@tellescope/sdk 1.248.0 → 1.249.1

package/src/tests/api_tests/managed_content_file_access.test.ts

@@ -0,0 +1,214 @@
+require('source-map-support').install();
+
+import * as buffer from 'buffer'
+import { Session, EnduserSession } from "../../sdk"
+import {
+  async_test,
+  log_header,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+const businessId = '60398b1131a295e64f084ff6'
+
+/**
+ * Tests for file_download_URL enduser access via managed content fallback.
+ *
+ * Verifies the backend fallback logic that allows endusers to access files
+ * attached to managed content records they have access to, even when the
+ * file itself does not have enduserId set or publicRead: true.
+ */
+export const managed_content_file_access_tests = async ({ sdk, sdkNonAdmin }: { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("Managed Content File Access Tests")
+
+  const contentRecordIds: string[] = []
+  const assignmentIds: string[] = []
+  const fileIds: string[] = []
+  let testEnduserId: string | undefined
+  let otherEnduserId: string | undefined
+  let enduserSDK: EnduserSession | undefined
+  let otherEnduserSDK: EnduserSession | undefined
+
+  const uploadFile = async (
+    name: string,
+    opts: { enduserId?: string, publicRead?: boolean } = {}
+  ) => {
+    const buff = buffer.Buffer.from(`test file content for ${name}`)
+    const { presignedUpload, file } = await sdk.api.files.prepare_file_upload({
+      name,
+      type: 'text/plain',
+      size: buff.byteLength,
+      ...opts,
+    })
+    await sdk.UPLOAD(presignedUpload as any, buff)
+    await sdk.api.files.confirm_file_upload({ id: file.id })
+    fileIds.push(file.id)
+    return file
+  }
+
+  try {
+    console.log("Setting up test data...")
+
+    const testEnduser = await sdk.api.endusers.createOne({
+      email: `mcr_file_access_test_${Date.now()}@test.tellescope.com`,
+    })
+    testEnduserId = testEnduser.id
+    await sdk.api.endusers.set_password({ id: testEnduser.id, password: 'TestPassword123!' })
+
+    const otherEnduser = await sdk.api.endusers.createOne({
+      email: `mcr_file_access_other_${Date.now()}@test.tellescope.com`,
+    })
+    otherEnduserId = otherEnduser.id
+    await sdk.api.endusers.set_password({ id: otherEnduser.id, password: 'TestPassword123!' })
+
+    enduserSDK = new EnduserSession({ host, businessId })
+    await enduserSDK.authenticate(testEnduser.email!, 'TestPassword123!')
+
+    otherEnduserSDK = new EnduserSession({ host, businessId })
+    await otherEnduserSDK.authenticate(otherEnduser.email!, 'TestPassword123!')
+
+    // ===== Test 1: File attached to assignmentType: 'All' content - enduser CAN access =====
+    const fileForAll = await uploadFile('mcr-file-all.txt')
+    const contentAll = await sdk.api.managed_content_records.createOne({
+      title: 'MCR File Access - All',
+      htmlContent: '<p>All</p>',
+      textContent: 'All',
+      assignmentType: 'All',
+      attachments: [{ secureName: fileForAll.secureName, type: 'file', name: fileForAll.name }],
+    })
+    contentRecordIds.push(contentAll.id)
+
+    await async_test(
+      'staff-uploaded file in assignmentType:All content - enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileForAll.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 2: File attached to Individual content for enduser A - enduser B CANNOT access =====
+    const fileForIndividual = await uploadFile('mcr-file-individual.txt')
+    const contentIndividual = await sdk.api.managed_content_records.createOne({
+      title: 'MCR File Access - Individual',
+      htmlContent: '<p>Individual</p>',
+      textContent: 'Individual',
+      enduserId: testEnduser.id,
+      attachments: [{ secureName: fileForIndividual.secureName, type: 'file', name: fileForIndividual.name }],
+    })
+    contentRecordIds.push(contentIndividual.id)
+
+    await async_test(
+      'file attached to Individual content - assigned enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileForIndividual.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    await async_test(
+      'file attached to Individual content - unassigned enduser CANNOT access',
+      async () => {
+        try {
+          await otherEnduserSDK!.api.files.file_download_URL({ secureName: fileForIndividual.secureName })
+          return false
+        } catch (err) {
+          return true
+        }
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 3: File not attached to any managed content - enduser CANNOT access =====
+    const fileNoContent = await uploadFile('mcr-file-no-content.txt')
+
+    await async_test(
+      'file not attached to any managed content - enduser CANNOT access',
+      async () => {
+        try {
+          await enduserSDK!.api.files.file_download_URL({ secureName: fileNoContent.secureName })
+          return false
+        } catch (err) {
+          return true
+        }
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 4: File with enduserId set - existing behavior preserved =====
+    const fileWithEnduser = await uploadFile('mcr-file-with-enduser.txt', { enduserId: testEnduser.id })
+
+    await async_test(
+      'file with enduserId set - enduser CAN access (no fallback needed)',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileWithEnduser.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 5: File with publicRead: true - existing behavior preserved =====
+    const filePublic = await uploadFile('mcr-file-public.txt', { publicRead: true })
+
+    await async_test(
+      'file with publicRead - enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: filePublic.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    console.log("All Managed Content File Access tests passed!")
+
+  } finally {
+    console.log("Cleaning up test data...")
+
+    try {
+      for (const assignmentId of assignmentIds) {
+        await sdk.api.managed_content_record_assignments.deleteOne(assignmentId).catch(() => {})
+      }
+
+      for (const recordId of contentRecordIds) {
+        await sdk.api.managed_content_records.deleteOne(recordId).catch(() => {})
+      }
+
+      for (const fileId of fileIds) {
+        await sdk.api.files.deleteOne(fileId).catch(() => {})
+      }
+
+      if (testEnduserId) {
+        await sdk.api.endusers.deleteOne(testEnduserId).catch(() => {})
+      }
+      if (otherEnduserId) {
+        await sdk.api.endusers.deleteOne(otherEnduserId).catch(() => {})
+      }
+
+      console.log("Cleanup completed")
+    } catch (error) {
+      console.error('Cleanup error:', error)
+    }
+  }
+}
+
+if (require.main === module) {
+  console.log(`Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await managed_content_file_access_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("Managed content file access test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("Managed content file access test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/organization_settings_duplicates.test.ts

