Allow searching for users with all roles in a tenant

slavikm · slavikm · commit 93fceb9771cc · 2025-08-20T14:16:19.000-07:00
diff --git a/descope/management/common.py b/descope/management/common.py
@@ -407,9 +407,3 @@ def sort_to_dict(sort: List[Sort]) -> list:
                 }
             )
     return sort_list
-
-
-def map_to_values_object(input_map: dict):
-    if not input_map:
-        return {}
-    return {k: {"values": v} for k, v in input_map.items()}
diff --git a/descope/management/user.py b/descope/management/user.py
@@ -666,7 +666,9 @@ def search_all(
         to_modified_time (int): Optional int, only include users whose last modification/update occurred on or before this time (in Unix epoch milliseconds)
         user_ids (List[str]): Optional list of user IDs to filter by
         tenant_role_ids (dict): Optional mapping of tenant ID to list of role IDs.
+            Dict value is in the form of {"tenant_id": {"values":["role_id1", "role_id2"], "and": True}} if you want to match all roles (AND) or any role (OR).
         tenant_role_names (dict): Optional mapping of tenant ID to list of role names.
+            Dict value is in the form of {"tenant_id": {"values":["role_name1", "role_name2"], "and": True}} if you want to match all roles (AND) or any role (OR).
 
         Return value (dict):
         Return dict in the format
@@ -733,9 +735,9 @@ def search_all(
             body["toModifiedTime"] = to_modified_time
 
         if tenant_role_ids is not None:
-            body["tenantRoleIds"] = map_to_values_object(tenant_role_ids)
+            body["tenantRoleIds"] = tenant_role_ids
         if tenant_role_names is not None:
-            body["tenantRoleNames"] = map_to_values_object(tenant_role_names)
+            body["tenantRoleNames"] = tenant_role_names
 
         response = self._auth.do_post(
             MgmtV1.users_search_path,
@@ -786,7 +788,9 @@ def search_all_test_users(
         from_modified_time (int): Optional int, only include users whose last modification/update occurred on or after this time (in Unix epoch milliseconds)
         to_modified_time (int): Optional int, only include users whose last modification/update occurred on or before this time (in Unix epoch milliseconds)
         tenant_role_ids (dict): Optional mapping of tenant ID to list of role IDs.
+            Dict value is in the form of {"tenant_id": {"values":["role_id1", "role_id2"], "and": True}} if you want to match all roles (AND) or any role (OR).
         tenant_role_names (dict): Optional mapping of tenant ID to list of role names.
+            Dict value is in the form of {"tenant_id": {"values":["role_name1", "role_name2"], "and": True}} if you want to match all roles (AND) or any role (OR).
 
         Return value (dict):
         Return dict in the format
@@ -850,9 +854,9 @@ def search_all_test_users(
             body["toModifiedTime"] = to_modified_time
 
         if tenant_role_ids is not None:
-            body["tenantRoleIds"] = map_to_values_object(tenant_role_ids)
+            body["tenantRoleIds"] = tenant_role_ids
         if tenant_role_names is not None:
-            body["tenantRoleNames"] = map_to_values_object(tenant_role_names)
+            body["tenantRoleNames"] = tenant_role_names
 
         response = self._auth.do_post(
             MgmtV1.test_users_search_path,
diff --git a/tests/management/test_user.py b/tests/management/test_user.py
@@ -323,7 +323,7 @@ def test_invite_batch(self):
             users = resp["users"]
             self.assertEqual(users[0]["id"], "u1")
 
-            expectedUsers = {
+            expected_users = {
                 "users": [
                     {
                         "loginId": "name@mail.com",
@@ -369,7 +369,7 @@ def test_invite_batch(self):
                     "x-descope-project-id": self.dummy_project_id,
                 },
                 params=None,
-                json=expectedUsers,
+                json=expected_users,
                 allow_redirects=False,
                 verify=True,
                 timeout=DEFAULT_TIMEOUT_SECONDS,
@@ -403,8 +403,8 @@ def test_invite_batch(self):
                 send_sms=True,
             )
 
