11function Test-CIPPAccess {
22 param (
33 $Request ,
4- [switch ]$TenantList
4+ [switch ]$TenantList ,
5+ [switch ]$GroupList
56 )
67 if ($Request.Params.CIPPEndpoint -eq ' ExecSAMSetup' ) { return $true }
78
@@ -239,7 +240,21 @@ function Test-CIPPAccess {
239240 $ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
240241 }
241242 }
242- return $LimitedTenantList
243+ return @ ($LimitedTenantList | Sort-Object - Unique)
244+ } elseif ($GroupList.IsPresent ) {
245+ Write-Information " Getting allowed groups for roles: $ ( $CustomRoles -join ' , ' ) "
246+ $LimitedGroupList = foreach ($Permission in $PermissionSet ) {
247+ if ((($Permission.AllowedTenants | Measure-Object ).Count -eq 0 -or $Permission.AllowedTenants -contains ' AllTenants' ) -and (($Permission.BlockedTenants | Measure-Object ).Count -eq 0 )) {
248+ @ (' AllGroups' )
249+ } else {
250+ foreach ($AllowedItem in $Permission.AllowedTenants ) {
251+ if ($AllowedItem -is [PSCustomObject ] -and $AllowedItem.type -eq ' Group' ) {
252+ $AllowedItem.value
253+ }
254+ }
255+ }
256+ }
257+ return @ ($LimitedGroupList | Sort-Object - Unique)
243258 }
244259
245260 $TenantAllowed = $false
@@ -256,12 +271,14 @@ function Test-CIPPAccess {
256271 }
257272
258273 if ($APIAllowed ) {
259- $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $Request.Body.tenantId.value ?? $env: TenantID
274+ $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env: TenantID
260275 # Check tenant level access
261276 if (($Role.BlockedTenants | Measure-Object ).Count -eq 0 -and $Role.AllowedTenants -contains ' AllTenants' ) {
262277 $TenantAllowed = $true
263- } elseif ($TenantFilter -eq ' AllTenants' ) {
278+ } elseif ($TenantFilter -eq ' AllTenants' -and $ApiRole -match ' Write$ ' ) {
264279 $TenantAllowed = $false
280+ } elseif ($TenantFilter -eq ' AllTenants' -and $ApiRole -match ' Read$' ) {
281+ $TenantAllowed = $true
265282 } else {
266283 $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
267284
@@ -328,12 +345,11 @@ function Test-CIPPAccess {
328345 }
329346 return $true
330347 if ($APIAllowed ) {
331- $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $env: TenantID
348+ $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request . Query.tenantId ?? $Request .Body.tenantId.value ?? $Request.Body.tenantId ?? $env: TenantID
332349 # Check tenant level access
333350 if (($Role.BlockedTenants | Measure-Object ).Count -eq 0 -and $Role.AllowedTenants -contains ' AllTenants' ) {
334351 $TenantAllowed = $true
335352 } elseif ($TenantFilter -eq ' AllTenants' ) {
336-
337353 $TenantAllowed = $false
338354 } else {
339355 $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
0 commit comments