@@ -176,6 +176,20 @@ export const organization_settings_duplicates_tests = async ({ sdk, sdkNonAdmin
       },
     }
   }, { replaceObjectFields: true })
+
+  // === D. subdomain is readonly ===
+  const orgBefore = await sdk.api.organizations.getOne(orgId)
+  await async_test(
+    "subdomain field is readonly — update does not change persisted value",
+    async () => {
+      await sdk.api.organizations.updateOne(orgId, {
+        subdomain: `readonly-attempt-${Date.now()}`,
+      } as any).catch(() => undefined) // tolerate either silent-drop or unknown-field rejection
+      const orgAfter = await sdk.api.organizations.getOne(orgId)
+      return orgAfter.subdomain === orgBefore.subdomain
+    },
+    { onResult: (unchanged: boolean) => unchanged === true }
+  )
 }
 
 // Allow running this test file independently

package/src/tests/tests.ts

@@ -50,7 +50,7 @@ import { appointment_rescheduled_trigger_tests } from "./api_tests/appointment_r
 import { journey_error_branching_tests } from "./api_tests/journey_error_branching.test"
 import { afteraction_day_of_month_delay_tests } from "./api_tests/afteraction_day_of_month_delay.test"
 import { setup_tests } from "./setup"
-import { evaluate_conditional_logic_for_enduser_fields, FORM_LOGIC_CALCULATED_FIELDS, get_care_team_primary, get_flattened_fields, get_next_reminder_timestamp, object_is_empty, replace_enduser_template_values, responses_satisfy_conditions, truncate_string, weighted_round_robin, YYYY_MM_DD_to_MM_DD_YYYY } from "@tellescope/utilities"
+import { evaluate_conditional_logic_for_enduser_fields, FORM_LOGIC_CALCULATED_FIELDS, get_care_team_primary, get_flattened_fields, get_next_reminder_timestamp, object_is_empty, replace_enduser_template_values, replace_form_field_template_values, responses_satisfy_conditions, truncate_string, weighted_round_robin, YYYY_MM_DD_to_MM_DD_YYYY } from "@tellescope/utilities"
 import { DEFAULT_OPERATIONS, PLACEHOLDER_ID, ZENDESK_INTEGRATIONS_TITLE, ZOOM_TITLE } from "@tellescope/constants"
 import { 
   schema, 
@@ -74,16 +74,20 @@ import {
 
