Merge pull request #278 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 57bff3ca697f · 2025-05-30T06:41:05.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Authentication/Get-CIPPAccessRole.ps1 b/Modules/CIPPCore/Public/Authentication/Get-CIPPAccessRole.ps1
@@ -16,24 +16,34 @@ function Get-CIPPAccessRole {
     Internal
     #>
     [CmdletBinding()]
-    param($Request)
+    param($Request, $Headers)
 
-    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRole'
-    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$($Request.Headers.'x-ms-client-principal-name')'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+    $Headers = $Request.Headers ?? $Headers
 
-    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRoles'
+
+    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json)
     $SwaRoles = $SwaCreds.userRoles
+    $Username = $SwaCreds.userDetails
+
+    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$Username'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+
+    Write-Information "SWA Roles: $($SwaRoles -join ', ')"
+    Write-Information "Cached Roles: $($CachedRoles -join ', ')"
 
     # Combine SWA roles and cached roles into a single deduplicated list
     $AllRoles = [System.Collections.Generic.List[string]]::new()
-    if ($null -ne $SwaRoles) {
-        $AllRoles.AddRange($SwaRoles)
+
+    foreach ($Role in $SwaRoles) {
+        if (-not $AllRoles.Contains($Role)) {
+            $AllRoles.Add($Role)
+        }
     }
-    if ($null -ne $CachedRoles) {
-        $AllRoles.AddRange($CachedRoles)
+    foreach ($Role in $CachedRoles) {
+        if (-not $AllRoles.Contains($Role)) {
+            $AllRoles.Add($Role)
+        }
     }
-
-    # Remove duplicates and ensure we have a clean array
     $CombinedRoles = $AllRoles | Select-Object -Unique
 
     # For debugging
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-EditUser.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-EditUser.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-EditUser {
+function Invoke-EditUser {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -89,7 +89,7 @@ Function Invoke-EditUser {
 
         if ($licenses -or $UserObj.removeLicenses) {
             if ($UserObj.sherwebLicense.value) {
-                $null = Set-SherwebSubscription -TenantFilter $UserObj.tenantFilter -SKU $UserObj.sherwebLicense.value -Add 1
+                $null = Set-SherwebSubscription -Headers $Headers -TenantFilter $UserObj.tenantFilter -SKU $UserObj.sherwebLicense.value -Add 1
                 $null = $Results.Add('Added Sherweb License, scheduling assignment')
                 $taskObject = [PSCustomObject]@{
                     TenantFilter  = $UserObj.tenantFilter
@@ -135,6 +135,8 @@ Function Invoke-EditUser {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -API $ApiName -tenant ($UserObj.tenantFilter) -headers $Headers -message "License assign API failed. $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
         $null = $results.Add( "We've failed to assign the license. $($ErrorMessage.NormalizedError)")
+        Write-Warning "License assign API failed. $($_.Exception.Message)"
+        Write-Information $_.InvocationInfo.PositionMessage
     }
 
     #Add Aliases, removal currently not supported.
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCSPLicense.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCSPLicense.ps1
@@ -21,18 +21,18 @@ Function Invoke-ExecCSPLicense {
 
     try {
         if ($Action -eq 'Add') {
-            $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -add $Request.Body.Add
+            $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -add $Request.Body.Add
         }
 
         if ($Action -eq 'Remove') {
-            $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -remove $Request.Body.Remove
+            $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -remove $Request.Body.Remove
         }
 
