specific permission
+	hasManageSystemPermission := c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem)
+	if !hasManageSystemPermission {
+		// For non-system admins, validate policy access permission
+		if appErr := c.App.ValidateAccessControlPolicyPermission(c.AppContext, c.AppContext.Session().UserId, policyID); appErr != nil {
+			c.SetPermissionError(model.PermissionManageSystem)
+			return
+		}
+	}
+
 	policy, appErr := c.App.GetAccessControlPolicy(c.AppContext, policyID)
 	if appErr != nil {
 		c.Err = appErr
@@ -112,11 +135,6 @@ func getAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Request)
 }
 
 func deleteAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Request) {
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
-		c.SetPermissionError(model.PermissionManageSystem)
-		return
-	}
-
 	c.RequirePolicyId()
 	if c.Err != nil {
 		return
@@ -127,6 +145,16 @@ func deleteAccessControlPolicy(c *Context, w http.ResponseWriter, r *http.Reques
 	defer c.LogAuditRec(auditRec)
 	model.AddEventParameterToAuditRec(auditRec, "id", policyID)
 
+	// Check if user has system admin permission OR channel-specific permission
+	hasManageSystemPermission := c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem)
+	if !hasManageSystemPermission {
+		// For non-system admins, validate policy access permission
+		if appErr := c.App.ValidateAccessControlPolicyPermission(c.AppContext, c.AppContext.Session().UserId, policyID); appErr != nil {
+			c.SetPermissionError(model.PermissionManageSystem)
+			return
+		}
+	}
+
 	appErr := c.App.DeleteAccessControlPolicy(c.AppContext, policyID)
 	if appErr != nil {
 		c.Err = appErr
@@ -146,7 +174,8 @@ func checkExpression(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+	// Check if user has system admin permission OR any channel admin permission
+	if !(c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) || c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageChannelAccessRules)) {
 		c.SetPermissionError(model.PermissionManageSystem)
 		return
 	}
@@ -175,7 +204,8 @@ func testExpression(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+	// Check if user has system admin permission OR any channel admin permission
+	if !(c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) || c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageChannelAccessRules)) {
 		c.SetPermissionError(model.PermissionManageSystem)
 		return
 	}
@@ -454,7 +484,8 @@ func searchChannelsForAccessControlPolicy(c *Context, w http.ResponseWriter, r *
 }
 
 func getFieldsAutocomplete(c *Context, w http.ResponseWriter, r *http.Request) {
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+	// Check if user has system admin permission OR any channel admin permission
+	if !(c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) || c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageChannelAccessRules)) {
 		c.SetPermissionError(model.PermissionManageSystem)
 		return
 	}
@@ -496,7 +527,8 @@ func getFieldsAutocomplete(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func convertToVisualAST(c *Context, w http.ResponseWriter, r *http.Request) {
-	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+	// Check if user has system admin permission OR any channel admin permission
+	if !(c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) || c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageChannelAccessRules)) {
 		c.SetPermissionError(model.PermissionManageSystem)
 		return
 	}