fix: Quote chaining in E2EE room not limiting quote depth

[gabriellsh]

Proposed changes (including videos or screenshots)

This issue occurs because we only enforce the quote chaining limit on the server, but the server cannot evaluate the message or its content due to the message being encrypted.

Due to this constraint, the limit can only be applied client-side before the message is sent decrypted, and that is what was done. This also improves UX since previously the quote preview did not evaluate the chain limit, causing a mismatch between what showed in the preview and what was actually experienced once the message was sent*.

• This did not prevent the messages from being sent with exceeding quote depth, but since it was implemented, I'm keeping this fix as a bônus, as it does make the UX more concise, and could be interpreted as part of the same issue.

Caveats:

• as said before there's no way to prevent exceeding the quote chain limit for encrypted messages in the backend, because that would require encryption to be broken, and no longer end-to-end. Due to this it is still possible to send messages through the API that exceed said limit. There's no way around this. UPDATE: Quote attachments are based on message permalinks. We cannot prevent sending deeply nested quotes. Instead, we prune quotes that exceed the depth limit at decryption time.
• Since we currently only apply this limit server-side, messages sent before the limit is decreased still display all quotes as they were when the message was sent (change to the setting does not modify messages retroactively). Due to this, no limit to quotes was applied to the message layout, as to not break expected behavior. This means that encrypted messages sent through the APIs can display quote chains bigger thant the limit (see previous caveat). UPDATE: See caveat update above. Layout modifications were applied solely to e2ee messages.

Update:
Unfortunately the mechanism for sending e2ee messages with quotes was misinterpreted, so some of what was said above is not true. Attachments for e2ee messages are processed at the time of decryption, and there's no control of the depth of quote chaining at the time of sending it. For this reason, for e2ee messages only, the limit was applied during the decryption step, which changes the rendered content when the setting changes.

Some of the caveats

Issue(s)

SUP-782

Steps to test or reproduce

• Navigate to Administration > Message > Quoting.​
• Set "Maximum Number of Chained Quotes" to a specific value (e.g., 2).​
• Create or enter a private room with E2E encryption enabled.​
• Send a message quoting another message, creating nested quotes beyond the set limit.​

Further comments

It's not clear whether the message layout should also respect the limit, but historically it has not, so no attempt was or will made to change the message layout at this point. If this changes at any point, a new PR is warranted.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 7503729

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 36 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/freeswitch	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/stream-hub-service	Patch
@rocket.chat/license	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/instance-status	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

PR Preview Action v1.6.1
🚀 View preview at https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-36143/
Built to branch gh-pages at 2025-06-10 14:49 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.56%. Comparing base (86bb76c) to head (7503729).
Report is 31 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #36143      +/-   ##
===========================================
- Coverage    64.93%   64.56%   -0.38%     
===========================================
  Files         3112     3129      +17     
  Lines        93748    98364    +4616     
  Branches     17812    18689     +877     
===========================================
+ Hits         60878    63508    +2630     
- Misses       30085    32031    +1946     
- Partials      2785     2825      +40     

Flag	Coverage Δ
e2e	57.34% <29.41%> (-1.06%)	⬇️
unit	69.98% <100.00%> (-1.65%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.