         if ($Action -eq 'NewSub') {
-            $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -Quantity $Request.Body.Quantity
+            $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -Quantity $Request.Body.Quantity
         }
         if ($Action -eq 'Cancel') {
-            $null = Remove-SherwebSubscription -tenantFilter $TenantFilter -SubscriptionIds $Request.Body.SubscriptionIds
+            $null = Remove-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SubscriptionIds $Request.Body.SubscriptionIds
         }
         $Result = 'License change executed successfully.'
         $StatusCode = [HttpStatusCode]::OK
diff --git a/Modules/CIPPCore/Public/New-CIPPUserTask.ps1 b/Modules/CIPPCore/Public/New-CIPPUserTask.ps1
@@ -21,7 +21,7 @@ function New-CIPPUserTask {
     try {
         if ($UserObj.licenses.value) {
             if ($UserObj.sherwebLicense.value) {
-                $License = Set-SherwebSubscription -TenantFilter $UserObj.tenantFilter -SKU $UserObj.sherwebLicense.value -Add 1
+                $License = Set-SherwebSubscription -Headers $Headers -TenantFilter $UserObj.tenantFilter -SKU $UserObj.sherwebLicense.value -Add 1
                 $null = $results.Add('Added Sherweb License, scheduling assignment')
                 $taskObject = [PSCustomObject]@{
                     TenantFilter  = $UserObj.tenantFilter
diff --git a/Modules/CippExtensions/Public/Sherweb/Remove-SherwebSubscription.ps1 b/Modules/CippExtensions/Public/Sherweb/Remove-SherwebSubscription.ps1
@@ -4,8 +4,34 @@ function Remove-SherwebSubscription {
         [string]$CustomerId,
         [Parameter(Mandatory = $true)]
         [string[]]$SubscriptionIds,
-        [string]$TenantFilter
+        [string]$TenantFilter,
+        $Headers
     )
+
+    if ($Headers) {
+        # Get extension config and check for AllowedCustomRoles
+        $Table = Get-CIPPTable -TableName Extensionsconfig
+        $ExtensionConfig = (Get-CIPPAzDataTableEntity @Table).config | ConvertFrom-Json
+        $Config = $ExtensionConfig.Sherweb
+
+        $AllowedRoles = $Config.AllowedCustomRoles.value
+        if ($AllowedRoles -and $Headers.'x-ms-client-principal') {
+            $UserRoles = Get-CIPPAccessRole -Headers $Headers
+            $Allowed = $false
+            foreach ($Role in $UserRoles) {
+                if ($AllowedRoles -contains $Role) {
+                    Write-Information "User has allowed CIPP role: $Role"
+                    $Allowed = $true
+                    break
+                }
+            }
+            if (-not $Allowed) {
+                throw 'This user is not allowed to modify Sherweb Licenses.'
+            }
+        }
+    }
+
+
     if ($TenantFilter) {
         $TenantFilter = (Get-Tenants -TenantFilter $TenantFilter).customerId
         $CustomerId = Get-ExtensionMapping -Extension 'Sherweb' | Where-Object { $_.RowKey -eq $TenantFilter } | Select-Object -ExpandProperty IntegrationId
diff --git a/Modules/CippExtensions/Public/Sherweb/Set-SherwebSubscription.ps1 b/Modules/CippExtensions/Public/Sherweb/Set-SherwebSubscription.ps1
@@ -7,8 +7,33 @@ function Set-SherwebSubscription {
         [int]$Quantity,
         [int]$Add,
         [int]$Remove,
-        [string]$TenantFilter
+        [string]$TenantFilter,
+        $Headers
     )
+
+    if ($Headers) {
+        # Get extension config and check for AllowedCustomRoles
+        $Table = Get-CIPPTable -TableName Extensionsconfig
+        $ExtensionConfig = (Get-CIPPAzDataTableEntity @Table).config | ConvertFrom-Json
+        $Config = $ExtensionConfig.Sherweb
+
+        $AllowedRoles = $Config.AllowedCustomRoles.value
+        if ($AllowedRoles -and $Headers.'x-ms-client-principal') {
+            $UserRoles = Get-CIPPAccessRole -Headers $Headers
+            $Allowed = $false
+            foreach ($Role in $UserRoles) {
+                if ($AllowedRoles -contains $Role) {
+                    Write-Information "User has allowed CIPP role: $Role"
+                    $Allowed = $true
+                    break
+                }
+            }
+            if (-not $Allowed) {
+                throw 'This user is not allowed to modify Sherweb subscriptions.'
+            }
+        }
+    }
+
     if ($TenantFilter) {
         $TenantFilter = (Get-Tenants -TenantFilter $TenantFilter).customerId
         $CustomerId = Get-ExtensionMapping -Extension 'Sherweb' | Where-Object { $_.RowKey -eq $TenantFilter } | Select-Object -ExpandProperty IntegrationId

Original file line number	Diff line number	Diff line change
`@@ -21,18 +21,18 @@ Function Invoke-ExecCSPLicense {`
`21`	`21`
`22`	`22`	`try {`
`23`	`23`	`if ($Action -eq 'Add') {`
`24`		`- $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -add $Request.Body.Add`
	`24`	`+ $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -add $Request.Body.Add`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`if ($Action -eq 'Remove') {`
`28`		`- $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -remove $Request.Body.Remove`
	`28`	`+ $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -remove $Request.Body.Remove`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`if ($Action -eq 'NewSub') {`
`32`		`- $null = Set-SherwebSubscription -tenantFilter $TenantFilter -SKU $SKU -Quantity $Request.Body.Quantity`
	`32`	`+ $null = Set-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SKU $SKU -Quantity $Request.Body.Quantity`
`33`	`33`	`}`
`34`	`34`	`if ($Action -eq 'Cancel') {`
`35`		`- $null = Remove-SherwebSubscription -tenantFilter $TenantFilter -SubscriptionIds $Request.Body.SubscriptionIds`
	`35`	`+ $null = Remove-SherwebSubscription -Headers $Headers -tenantFilter $TenantFilter -SubscriptionIds $Request.Body.SubscriptionIds`
`36`	`36`	`}`
`37`	`37`	`$Result = 'License change executed successfully.'`
`38`	`38`	`$StatusCode = [HttpStatusCode]::OK`