Merge pull request KelvinTegelaar#1598 from Zacgoose/contact_perms

Feat: Contact Permissions Management

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecModifyContactPerms.ps1

@@ -0,0 +1,116 @@
+using namespace System.Net
+
+function Invoke-ExecModifyContactPerms {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Exchange.Mailbox.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    $Username = $Request.Body.userID
+    $TenantFilter = $Request.Body.tenantFilter
+    $Permissions = $Request.Body.permissions
+
+    Write-LogMessage -headers $Headers -API $APIName -message "Processing request for user: $Username, tenant: $TenantFilter" -Sev 'Debug'
+
+    if ($null -eq $Username) {
+        Write-LogMessage -headers $Headers -API $APIName -message 'Username is null' -Sev 'Error'
+        $body = [pscustomobject]@{'Results' = @('Username is required') }
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = $Body
+            })
+        return
+    }
+
+    try {
+        $UserId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)" -tenantid $TenantFilter).id
+        Write-LogMessage -headers $Headers -API $APIName -message "Retrieved user ID: $UserId" -Sev 'Debug'
+    } catch {
+        Write-LogMessage -headers $Headers -API $APIName -message "Failed to get user ID: $($_.Exception.Message)" -Sev 'Error'
+        $body = [pscustomobject]@{'Results' = @("Failed to get user ID: $($_.Exception.Message)") }
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::NotFound
+                Body       = $Body
+            })
+        return
+    }
+
+    $Results = [System.Collections.Generic.List[string]]::new()
+    $HasErrors = $false
+
+    # Convert permissions to array format if it's an object with numeric keys
+    if ($Permissions -is [PSCustomObject]) {
+        if ($Permissions.PSObject.Properties.Name -match '^\d+$') {
+            $Permissions = $Permissions.PSObject.Properties.Value
+        } else {
+            $Permissions = @($Permissions)
+        }
+    }
+
+    Write-LogMessage -headers $Headers -API $APIName -message "Processing $($Permissions.Count) permission entries" -Sev 'Debug'
+
+    foreach ($Permission in $Permissions) {
+        Write-LogMessage -headers $Headers -API $APIName -message "Processing permission: $($Permission | ConvertTo-Json)" -Sev 'Debug'
+
+        $PermissionLevel = $Permission.PermissionLevel.value ?? $Permission.PermissionLevel
+        $Modification = $Permission.Modification
+        $CanViewPrivateItems = $Permission.CanViewPrivateItems ?? $false
+        $FolderName = $Permission.FolderName ?? 'Contact'
+        $SendNotificationToUser = $Permission.SendNotificationToUser ?? $false
+
+        Write-LogMessage -headers $Headers -API $APIName -message "Permission Level: $PermissionLevel, Modification: $Modification, CanViewPrivateItems: $CanViewPrivateItems, FolderName: $FolderName" -Sev 'Debug'
+
+        # Handle UserID as array or single value
+        $TargetUsers = @($Permission.UserID | ForEach-Object { $_.value ?? $_ })
+
+        Write-LogMessage -headers $Headers -API $APIName -message "Target Users: $($TargetUsers -join ', ')" -Sev 'Debug'
+
+        foreach ($TargetUser in $TargetUsers) {
+            try {
+                Write-LogMessage -headers $Headers -API $APIName -message "Processing target user: $TargetUser" -Sev 'Debug'
+                $Params = @{
+                    APIName                = $APIName
+                    Headers                = $Headers
+                    RemoveAccess           = if ($Modification -eq 'Remove') { $TargetUser } else { $null }
+                    TenantFilter           = $TenantFilter
+                    UserID                 = $UserId
+                    folderName             = $FolderName
+                    UserToGetPermissions   = $TargetUser
+                    LoggingName            = $TargetUser
+                    Permissions            = $PermissionLevel
+                    SendNotificationToUser = $SendNotificationToUser
+                }
+
+                # Write-Host "Request params: $($Params | ConvertTo-Json)"
+                $Result = Set-CIPPContactPermission @Params
+
+                $null = $Results.Add($Result)
+            } catch {
+                $HasErrors = $true
+                $null = $Results.Add("$($_.Exception.Message)")
+            }
+        }
+    }
+
+    if ($Results.Count -eq 0) {
+        Write-LogMessage -headers $Headers -API $APIName -message 'No results were generated from the operation' -Sev 'Warning'
+        $null = $Results.Add('No results were generated from the operation. Please check the logs for more details.')
+        $HasErrors = $true
+    }
+
+    $Body = [pscustomobject]@{'Results' = @($Results) }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = if ($HasErrors) { [HttpStatusCode]::InternalServerError } else { [HttpStatusCode]::OK }
+            Body       = $Body
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListContactPermissions.ps1

