hcengineering · ArtyomSavchenko · Oct 14, 2025 · Aug 19, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/common/config/rush/pnpm-lock.yaml b/common/config/rush/pnpm-lock.yaml
diff --git a/server/account/src/__tests__/utils.test.ts b/server/account/src/__tests__/utils.test.ts
@@ -1686,15 +1686,6 @@ describe('account utils', () => {
       }).not.toThrow()
     })
 
-    test('should not throw for admin', () => {
-      const services = ['service1']
-      const extra = { service: 'service2', admin: 'true' }
-
-      expect(() => {
-        verifyAllowedServices(services, extra)
-      }).not.toThrow()
-    })
-
     test('should throw for unauthorized service', () => {
       const services = ['service1']
       const extra = { service: 'service2' }

diff --git a/server/account/src/operations.ts b/server/account/src/operations.ts
@@ -2068,7 +2068,7 @@ export async function ensurePerson (
 ): Promise<{ uuid: PersonUuid, socialId: PersonId }> {
   const { account, workspace, extra } = decodeTokenVerbose(ctx, token)
   const allowedService = verifyAllowedServices(
-    ['tool', 'workspace', 'schedule', 'mail', 'github', 'hulygram'],
+    ['tool', 'workspace', 'schedule', 'mail', 'github', 'hulygram', 'admin'],
     extra,
     false
   )
@@ -2361,7 +2361,7 @@ export async function releaseSocialId (
     throw new PlatformError(new Status(Severity.ERROR, platform.status.BadRequest, {}))
   }
 
-  const allowedService = verifyAllowedServices(['github', 'tool', 'workspace'], extra, false)
+  const allowedService = verifyAllowedServices(['github', 'tool', 'workspace', 'admin'], extra, false)
 
   if (!allowedService) {
     if (personUuid != null && personUuid !== account) {

diff --git a/server/account/src/serviceOperations.ts b/server/account/src/serviceOperations.ts
@@ -585,10 +585,12 @@ export async function addSocialIdToPerson (
   const { person, type, value, confirmed, displayValue } = params
   const { extra } = decodeTokenVerbose(ctx, token)
 
-  verifyAllowedServices(
-    ['github', 'telegram-bot', 'gmail', 'tool', 'workspace', 'hulygram', 'google-calendar', 'ai-assistant'],
-    extra
-  )
+  if (extra?.admin !== 'true') {
+    verifyAllowedServices(
+      ['github', 'telegram-bot', 'gmail', 'tool', 'workspace', 'hulygram', 'google-calendar', 'ai-assistant'],
+      extra
+    )
+  }
 
   if (person == null || person === '' || !Object.values(SocialIdType).includes(type) || value == null || value === '') {
     throw new PlatformError(new Status(Severity.ERROR, platform.status.BadRequest, {}))

diff --git a/server/account/src/utils.ts b/server/account/src/utils.ts
@@ -1536,7 +1536,7 @@ export async function getWorkspaces (
 }
 
 export function verifyAllowedServices (services: string[], extra: any, shouldThrow = true): boolean {
-  const ok = services.includes(extra?.service) || extra?.admin === 'true'
+  const ok = services.includes(extra?.service)
 
   if (!ok && shouldThrow) {
     throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
@@ -1811,7 +1811,9 @@ export const integrationServices = [
   'gmail',
   'google-calendar',
   'huly-mail',
-  'ai-assistant'
+  'ai-assistant',
+  'tool',
+  'admin'
 ]
 
 export async function findExistingIntegration (

diff --git a/tests/sanity/package.json b/tests/sanity/package.json
@@ -52,6 +52,7 @@
     "@hcengineering/core": "^0.7.7",
     "@hcengineering/client-resources": "^0.7.6",
     "@hcengineering/account": "^0.7.0",
-    "@hcengineering/account-client": "^0.7.5"
+    "@hcengineering/account-client": "^0.7.5",
+    "@hcengineering/server-token": "^0.7.5"
   }
 }
diff --git a/tests/sanity/tests/API/AccountClient.ts b/tests/sanity/tests/API/AccountClient.ts
@@ -1,5 +1,7 @@
 import { getClient as getClientRaw, type AccountClient } from '@hcengineering/account-client'
 import { LocalUrl, PlatformAdmin } from '../utils'
+import { systemAccountUuid } from '@hcengineering/core'
+import { generateToken } from '@hcengineering/server-token'
 
 let adminAccountClient: AccountClient
 
@@ -18,3 +20,8 @@ export async function getAdminAccountClient (): Promise<AccountClient> {
   adminAccountClient = getClientRaw(LocalUrl, loginInfo.token)
   return adminAccountClient
 }
+
+export async function getServiceAccountClient (serviceName: string): Promise<AccountClient> {
+  const token = generateToken(systemAccountUuid, undefined, { service: serviceName }, 'secret')
+  return getClientRaw(LocalUrl, token)
+}
diff --git a/tests/sanity/tests/integrations.spec.ts b/tests/sanity/tests/integrations.spec.ts
@@ -4,11 +4,11 @@ import { Integration, IntegrationSecret } from '@hcengineering/account'
 import { buildSocialIdString, IntegrationKind, SocialIdType } from '@hcengineering/core'
 
 import { PlatformUser } from './utils'
-import { getAdminAccountClient } from './API/AccountClient'
+import { getServiceAccountClient } from './API/AccountClient'
 
 test.describe('integrations in accounts tests', () => {
   test('manage integrations', async () => {
-    const accountClient = await getAdminAccountClient()
+    const accountClient = await getServiceAccountClient('github')
 
     const personUuid = await accountClient.findPersonBySocialKey(
       buildSocialIdString({ type: SocialIdType.EMAIL, value: PlatformUser })

diff --git a/ws-tests/api-tests/src/__tests__/rest.test.ts b/ws-tests/api-tests/src/__tests__/rest.test.ts
@@ -75,7 +75,7 @@ describe('rest-api-server', () => {
     accountClient = getAccountClient(config.ACCOUNTS_URL, apiWorkspace1.token)
     adminAccountClient = getAccountClient(
       config.ACCOUNTS_URL,
-      generateToken(systemAccountUuid, undefined, { admin: 'true' }, 'secret')
+      generateToken(systemAccountUuid, undefined, { service: 'workspace', admin: 'true' }, 'secret')
     )
     const person = await accountClient.getPerson()
     const socialIds: SocialId[] = await accountClient.getSocialIds(true)