-            del expectedUsers["users"][0]["hashedPassword"]
-            expectedUsers["users"][0]["password"] = "clear"
+            del expected_users["users"][0]["hashedPassword"]
+            expected_users["users"][0]["password"] = "clear"
             mock_post.assert_called_with(
                 f"{common.DEFAULT_BASE_URL}{MgmtV1.user_create_batch_path}",
                 headers={
@@ -413,7 +413,7 @@ def test_invite_batch(self):
                     "x-descope-project-id": self.dummy_project_id,
                 },
                 params=None,
-                json=expectedUsers,
+                json=expected_users,
                 allow_redirects=False,
                 verify=True,
                 timeout=DEFAULT_TIMEOUT_SECONDS,
@@ -426,7 +426,7 @@ def test_invite_batch(self):
                 send_sms=True,
             )
 
-            del expectedUsers["users"][0]["password"]
+            del expected_users["users"][0]["password"]
             mock_post.assert_called_with(
                 f"{common.DEFAULT_BASE_URL}{MgmtV1.user_create_batch_path}",
                 headers={
@@ -435,7 +435,7 @@ def test_invite_batch(self):
                     "x-descope-project-id": self.dummy_project_id,
                 },
                 params=None,
-                json=expectedUsers,
+                json=expected_users,
                 allow_redirects=False,
                 verify=True,
                 timeout=DEFAULT_TIMEOUT_SECONDS,
@@ -1056,8 +1056,8 @@ def test_search_all(self):
             )
             mock_post.return_value = network_resp
             resp = self.client.mgmt.user.search_all(
-                tenant_role_ids={"tenant1": ["roleA", "roleB"]},
-                tenant_role_names={"tenant2": ["admin", "user"]},
+                tenant_role_ids={"tenant1": {"values": ["roleA", "roleB"], "and": True}},
+                tenant_role_names={"tenant2": {"values": ["admin", "user"], "and": False}},
             )
             users = resp["users"]
             self.assertEqual(len(users), 2)
@@ -1078,8 +1078,8 @@ def test_search_all(self):
                     "page": 0,
                     "testUsersOnly": False,
                     "withTestUser": False,
-                    "tenantRoleIds": {"tenant1": {"values": ["roleA", "roleB"]}},
-                    "tenantRoleNames": {"tenant2": {"values": ["admin", "user"]}},
+                    "tenantRoleIds": {"tenant1": {"values": ["roleA", "roleB"], "and": True}},
+                    "tenantRoleNames": {"tenant2": {"values": ["admin", "user"], "and": False}},
                 },
                 allow_redirects=False,
                 verify=True,
@@ -1324,8 +1324,8 @@ def test_search_all_test_users(self):
                     "page": 0,
                     "testUsersOnly": True,
                     "withTestUser": True,
-                    "tenantRoleIds": {"tenant1": {"values": ["roleA", "roleB"]}},
-                    "tenantRoleNames": {"tenant2": {"values": ["admin", "user"]}},
+                    "tenantRoleIds": {"tenant1": {"values": ["roleA", "roleB"], "and": True}},
+                    "tenantRoleNames": {"tenant2": {"values": ["admin", "user"], "and": False}},
                 },
                 allow_redirects=False,
                 verify=True,

Original file line number	Diff line number	Diff line change
`@@ -407,9 +407,3 @@ def sort_to_dict(sort: List[Sort]) -> list:`
`407`	`407`	`}`
`408`	`408`	`)`
`409`	`409`	`return sort_list`
`410`		`-`
`411`		`-`
`412`		`-def map_to_values_object(input_map: dict):`
`413`		`- if not input_map:`
`414`		`- return {}`
`415`		`- return {k: {"values": v} for k, v in input_map.items()}`