diff --git a/api/server/services/GraphApiService.spec.js b/api/server/services/GraphApiService.spec.js
index b859c0ef3f..5c1484d8b5 100644
--- a/api/server/services/GraphApiService.spec.js
+++ b/api/server/services/GraphApiService.spec.js
@@ -52,9 +52,17 @@ describe('GraphApiService', () => {
 await mongoServer.stop();
 });
+ afterEach(() => {
+ // Clean up environment variables
+ delete process.env.OPENID_GRAPH_SCOPES;
+ });
+
 beforeEach(async () => {
 jest.clearAllMocks();
 await mongoose.connection.dropDatabase();
+
+ // Set up environment variable for People.Read scope
+ process.env.OPENID_GRAPH_SCOPES = 'User.Read,People.Read,Group.Read.All';
 // Mock Graph client
 mockGraphClient = {
@@ -341,6 +349,7 @@ describe('GraphApiService', () => {
 // Should call contacts first with user filter
 expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+ expect(mockGraphClient.search).toHaveBeenCalledWith('"john"');
 expect(mockGraphClient.filter).toHaveBeenCalledWith(
 "personType/subclass eq 'OrganizationUser'",
 );
@@ -404,7 +413,9 @@ describe('GraphApiService', () => {
 10,
 );
- // Should call contacts with user filter only
+ // Should call contacts first with user filter
+ expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+ expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
 expect(mockGraphClient.filter).toHaveBeenCalledWith(
 "personType/subclass eq 'OrganizationUser'",
 );
@@ -440,6 +451,7 @@ describe('GraphApiService', () => {
 // Should call contacts first
 expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+ expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
 // Should not call users endpoint since limit was reached
 expect(mockGraphClient.api).not.toHaveBeenCalledWith('/users');
diff --git a/api/server/services/PermissionService.js b/api/server/services/PermissionService.js
index 59cfb4159a..6e3ab160b2 100644
--- a/api/server/services/PermissionService.js
+++ b/api/server/services/PermissionService.js
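Review bot: The new `afterEach` unconditionally deletes `OPENID_GRAPH_SCOPES`, so if the variable was already set in the developer's or CI environment the suite erases it instead of restoring it; capture it once in a `beforeAll` (`savedScopes = process.env.OPENID_GRAPH_SCOPES;`) and restore in `afterEach` (`if (savedScopes === undefined) delete process.env.OPENID_GRAPH_SCOPES; else process.env.OPENID_GRAPH_SCOPES = savedScopes;`). The value is assigned in `beforeEach`, after the module under test has been imported, so these tests only exercise the People.Read gating if the service reads `process.env` at call time rather than at module load — worth a comment on the assignment such as `// the service must read OPENID_GRAPH_SCOPES lazily; a module-level read would not see this`. The `'"john"'`/`'"test"'` assertions in the three later hunks pin that the term is wrapped in double quotes, but none covers a term that itself contains a quote; a case for that would document the escaping the service is expected to apply before the value reaches the Graph `search` call. The `describe` block enclosing these hunks starts and ends outside the diff.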
@@ -85,6 +85,7 @@ const grantPermission = async ({
 role.permBits,
 grantedBy,
 session,
+ role._id,
 );
 } catch (error) {
 logger.error(`[PermissionService.grantPermission] Error: ${error.message}`);
diff --git a/packages/data-schemas/src/methods/aclEntry.ts b/packages/data-schemas/src/methods/aclEntry.ts
index 9d93d0fefc..a5bea90586 100644
--- a/packages/data-schemas/src/methods/aclEntry.ts
+++ b/packages/data-schemas/src/methods/aclEntry.ts
@@ -125,6 +125,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
 * @param permBits - The permission bits to grant
 * @param grantedBy - The ID of the user granting the permission
 * @param session - Optional MongoDB session for transactions
+ * @param roleId - Optional role ID to associate with this permission
 * @returns The created or updated ACL entry
 */
 async function grantPermission(
@@ -135,6 +136,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
 permBits: number,
 grantedBy: string | Types.ObjectId,
 session?: ClientSession,
+ roleId?: string | Types.ObjectId,
 ): Promise {
 const AclEntry = mongoose.models.AclEntry as Model;
 const query: Record = {
@@ -153,6 +155,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
 permBits,
 grantedBy,
 grantedAt: new Date(),
+ ...(roleId && { roleId }),
 },
 };
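Review bot: `role._id` is appended as a new trailing positional argument after the optional `session`, so any caller of `grantPermission` that wants the role recorded must now also pass `session` (even as `undefined`) to keep the positions aligned, and a caller that omits it silently stores no `roleId`; with this many positional parameters an options object, or at minimum a call-site comment such as `// positional: ..., session, roleId — keep in sync with aclEntry.grantPermission`, would make the contract visible. The enclosing `grantPermission` in PermissionService.js starts and ends outside the hunk, so it is not visible whether `role` is guaranteed non-null here; the existing `role.permBits` access above suggests it is, but the `catch` below logs only `error.message`, which would reduce a TypeError on this line to a one-line message without the stack.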
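Review bot: `...(roleId && { roleId })` in the last hunk writes the role reference only when one is supplied, so a later grant on the same entry that omits `roleId` leaves the previously stored value in place while `permBits` and `grantedBy` are overwritten — the entry can then point at a role that no longer describes its bits. If that is intended (the roleId is advisory), say so in the JSDoc added in the `@@ -125` hunk, e.g. `@param roleId - Optional role ID to associate with this permission; when omitted, an existing roleId on the entry is left unchanged`; if not, `$unset` the field when `roleId` is absent. That this object is the update side of an upsert is inferred from the neighbouring `grantedAt: new Date()` and the "created or updated" wording in the docblock; the `grantPermission` body runs past the hunk, so the update call itself is not visible. An empty-string `roleId` is also treated as absent by the truthiness check, which is fine here but is narrower than the `string | Types.ObjectId` parameter type suggests.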