From 68006b4937d2a3fda85da5341ac1f051b895fc29 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Wed, 19 Nov 2025 14:26:31 -0600
Subject: [PATCH 1/5] on setting change hook
---
 apps/meteor/ee/server/configuration/abac.ts | 24 +++++++++++++++++++++
 apps/meteor/ee/server/settings/abac.ts | 4 ++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/apps/meteor/ee/server/configuration/abac.ts b/apps/meteor/ee/server/configuration/abac.ts
index 138746572a4a4..a521b7294f3dc 100644
--- a/apps/meteor/ee/server/configuration/abac.ts
+++ b/apps/meteor/ee/server/configuration/abac.ts
@@ -1,4 +1,26 @@
 import { License } from '@rocket.chat/license';
+import { Users } from '@rocket.chat/models';
+
+import { settings } from '../../../app/settings/server';
+import { LDAPEE } from '../sdk';
+
+function syncAbacAttributes() {
+ // Listen for setting changes
+ // question? does this fire when a setting was disabled on CE and then enabled because of EE upgrade?
+ settings.watch('ABAC_Enabled', async (value) => {
+ console.log('------------------------------------------------------------------------');
+ if (value) {
+ await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
+ }
+ });
+
+ // Initial sync if enabled after license is applied
+ // This should only happen if the ws downgrades and then upgrades again
+ // Checking if needed
+ // if (settings.get('ABAC_Enabled')) {
+ // await LDAPEE.syncAbacAttributes();
+ // }
+}
 
 Meteor.startup(async () => {
 await License.onLicense('abac', async () => {
@@ -9,5 +31,7 @@ Meteor.startup(async () => {
 await createPermissions();
 
 await import('../hooks/abac');
+
+ syncAbacAttributes();
 });
 });
diff --git a/apps/meteor/ee/server/settings/abac.ts b/apps/meteor/ee/server/settings/abac.ts
index 14be029d785d6..54b93912ddb7c 100644
--- a/apps/meteor/ee/server/settings/abac.ts
+++ b/apps/meteor/ee/server/settings/abac.ts
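Review bot: The async callback passed to `settings.watch('ABAC_Enabled', …)` in the first hunk of `configuration/abac.ts` awaits `LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers())` with no error handling. Unless `settings.watch` itself catches rejections (not visible here), a failed LDAP sync would surface only as an unhandled rejection, and nothing would record that users' ABAC attributes were left stale. Those attributes presumably feed access decisions, so the failure should be caught and logged, e.g. `try { await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers()); } catch (err) { /* log the failed sync through the server logger */ }`. The same callback is carried unchanged into the `up` handler in patch 5/5.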
@@ -1,7 +1,7 @@
 import { settingsRegistry } from '../../../app/settings/server';
 
-export function addSettings(): void {
- void settingsRegistry.addGroup('General', async function () {
+export function addSettings(): Promise {
+ return settingsRegistry.addGroup('General', async function () {
 await this.with(
 {
 enterprise: true,
From 5ffe5059ea6a2076e72e7fd47f9d56971abc4245 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 20 Nov 2025 09:09:00 -0600
Subject: [PATCH 2/5] sync
---
 apps/meteor/ee/server/configuration/abac.ts | 9 ---------
 apps/meteor/ee/server/lib/ldap/Manager.ts | 1 +
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/apps/meteor/ee/server/configuration/abac.ts b/apps/meteor/ee/server/configuration/abac.ts
index a521b7294f3dc..9cffa07c2f3a8 100644
--- a/apps/meteor/ee/server/configuration/abac.ts
+++ b/apps/meteor/ee/server/configuration/abac.ts
@@ -6,20 +6,11 @@ import { LDAPEE } from '../sdk';
 
 function syncAbacAttributes() {
 // Listen for setting changes
- // question? does this fire when a setting was disabled on CE and then enabled because of EE upgrade?
 settings.watch('ABAC_Enabled', async (value) => {
- console.log('------------------------------------------------------------------------');
 if (value) {
 await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
 }
 });
-
- // Initial sync if enabled after license is applied
- // This should only happen if the ws downgrades and then upgrades again
- // Checking if needed
- // if (settings.get('ABAC_Enabled')) {
- // await LDAPEE.syncAbacAttributes();
- // }
 }
 
 Meteor.startup(async () => {
diff --git a/apps/meteor/ee/server/lib/ldap/Manager.ts b/apps/meteor/ee/server/lib/ldap/Manager.ts
index b505c71a80cb1..186f527ed6540 100644
--- a/apps/meteor/ee/server/lib/ldap/Manager.ts
+++ b/apps/meteor/ee/server/lib/ldap/Manager.ts
@@ -138,6 +138,7 @@ export class LDAPEEManager extends LDAPManager {
 await ldap.connect();
 
 try {
+ logger.debug({ msg: 'Starting ABAC attributes sync for LDAP users' });
 for await (const user of users) {
 await this.syncUserAbacAttribute(ldap, user);
 }
From d3b63d47cc1830f64611a9016721d0779fdb2626 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 20 Nov 2025 15:00:42 -0600
Subject: [PATCH 3/5] another way
---
 ee/packages/license/src/license.ts | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/ee/packages/license/src/license.ts b/ee/packages/license/src/license.ts
index 677be2bb5112f..75ded34efd721 100644
--- a/ee/packages/license/src/license.ts
+++ b/ee/packages/license/src/license.ts
@@ -286,10 +286,7 @@ export abstract class LicenseManager extends Emitter {
 const disabledModules = getModulesToDisable(validationResult);
 const modulesToEnable = this._license.grantedModules.filter(({ module }) => !disabledModules.includes(module));
 
- const modulesChanged = replaceModules.call(
- this,
- modulesToEnable.map(({ module }) => module),
- );
+ const modulesChanged = replaceModules.call(this, [...modulesToEnable.map(({ module }) => module), 'abac']);
 
 if (shouldLogModules || modulesChanged) {
 logger.log({ msg: 'License validated', modules: modulesToEnable });
From 616a6a5c56d85b16becd20e3864e44495e0d820e Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 20 Nov 2025 15:11:38 -0600
Subject: [PATCH 4/5] oops
---
 ee/packages/license/src/license.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ee/packages/license/src/license.ts b/ee/packages/license/src/license.ts
index 75ded34efd721..677be2bb5112f 100644
--- a/ee/packages/license/src/license.ts
+++ b/ee/packages/license/src/license.ts
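Review bot: In the `license.ts` hunk of patch 3/5, `replaceModules.call(this, [...modulesToEnable.map(({ module }) => module), 'abac'])` appends `'abac'` after the `disabledModules` filter has run, so the ABAC module is always passed on, whether or not the license grants it and even when `getModulesToDisable` returned it. The `logger.log` call below still reports `modules: modulesToEnable`, which does not contain the extra entry, so the forced entitlement would not show in the "License validated" log either. Patch 4/5 restores the original call; 3/5 and 4/5 should be dropped or squashed before merge so that no revision reachable by bisect or cherry-pick carries the hard-coded module. The enclosing method starts and ends outside the hunk.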
@@ -286,7 +286,10 @@ export abstract class LicenseManager extends Emitter {
 const disabledModules = getModulesToDisable(validationResult);
 const modulesToEnable = this._license.grantedModules.filter(({ module }) => !disabledModules.includes(module));
 
- const modulesChanged = replaceModules.call(this, [...modulesToEnable.map(({ module }) => module), 'abac']);
+ const modulesChanged = replaceModules.call(
+ this,
+ modulesToEnable.map(({ module }) => module),
+ );
 
 if (shouldLogModules || modulesChanged) {
 logger.log({ msg: 'License validated', modules: modulesToEnable });
From aaebfd883354b85699311ec349e1daa9b18ec9e6 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 20 Nov 2025 15:12:10 -0600
Subject: [PATCH 5/5] ooops2
---
 apps/meteor/ee/server/configuration/abac.ts | 33 +++++++++++----------
 1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/apps/meteor/ee/server/configuration/abac.ts b/apps/meteor/ee/server/configuration/abac.ts
index 9cffa07c2f3a8..490ed6e3fb064 100644
--- a/apps/meteor/ee/server/configuration/abac.ts
+++ b/apps/meteor/ee/server/configuration/abac.ts
@@ -4,25 +4,26 @@ import { Users } from '@rocket.chat/models';
 import { settings } from '../../../app/settings/server';
 import { LDAPEE } from '../sdk';
 
-function syncAbacAttributes() {
- // Listen for setting changes
- settings.watch('ABAC_Enabled', async (value) => {
- if (value) {
- await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
- }
- });
-}
-
 Meteor.startup(async () => {
- await License.onLicense('abac', async () => {
- const { addSettings } = await import('../settings/abac');
- const { createPermissions } = await import('../lib/abac');
+ let stopWatcher: () => void;
+ License.onToggledFeature('abac', {
+ up: async () => {
+ const { addSettings } = await import('../settings/abac');
+ const { createPermissions } = await import('../lib/abac');
 
- await addSettings();
- await createPermissions();
+ await addSettings();
+ await createPermissions();
 
- await import('../hooks/abac');
+ await import('../hooks/abac');
 
- syncAbacAttributes();
+ stopWatcher = settings.watch('ABAC_Enabled', async (value) => {
+ if (value) {
+ await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
+ }
+ });
+ },
+ down: () => {
+ stopWatcher?.();
+ },
 });
 });
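Review bot: `stopWatcher` is assigned only after `up` has awaited two dynamic imports, `addSettings()`, `createPermissions()` and the hooks import. If `down` runs in that window it finds the variable unset and does nothing, and `up` then registers a watcher that keeps triggering LDAP ABAC syncs after the feature was withdrawn. Whether `License.onToggledFeature` can deliver `down` while `up` is still pending is not visible here, but the `?.` in `down` already concedes the variable may be unset, so the declared type `() => void` is inaccurate too. A second `up` without an intervening `down` would also overwrite, and so leak, the earlier watcher. The sketch below tracks the feature state explicitly, types the variable as possibly undefined and clears it in `down`.

```typescript
let stopWatcher: (() => void) | undefined;
let abacActive = false;
// … unchanged: License.onToggledFeature('abac', { …
	up: async () => {
		abacActive = true;
		// … unchanged: addSettings, createPermissions, hooks import …
		if (!abacActive) {
			return; // feature was withdrawn while setup was still awaiting
		}
		stopWatcher?.(); // drop a watcher left over from an earlier `up`
		// … unchanged: stopWatcher = settings.watch('ABAC_Enabled', …) …
	},
	down: () => {
		abacActive = false;
		// … unchanged: stopWatcher?.() …
		stopWatcher = undefined;
	},
```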