@@ -0,0 +1,41 @@
+using namespace System.Net
+
+Function Invoke-ListContactPermissions {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Exchange.Mailbox.Read
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    $UserID = $Request.Query.UserID
+    $TenantFilter = $Request.Query.tenantFilter
+
+    try {
+        $GetContactParam = @{Identity = $UserID; FolderScope = 'Contacts' }
+        $ContactFolder = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-MailboxFolderStatistics' -anchor $UserID -cmdParams $GetContactParam | Select-Object -First 1 -ExcludeProperty *data.type*
+        $ContactParam = @{Identity = "$($UserID):\$($ContactFolder.name)" }
+        $Mailbox = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-Mailbox' -cmdParams @{Identity = $UserID }
+        $GraphRequest = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-MailboxFolderPermission' -anchor $UserID -cmdParams $ContactParam -UseSystemMailbox $true | Select-Object Identity, User, AccessRights, FolderName, @{ Name = 'MailboxInfo'; Expression = { $Mailbox } }
+
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message "Contact permissions listed for $($TenantFilter)" -sev Debug
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+        $StatusCode = [HttpStatusCode]::Forbidden
+        $GraphRequest = $ErrorMessage
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @($GraphRequest)
+        })
+
+}

Modules/CIPPCore/Public/Set-CIPPContactPermission.ps1

@@ -0,0 +1,64 @@
+function Set-CIPPContactPermission {
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param(
+        $APIName = 'Set Contact Permissions',
+        $Headers,
+        $RemoveAccess,
+        $TenantFilter,
+        $UserID,
+        $FolderName,
+        $UserToGetPermissions,
+        $LoggingName,
+        $Permissions,
+        [bool]$SendNotificationToUser = $false
+    )
+
+    try {
+        # If a pretty logging name is not provided, use the ID instead
+        if ([string]::IsNullOrWhiteSpace($LoggingName) -and $RemoveAccess) {
+            $LoggingName = $RemoveAccess
+        } elseif ([string]::IsNullOrWhiteSpace($LoggingName) -and $UserToGetPermissions) {
+            $LoggingName = $UserToGetPermissions
+        }
+
+        $ContactParam = [PSCustomObject]@{
+            Identity               = "$($UserID):\$FolderName"
+            AccessRights           = @($Permissions)
+            User                   = $UserToGetPermissions
+            SendNotificationToUser = $SendNotificationToUser
+        }
+
+        if ($RemoveAccess) {
+            if ($PSCmdlet.ShouldProcess("$UserID\$FolderName", "Remove permissions for $LoggingName")) {
+                $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Remove-MailboxFolderPermission' -cmdParams @{Identity = "$($UserID):\$FolderName"; User = $RemoveAccess }
+                $Result = "Successfully removed access for $LoggingName from contact folder $($ContactParam.Identity)"
+                Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -sev Info
+            }
+        } else {
+            if ($PSCmdlet.ShouldProcess("$UserID\$FolderName", "Set permissions for $LoggingName to $Permissions")) {
+                try {
+                    $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Set-MailboxFolderPermission' -cmdParams $ContactParam -Anchor $UserID
+                } catch {
+                    $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-MailboxFolderPermission' -cmdParams $ContactParam -Anchor $UserID
+                }
+
+                $Result = "Successfully set permissions on contact folder $($ContactParam.Identity). The user $LoggingName now has $Permissions permissions on this folder."
+
+                if ($SendNotificationToUser) {
+                    $Result += ' A notification has been sent to the user.'
+                }
+
+                Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -sev Info
+            }
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-Warning "Error changing contact permissions $($_.Exception.Message)"
+        Write-Information $_.InvocationInfo.PositionMessage
+        $Result = "Failed to set contact permissions for $LoggingName on $UserID : $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -sev Error -LogData $ErrorMessage
+        throw $Result
+    }
+
+    return $Result
+}