
Commit a40683c

committed
fix: access issues related to undefined roles
cleanup dead code C-002
1 parent 9d8f1a0 commit a40683c

1 file changed

Lines changed: 4 additions & 32 deletions


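--- a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -320,7 +320,6 @@ function Test-CIPPAccess {
 $PermissionsFound = $true
 } catch {
 Write-Information $_.Exception.Message
-continue
 }
 }
 $swRolePerms.Stop()
@@ -477,38 +476,12 @@ function Test-CIPPAccess {
 } else {
 # No permissions found for any roles
 if ($TenantList.IsPresent) {
-return @('AllTenants')
-}
-return $true
-if ($APIAllowed) {
-$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env:TenantID
-# Check tenant level access
-if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
-$TenantAllowed = $true
-} elseif ($TenantFilter -eq 'AllTenants') {
-$TenantAllowed = $false
-} else {
-$Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
-
-if ($Role.AllowedTenants -contains 'AllTenants') {
-$AllowedTenants = $Tenants.customerId
-} else {
-$AllowedTenants = $Role.AllowedTenants
-}
-if ($Tenant) {
-$TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
-if (!$TenantAllowed) { continue }
-break
-} else {
-$TenantAllowed = $true
-break
-}
-}
+return @()
 }
+throw 'Access to this CIPP API endpoint is not allowed, the user does not have the required permission'
 }
 
 if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
-
 if (!$APIAllowed) {
 throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
 }
@@ -519,14 +492,13 @@ function Test-CIPPAccess {
 } else {
 return $true
 }
-
 }
 } else {
 # No permissions found for any roles
 if ($TenantList.IsPresent) {
-return @('AllTenants')
+return @()
 }
-return $true
+throw 'Access to this CIPP API endpoint is not allowed, the user does not have the required permission'
 }
 $swUserBranch.Stop()
 $AccessTimings['UserBranch'] = $swUserBranch.Elapsed.TotalMilliseconds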
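Review bot: `return @()` at new lines 479 and 499 does not hand the caller an empty array, because PowerShell unrolls an empty collection on output and the caller's variable ends up `$null`. The deny-by-default these lines introduce therefore holds only if every consumer of `Test-CIPPAccess -TenantList` treats `$null` as "no tenants"; a caller that reads a null or empty list as "no filter" would still expose every tenant, and those callers are outside this diff, so they need checking. If a real empty array is intended, `return , @()` preserves it. These branches are reached when no permissions were found for any role, so a `Write-Warning` ahead of the return and the two new `throw` lines would make the denials visible for detection; at present the only trace is the exception text written by `Write-Information` in the `catch` at new line 321. The function body starts and ends outside the hunks.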
