code · pull · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/...s/integration/channels/system_console/site_configuration/link_customization_e20_1_spec.js b/...s/integration/channels/system_console/site_configuration/link_customization_e20_1_spec.js
@@ -130,7 +130,7 @@ describe('SupportSettings', () => {
 
     it('MM-T1038 - Customization App download link - Change to different', () => {
         // # Edit links in the support email field
-        const link = 'some_link';
+        const link = 'https://github.com/mattermost/desktop/releases';
         cy.findByTestId('NativeAppSettings.AppDownloadLinkinput').clear().type(link);
 
         // # Save setting then back to team view

diff --git a/server/channels/api4/post.go b/server/channels/api4/post.go
@@ -1046,6 +1046,12 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Users who can't create posts in a channel shouldn't be able to edit them either.
+	userCreatePostPermissionCheckWithContext(c, originalPost.ChannelId)
+	if c.Err != nil {
+		return
+	}
+
 	auditRec.AddEventPriorState(originalPost)
 	auditRec.AddEventObjectType("post")
 
@@ -1183,6 +1189,12 @@ func postPatchChecks(c *Context, auditRec *model.AuditRecord, message *string) b
 		return false
 	}
 
+	// Users who can't create posts in a channel shouldn't be able to edit them either.
+	userCreatePostPermissionCheckWithContext(c, originalPost.ChannelId)
+	if c.Err != nil {
+		return false
+	}
+
 	if *c.App.Config().ServiceSettings.PostEditTimeLimit != -1 && model.GetMillis() > originalPost.CreateAt+int64(*c.App.Config().ServiceSettings.PostEditTimeLimit*1000) && message != nil {
 		c.Err = model.NewAppError("patchPost", "api.post.update_post.permissions_time_limit.app_error", map[string]any{"timeLimit": *c.App.Config().ServiceSettings.PostEditTimeLimit}, "", http.StatusBadRequest)
 		return isMember

diff --git a/server/channels/api4/post_test.go b/server/channels/api4/post_test.go
@@ -1701,6 +1701,29 @@ func TestUpdatePost(t *testing.T) {
 		assert.Contains(t, updatedPost.FileIds, fileId)
 	})
 
+	t.Run("should prevent editing when create_post permission is revoked", func(t *testing.T) {
+		th.LoginBasic(t)
+
+		postToEdit, _, appErr := th.App.CreatePost(th.Context, &model.Post{
+			UserId:    th.BasicUser.Id,
+			ChannelId: channel.Id,
+			Message:   "original message",
+		}, channel, model.CreatePostFlags{SetOnline: true})
+		require.Nil(t, appErr)
+
+		th.RemovePermissionFromRole(t, model.PermissionCreatePost.Id, model.ChannelUserRoleId)
+		defer th.AddPermissionToRole(t, model.PermissionCreatePost.Id, model.ChannelUserRoleId)
+
+		updatePost := &model.Post{
+			Id:        postToEdit.Id,
+			ChannelId: channel.Id,
+			Message:   "edited message",
+		}
+		_, resp, err := client.UpdatePost(context.Background(), postToEdit.Id, updatePost)
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+	})
+
 	t.Run("logged out", func(t *testing.T) {
 		_, err := client.Logout(context.Background())
 		require.NoError(t, err)
@@ -2085,6 +2108,27 @@ func TestPatchPost(t *testing.T) {
 		require.NoError(t, err)
 	})
 
+	t.Run("should prevent patching when create_post permission is revoked", func(t *testing.T) {
+		th.LoginBasic(t)
+
+		postToEdit, _, err := client.CreatePost(context.Background(), &model.Post{
+			ChannelId: channel.Id,
+			Message:   "original message",
+		})
+		require.NoError(t, err)
+
+		defaultPerms := th.SaveDefaultRolePermissions(t)
+		defer th.RestoreDefaultRolePermissions(t, defaultPerms)
+		th.RemovePermissionFromRole(t, model.PermissionCreatePost.Id, model.ChannelUserRoleId)
+
+		patch := &model.PostPatch{
+			Message: model.NewPointer("edited message"),
+		}
+		_, resp, err := client.PatchPost(context.Background(), postToEdit.Id, patch)
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+	})
+
 	t.Run("time limit expired", func(t *testing.T) {
 		th.App.UpdateConfig(func(cfg *model.Config) {
 			*cfg.ServiceSettings.PostEditTimeLimit = 1

diff --git a/server/channels/app/role.go b/server/channels/app/role.go
@@ -7,12 +7,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"reflect"
 	"slices"
 	"strings"
 
