@@ -320,7 +320,6 @@ function Test-CIPPAccess {
320320 $PermissionsFound = $true
321321 } catch {
322322 Write-Information $_.Exception.Message
323- continue
324323 }
325324 }
326325 $swRolePerms.Stop ()
@@ -477,38 +476,12 @@ function Test-CIPPAccess {
477476 } else {
478477 # No permissions found for any roles
479478 if ($TenantList.IsPresent ) {
480- return @ (' AllTenants' )
481- }
482- return $true
483- if ($APIAllowed ) {
484- $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env: TenantID
485- # Check tenant level access
486- if (($Role.BlockedTenants | Measure-Object ).Count -eq 0 -and $Role.AllowedTenants -contains ' AllTenants' ) {
487- $TenantAllowed = $true
488- } elseif ($TenantFilter -eq ' AllTenants' ) {
489- $TenantAllowed = $false
490- } else {
491- $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
492-
493- if ($Role.AllowedTenants -contains ' AllTenants' ) {
494- $AllowedTenants = $Tenants.customerId
495- } else {
496- $AllowedTenants = $Role.AllowedTenants
497- }
498- if ($Tenant ) {
499- $TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
500- if (! $TenantAllowed ) { continue }
501- break
502- } else {
503- $TenantAllowed = $true
504- break
505- }
506- }
479+ return @ ()
507480 }
481+ throw ' Access to this CIPP API endpoint is not allowed, the user does not have the required permission'
508482 }
509483
510484 if (! $TenantAllowed -and $Functionality -notmatch ' AnyTenant' ) {
511-
512485 if (! $APIAllowed ) {
513486 throw " Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole "
514487 }
@@ -519,14 +492,13 @@ function Test-CIPPAccess {
519492 } else {
520493 return $true
521494 }
522-
523495 }
524496 } else {
525497 # No permissions found for any roles
526498 if ($TenantList.IsPresent ) {
527- return @ (' AllTenants ' )
499+ return @ ()
528500 }
529- return $true
501+ throw ' Access to this CIPP API endpoint is not allowed, the user does not have the required permission '
530502 }
531503 $swUserBranch.Stop ()
532504 $AccessTimings [' UserBranch' ] = $swUserBranch.Elapsed.TotalMilliseconds
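Review bot: The two `return @()` lines added under `if ($TenantList.IsPresent)` (new lines 479 and 499) do not give the caller an empty array, because PowerShell unrolls an empty array on return and the caller receives `$null`. The deny therefore holds only if every `-TenantList` caller reads `$null` or an empty result as "no tenants"; those callers are not visible here, and any that read an empty result as "no filter" would reopen the all-tenant access this commit removes. Consider `return , @()` so the caller still gets an empty array, with a comment such as `# Empty list = no tenant access; callers must not treat it as unfiltered`. The new `throw` in both branches also omits the `$APIRole` detail that the existing denial message at new line 486 includes, which makes denied requests harder to trace in logs (assuming `$APIRole` is populated on this path). Test-CIPPAccess starts and ends outside the visible hunks, so the surrounding flow could not be checked.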