 import fs from "fs"
 import { load_inbox_data_tests } from "./api_tests/load_inbox_data.test";
+import { eom_procedure_codes_tests } from "./api_tests/eom_procedure_codes.test";
+import { cross_org_api_key_tests } from "./api_tests/cross_org_api_key.test";
 import { custom_dashboards_tests } from "./api_tests/custom_dashboards.test";
 import { message_assignment_trigger_tests } from "./api_tests/message_assignment_trigger.test";
 import { time_tracks_tests, time_tracks_historical_tests, time_tracks_correction_tests, time_tracks_review_tests, time_tracks_lock_tests, time_tracks_edge_case_tests } from "./api_tests/time_tracks.test";
 import { monthly_availability_restrictions_tests } from "./api_tests/monthly_availability_restrictions.test";
 import { calendar_event_limits_tests } from "./api_tests/calendar_event_limits.test";
 import { custom_aggregation_tests } from "./api_tests/custom_aggregation.test";
+import { chats_analytics_tests } from "./api_tests/chats_analytics.test";
 import { no_access_permission_checks_tests } from "./api_tests/no_access_permission_checks.test";
 import { field_redaction_tests } from "./api_tests/field_redaction.test";
 import { bulk_assignment_tests } from "./api_tests/bulk_assignment.test";
 import { managed_content_enduser_access_tests } from "./api_tests/managed_content_enduser_access.test";
+import { managed_content_file_access_tests } from "./api_tests/managed_content_file_access.test";
 import { auto_merge_form_submission_tests } from "./api_tests/auto_merge_form_submission.test";
 import { database_cascade_delete_tests } from "./api_tests/database_cascade_delete.test";
 import { ai_conversations_tests } from "./api_tests/ai_conversations.test";
@@ -12903,6 +12907,87 @@ const replace_enduser_template_values_tests = async () => {
   await sdk.api.endusers.deleteOne(enduser.id)
 }
 
+const replace_form_field_template_values_tests = async () => {
+  log_header("Replace Form Field Template Values Tests")
+
+  const enduserWithMultilineField = {
+    fname: "Multi",
+    lname: "Line",
+    fields: { Locations: 'NYC\nSF\nLA' },
+  } as Partial<Enduser>
+
+  // With escapeNewlinesAsHTMLBreaks: true — newlines in substituted value become <br />
+  assert(
+    replace_form_field_template_values(
+      '<p>Locations: {{enduser.Locations}}</p>',
+      { enduser: enduserWithMultilineField, escapeNewlinesAsHTMLBreaks: true }
+    ) === '<p>Locations: NYC<br />SF<br />LA</p>',
+    'fail escapeNewlinesAsHTMLBreaks true', 'escapeNewlinesAsHTMLBreaks true'
+  )
+
+  // Default (option absent) — newlines preserved as \n
+  assert(
+    replace_form_field_template_values(
+      '<p>Locations: {{enduser.Locations}}</p>',
+      { enduser: enduserWithMultilineField }
+    ) === '<p>Locations: NYC\nSF\nLA</p>',
+    'fail default newline preserved', 'default newline preserved'
+  )
+
+  // Explicit false — same as default
+  assert(
+    replace_form_field_template_values(
+      '<p>Locations: {{enduser.Locations}}</p>',
+      { enduser: enduserWithMultilineField, escapeNewlinesAsHTMLBreaks: false }
+    ) === '<p>Locations: NYC\nSF\nLA</p>',
+    'fail escapeNewlinesAsHTMLBreaks false', 'escapeNewlinesAsHTMLBreaks false'
+  )
+
+  // \n in original template (not in substituted value) is left alone
+  assert(
+    replace_form_field_template_values(
+      '<p>Header</p>\n<p>{{enduser.fname}}</p>',
+      { enduser: enduserWithMultilineField, escapeNewlinesAsHTMLBreaks: true }
+    ) === '<p>Header</p>\n<p>Multi</p>',
+    'fail template newline untouched', 'template newline untouched'
+  )
+
+  // Single-line value unaffected when option is enabled
+  assert(
+    replace_form_field_template_values(
+      '<p>Hello {{enduser.fname}}</p>',
+      { enduser: enduserWithMultilineField, escapeNewlinesAsHTMLBreaks: true }
+    ) === '<p>Hello Multi</p>',
+    'fail single-line value', 'single-line value'
+  )
+
+  // Substituted value containing literal two-char \n escape sequence is also converted
+  const enduserWithLiteralEscapeField = {
+    fname: "Multi",
+    fields: { Locations: 'NYC\\nSF\\nLA' },
+  } as Partial<Enduser>
+  assert(
+    replace_form_field_template_values(
+      '<p>Locations: {{enduser.Locations}}</p>',
+      { enduser: enduserWithLiteralEscapeField, escapeNewlinesAsHTMLBreaks: true }
+    ) === '<p>Locations: NYC<br />SF<br />LA</p>',
+    'fail literal \\n escape in substituted value', 'literal \\n escape in substituted value'
+  )
+
+  // Substituted value with \r\n is also converted (single break per CRLF, not two)
+  const enduserWithCRLFField = {
+    fname: "Multi",
+    fields: { Locations: 'NYC\r\nSF\r\nLA' },
+  } as Partial<Enduser>
+  assert(
+    replace_form_field_template_values(
+      '<p>Locations: {{enduser.Locations}}</p>',
+      { enduser: enduserWithCRLFField, escapeNewlinesAsHTMLBreaks: true }
+    ) === '<p>Locations: NYC<br />SF<br />LA</p>',
+    'fail CRLF in substituted value', 'CRLF in substituted value'
+  )
+}
+
 const inbox_threads_building_tests = async () => {
   log_header("Inbox Thread Building Tests")
 
