fix: add roleId parameter to grantPermission and update tests for GraphApiService

api/server/services/GraphApiService.spec.js

@@ -52,9 +52,17 @@ describe('GraphApiService', () => {
     await mongoServer.stop();
   });
 
+  afterEach(() => {
+    // Clean up environment variables
+    delete process.env.OPENID_GRAPH_SCOPES;
+  });
+
   beforeEach(async () => {
     jest.clearAllMocks();
     await mongoose.connection.dropDatabase();
+    
+    // Set up environment variable for People.Read scope
+    process.env.OPENID_GRAPH_SCOPES = 'User.Read,People.Read,Group.Read.All';
 
     // Mock Graph client
     mockGraphClient = {
@@ -341,6 +349,7 @@ describe('GraphApiService', () => {
 
       // Should call contacts first with user filter
       expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"john"');
       expect(mockGraphClient.filter).toHaveBeenCalledWith(
         "personType/subclass eq 'OrganizationUser'",
       );
@@ -404,7 +413,9 @@ describe('GraphApiService', () => {
         10,
       );
 
-      // Should call contacts with user filter only
+      // Should call contacts first with user filter
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
       expect(mockGraphClient.filter).toHaveBeenCalledWith(
         "personType/subclass eq 'OrganizationUser'",
       );
@@ -440,6 +451,7 @@ describe('GraphApiService', () => {
 
       // Should call contacts first
       expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
       // Should not call users endpoint since limit was reached
       expect(mockGraphClient.api).not.toHaveBeenCalledWith('/users');
 

api/server/services/PermissionService.js

@@ -85,6 +85,7 @@ const grantPermission = async ({
       role.permBits,
       grantedBy,
       session,
+      role._id,
     );
   } catch (error) {
     logger.error(`[PermissionService.grantPermission] Error: ${error.message}`);

packages/data-schemas/src/methods/aclEntry.ts

@@ -125,6 +125,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
    * @param permBits - The permission bits to grant
    * @param grantedBy - The ID of the user granting the permission
    * @param session - Optional MongoDB session for transactions
+   * @param roleId - Optional role ID to associate with this permission
    * @returns The created or updated ACL entry
    */
   async function grantPermission(
@@ -135,6 +136,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
     permBits: number,
     grantedBy: string | Types.ObjectId,
     session?: ClientSession,
+    roleId?: string | Types.ObjectId,
   ): Promise<IAclEntry | null> {
     const AclEntry = mongoose.models.AclEntry as Model<IAclEntry>;
     const query: Record<string, unknown> = {
@@ -153,6 +155,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
         permBits,
         grantedBy,
         grantedAt: new Date(),
+        ...(roleId && { roleId }),
       },
     };