fix: custom role issues

JohnDuprey · JohnDuprey · commit 567f59582684 · 2025-11-13T11:50:43.000-05:00
limit permission list to custom roles that exist
also add cleanup to AccessRoleGroup table when custom role is removed
ticket 32016460905
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1
@@ -31,27 +31,34 @@ function Test-CIPPAccessUserRole {
             $uri = "https://graph.microsoft.com/beta/users/$($User.userDetails)/transitiveMemberOf"
             $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
             if ($Memberships) {
-                Write-Information "Found user roles for $($User.userDetails)"
+                Write-Information "Found group memberships for $($User.userDetails)"
             } else {
-                Write-Information "No user roles found for $($User.userDetails)"
+                Write-Information "No group memberships found for $($User.userDetails)"
             }
         } catch {
             Write-Information "Could not get user roles for $($User.userDetails). $($_.Exception.Message)"
             return $User
         }
 
         $AccessGroupsTable = Get-CippTable -TableName AccessRoleGroups
-        $AccessGroups = Get-CIPPAzDataTableEntity @AccessGroupsTable
+        $AccessGroups = Get-CIPPAzDataTableEntity @AccessGroupsTable -Filter "PartitionKey eq 'AccessRoleGroups'"
+        $CustomRolesTable = Get-CippTable -TableName CustomRoles
+        $CustomRoles = Get-CIPPAzDataTableEntity @CustomRolesTable -Filter "PartitionKey eq 'CustomRoles'"
+        $BaseRoles = @('superadmin', 'admin', 'editor', 'readonly')
 
         $Roles = foreach ($AccessGroup in $AccessGroups) {
-            if ($Memberships.id -contains $AccessGroup.GroupId) {
+            if ($Memberships.id -contains $AccessGroup.GroupId -and ($CustomRoles.RowKey -contains $AccessGroup.RowKey -or $BaseRoles -contains $AccessGroup.RowKey)) {
                 $AccessGroup.RowKey
             }
         }
 
         $Roles = @($Roles) + @($User.userRoles)
 
-        if (($Roles | Measure-Object).Count -gt 0) {
+        if ($Roles) {
+            Write-Information "Roles determined for $($User.userDetails): $($Roles -join ', ')"
+        }
+
+        if (($Roles | Measure-Object).Count -gt 2) {
             $UserRole = [PSCustomObject]@{
                 PartitionKey = 'AccessUser'
                 RowKey       = [string]$User.userDetails
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1
@@ -110,6 +110,10 @@ function Invoke-ExecCustomRole {
             Write-Information "Deleting custom role $($Request.Body.RoleName)"
             $Role = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.RoleName)'" -Property RowKey, PartitionKey
             Remove-AzDataTableEntity -Force @Table -Entity $Role
+            $AccessRoleGroup = Get-CIPPAzDataTableEntity @AccessRoleGroupTable -Filter "PartitionKey eq 'AccessRoleGroups' and RowKey eq '$($Request.Body.RoleName)'"
+            if ($AccessRoleGroup) {
+                Remove-AzDataTableEntity -Force @AccessRoleGroupTable -Entity $AccessRoleGroup
+            }
             $Body = @{Results = 'Custom role deleted' }
             Write-LogMessage -headers $Request.Headers -API 'ExecCustomRole' -message "Deleted custom role $($Request.Body.RoleName)" -Sev 'Info'
         }