@@ -14199,8 +14284,14 @@ const ip_address_form_tests = async () => {
 
     await enduser_conditional_logic_tests()
     await replace_enduser_template_values_tests()
+    await replace_form_field_template_values_tests()
     await mfa_tests()
     await setup_tests(sdk, sdkNonAdmin)
+    await eom_procedure_codes_tests({ sdk, sdkNonAdmin })
+    await cross_org_api_key_tests({ sdk, sdkNonAdmin })
+    await organization_settings_duplicates_tests({ sdk, sdkNonAdmin })
+    await enduser_session_invalidation_tests({ sdk, sdkNonAdmin })
+    await chats_analytics_tests({ sdk, sdkNonAdmin })
     await field_redaction_tests({ sdk, sdkNonAdmin })
     await form_submitted_trigger_tests({ sdk, sdkNonAdmin })
     await date_string_validation_tests({ sdk, sdkNonAdmin })
@@ -14208,7 +14299,6 @@ const ip_address_form_tests = async () => {
     await automation_trigger_tests()
     await integrations_redacted_tests({ sdk, sdkNonAdmin })
     await mdb_sort_tests({ sdk, sdkNonAdmin })
-    await organization_settings_duplicates_tests({ sdk, sdkNonAdmin })
     await search_tests()
     await time_tracks_tests({ sdk, sdkNonAdmin })
     await time_tracks_historical_tests({ sdk, sdkNonAdmin })
@@ -14235,6 +14325,7 @@ const ip_address_form_tests = async () => {
     await beluga_pharmacy_mappings_tests({ sdk, sdkNonAdmin })
     await threadKeyTests()
     await managed_content_enduser_access_tests({ sdk, sdkNonAdmin })
+    await managed_content_file_access_tests({ sdk, sdkNonAdmin })
     await afteraction_day_of_month_delay_tests({ sdk, sdkNonAdmin })
     await bulk_assignment_tests({ sdk, sdkNonAdmin })
     await formsort_tests()
@@ -14247,7 +14338,6 @@ const ip_address_form_tests = async () => {
     await inbox_threads_loading_tests()
     await load_inbox_data_tests({ sdk, sdkNonAdmin })
     await enduser_observations_acknowledge_tests({ sdk, sdkNonAdmin })
-    await enduser_session_invalidation_tests({ sdk, sdkNonAdmin })
     await create_user_notifications_trigger_tests({ sdk })
     await group_mms_active_tests()
     await auto_reply_tests()