Merge pull request #465 from KelvinTegelaar/dev

pull[bot] · web-flow · commit e94aa1ab1504 · 2025-09-24T18:41:24.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1
@@ -12,7 +12,16 @@ function Invoke-ExecCustomRole {
     $AccessRoleGroupTable = Get-CippTable -tablename 'AccessRoleGroups'
     $Action = $Request.Query.Action ?? $Request.Body.Action
 
-    $DefaultRoles = @('readonly', 'editor', 'admin', 'superadmin')
+    $CIPPCore = (Get-Module -Name CIPPCore).ModuleBase
+    $CIPPRoot = (Get-Item -Path $CIPPCore).Parent.Parent.FullName
+
+    $CippRolesJson = Join-Path -Path $CIPPRoot -ChildPath 'Config\cipp-roles.json'
+    if (Test-Path $CippRolesJson) {
+        $DefaultRoles = Get-Content -Path $CippRolesJson | ConvertFrom-Json
+    } else {
+        throw "Could not find $CippRolesJson"
+    }
+
     $BlockedRoles = @('anonymous', 'authenticated')
 
     if ($Request.Body.RoleName -in $BlockedRoles) {
@@ -24,7 +33,7 @@ function Invoke-ExecCustomRole {
             try {
                 $Results = [System.Collections.Generic.List[string]]::new()
                 Write-LogMessage -headers $Request.Headers -API 'ExecCustomRole' -message "Saved custom role $($Request.Body.RoleName)" -Sev 'Info'
-                if ($Request.Body.RoleName -notin $DefaultRoles) {
+                if ($Request.Body.RoleName -notin $DefaultRoles.PSObject.Properties.Name) {
                     $Role = @{
                         'PartitionKey'     = 'CustomRoles'
                         'RowKey'           = "$($Request.Body.RoleName.ToLower())"
@@ -63,7 +72,7 @@ function Invoke-ExecCustomRole {
         }
         'Clone' {
             try {
-                if ($Request.Body.NewRoleName -in $DefaultRoles) {
+                if ($Request.Body.NewRoleName -in $DefaultRoles.PSObject.Properties.Name) {
                     throw "Role name $($Request.Body.NewRoleName) cannot be used"
                 }
                 $ExistingRole = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.RoleName.ToLower())'"
@@ -72,7 +81,7 @@ function Invoke-ExecCustomRole {
                 }
 
                 if ($ExistingRole.RowKey -eq $Request.Body.NewRoleName.ToLower()) {
-                    throw "New role name cannot be the same as the existing role name"
+                    throw 'New role name cannot be the same as the existing role name'
                 }
 
                 $NewRoleTest = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.NewRoleName.ToLower())'"
@@ -127,13 +136,13 @@ function Invoke-ExecCustomRole {
                     try {
                         $Role.Permissions = $Role.Permissions | ConvertFrom-Json
                     } catch {
-                        $Role.Permissions = ''
+                        $Role.Permissions = @()
                     }
                     if ($Role.AllowedTenants) {
                         try {
                             $Role.AllowedTenants = @($Role.AllowedTenants | ConvertFrom-Json)
                         } catch {
-                            $Role.AllowedTenants = ''
+                            $Role.AllowedTenants = @()
                         }
                     } else {
                         $Role | Add-Member -NotePropertyName AllowedTenants -NotePropertyValue @() -Force
@@ -142,7 +151,7 @@ function Invoke-ExecCustomRole {
                         try {
                             $Role.BlockedTenants = @($Role.BlockedTenants | ConvertFrom-Json)
                         } catch {
-                            $Role.BlockedTenants = ''
+                            $Role.BlockedTenants = @()
                         }
                     } else {
                         $Role | Add-Member -NotePropertyName BlockedTenants -NotePropertyValue @() -Force
@@ -151,7 +160,7 @@ function Invoke-ExecCustomRole {
                         try {
                             $Role.BlockedEndpoints = @($Role.BlockedEndpoints | ConvertFrom-Json)
                         } catch {
-                            $Role.BlockedEndpoints = ''
+                            $Role.BlockedEndpoints = @()
                         }
                     } else {
                         $Role | Add-Member -NotePropertyName BlockedEndpoints -NotePropertyValue @() -Force
@@ -164,13 +173,13 @@ function Invoke-ExecCustomRole {
                     }
                     $Role
                 }
-                $DefaultRoles = foreach ($DefaultRole in $DefaultRoles) {
+                $DefaultRoles = foreach ($DefaultRole in $DefaultRoles.PSObject.Properties.Name) {
                     $Role = @{
                         RowKey           = $DefaultRole
-                        Permissions      = ''
+                        Permissions      = $DefaultRoles.$DefaultRole
                         AllowedTenants   = @('AllTenants')
-                        BlockedTenants   = @('')
-                        BlockedEndpoints = @('')
+                        BlockedTenants   = @()
+                        BlockedEndpoints = @()
                     }
                     $EntraRoleGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey
                     if ($EntraRoleGroup) {