 	"github.com/mattermost/mattermost/server/public/model"
+	"github.com/mattermost/mattermost/server/public/shared/mlog"
 	"github.com/mattermost/mattermost/server/public/shared/request"
 
 	"github.com/mattermost/mattermost/server/v8/channels/store"
@@ -276,13 +278,93 @@ func (a *App) CheckRolesExist(roleNames []string) *model.AppError {
 }
 
 func (a *App) sendUpdatedRoleEvent(role *model.Role) *model.AppError {
-	message := model.NewWebSocketEvent(model.WebsocketEventRoleUpdated, "", "", "", nil, "")
 	roleJSON, jsonErr := json.Marshal(role)
 	if jsonErr != nil {
 		return model.NewAppError("sendUpdatedRoleEvent", "api.marshal_error", nil, "", http.StatusInternalServerError).Wrap(jsonErr)
 	}
-	message.Add("role", string(roleJSON))
-	a.Publish(message)
+
+	publishEvent := func(teamID, channelID string) {
+		message := model.NewWebSocketEvent(model.WebsocketEventRoleUpdated, teamID, channelID, "", nil, "")
+		message.Add("role", string(roleJSON))
+		a.Publish(message)
+	}
+
+	// Built-in system roles apply to all users; broadcast globally without a DB lookup.
+	if role.BuiltIn {
+		publishEvent("", "")
+		return nil
+	}
+
+	// Scheme-managed roles: use SchemeId to look up the owning scheme.
+	if role.SchemeId == nil {
+		// No owning scheme — treat as global (e.g. custom non-scheme role).
+		publishEvent("", "")
+		return nil
+	}
+	scheme, err := a.Srv().Store().Scheme().Get(*role.SchemeId)
+	if err != nil {
+		a.Log().Error("Failed to look up scheme for role event; skipping broadcast",
+			mlog.String("role_id", role.Id),
+			mlog.String("scheme_id", *role.SchemeId),
+			mlog.Err(err))
+		return nil
+	}
+
+	const pageSize = 1000
+	const maxBroadcasts = 100000
+	switch scheme.Scope {
+	case model.SchemeScopeTeam:
+		totalBroadcasts := 0
+		offset := 0
+		for {
+			teams, storeErr := a.Srv().Store().Team().GetTeamsByScheme(scheme.Id, offset, pageSize)
+			if storeErr != nil {
+				return model.NewAppError("sendUpdatedRoleEvent", "app.role.send_updated_role_event.app_error", nil, "", http.StatusInternalServerError).Wrap(storeErr)
+			}
+			for _, team := range teams {
+				publishEvent(team.Id, "")
+			}
+			totalBroadcasts += len(teams)
+			if len(teams) < pageSize {
+				break
+			}
+			if totalBroadcasts >= maxBroadcasts {
+				a.Log().Error("sendUpdatedRoleEvent: hit broadcast limit for team scheme",
+					mlog.String("scheme_id", scheme.Id),
+					mlog.Int("totalBroadcasts", totalBroadcasts))
+				break
+			}
+			offset += pageSize
+		}
+	case model.SchemeScopeChannel:
+		totalBroadcasts := 0
+		offset := 0
+		for {
+			channels, storeErr := a.Srv().Store().Channel().GetChannelsByScheme(scheme.Id, offset, pageSize)
+			if storeErr != nil {
+				return model.NewAppError("sendUpdatedRoleEvent", "app.role.send_updated_role_event.app_error", nil, "", http.StatusInternalServerError).Wrap(storeErr)
+			}
+			for _, channel := range channels {
+				publishEvent("", channel.Id)
+			}
+			totalBroadcasts += len(channels)
+			if len(channels) < pageSize {
+				break
+			}
+			if totalBroadcasts >= maxBroadcasts {
+				a.Log().Error("sendUpdatedRoleEvent: hit broadcast limit for channel scheme",
+					mlog.String("scheme_id", scheme.Id),
+					mlog.Int("totalBroadcasts", totalBroadcasts))
+				break
+			}
+			offset += pageSize
+		}
+	case model.SchemeScopePlaybook, model.SchemeScopeRun:
+		// Playbook/run schemes don't map to teams or channels; broadcast globally.
+		publishEvent("", "")
+	default:
+		return model.NewAppError("sendUpdatedRoleEvent", "app.role.send_updated_role_event.unknown_scope", nil, fmt.Sprintf("unknown scheme scope: %s", scheme.Scope), http.StatusInternalServerError)
+	}
 	return nil
 }