npm - @trailmix-cms/cms - Versions diffs - 0.4.3 → 0.7.1 - Mend

@trailmix-cms/cms 0.4.3 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (266) hide show

package/dist/auth.guard.d.ts +5 -13
package/dist/auth.guard.d.ts.map +1 -1
package/dist/auth.guard.js +23 -91
package/dist/auth.guard.js.map +1 -1
package/dist/collections/account.collection.d.ts +5 -3
package/dist/collections/account.collection.d.ts.map +1 -1
package/dist/collections/account.collection.js +15 -8
package/dist/collections/account.collection.js.map +1 -1
package/dist/collections/api-key.collection.d.ts +54 -0
package/dist/collections/api-key.collection.d.ts.map +1 -0
package/dist/collections/api-key.collection.js +142 -0
package/dist/collections/api-key.collection.js.map +1 -0
package/dist/collections/index.d.ts +4 -2
package/dist/collections/index.d.ts.map +1 -1
package/dist/collections/index.js +9 -5
package/dist/collections/index.js.map +1 -1
package/dist/collections/organization.collection.d.ts +20 -0
package/dist/collections/organization.collection.d.ts.map +1 -0
package/dist/collections/{file.collection.js → organization.collection.js} +17 -17
package/dist/collections/organization.collection.js.map +1 -0
package/dist/collections/role.collection.d.ts +32 -0
package/dist/collections/role.collection.d.ts.map +1 -0
package/dist/collections/role.collection.js +90 -0
package/dist/collections/role.collection.js.map +1 -0
package/dist/collections/security-audit.collection.d.ts +30 -0
package/dist/collections/security-audit.collection.d.ts.map +1 -0
package/dist/collections/security-audit.collection.js +79 -0
package/dist/collections/security-audit.collection.js.map +1 -0
package/dist/constants/cms-collection-names.d.ts +4 -2
package/dist/constants/cms-collection-names.d.ts.map +1 -1
package/dist/constants/cms-collection-names.js +4 -2
package/dist/constants/cms-collection-names.js.map +1 -1
package/dist/constants/provider-symbols.d.ts +10 -12
package/dist/constants/provider-symbols.d.ts.map +1 -1
package/dist/constants/provider-symbols.js +10 -12
package/dist/constants/provider-symbols.js.map +1 -1
package/dist/controllers/account.controller.d.ts +11 -15
package/dist/controllers/account.controller.d.ts.map +1 -1
package/dist/controllers/account.controller.js +69 -13
package/dist/controllers/account.controller.js.map +1 -1
package/dist/controllers/api-keys.controller.d.ts +13 -0
package/dist/controllers/api-keys.controller.d.ts.map +1 -0
package/dist/controllers/api-keys.controller.js +125 -0
package/dist/controllers/api-keys.controller.js.map +1 -0
package/dist/controllers/audit.controller.d.ts.map +1 -1
package/dist/controllers/audit.controller.js +3 -3
package/dist/controllers/audit.controller.js.map +1 -1
package/dist/controllers/audits.controller.d.ts +10 -0
package/dist/controllers/audits.controller.d.ts.map +1 -0
package/dist/controllers/audits.controller.js +107 -0
package/dist/controllers/audits.controller.js.map +1 -0
package/dist/controllers/global-roles.controller.d.ts +16 -0
package/dist/controllers/global-roles.controller.d.ts.map +1 -0
package/dist/controllers/global-roles.controller.js +137 -0
package/dist/controllers/global-roles.controller.js.map +1 -0
package/dist/controllers/index.d.ts +6 -1
package/dist/controllers/index.d.ts.map +1 -1
package/dist/controllers/index.js +6 -1
package/dist/controllers/index.js.map +1 -1
package/dist/controllers/organization-roles.controller.d.ts +16 -0
package/dist/controllers/organization-roles.controller.d.ts.map +1 -0
package/dist/controllers/organization-roles.controller.js +145 -0
package/dist/controllers/organization-roles.controller.js.map +1 -0
package/dist/controllers/organizations.controller.d.ts +65 -0
package/dist/controllers/organizations.controller.d.ts.map +1 -0
package/dist/controllers/organizations.controller.js +140 -0
package/dist/controllers/organizations.controller.js.map +1 -0
package/dist/controllers/security-audits.controller.d.ts +11 -0
package/dist/controllers/security-audits.controller.d.ts.map +1 -0
package/dist/controllers/security-audits.controller.js +130 -0
package/dist/controllers/security-audits.controller.js.map +1 -0
package/dist/decorators/account.decorator.d.ts +1 -3
package/dist/decorators/account.decorator.d.ts.map +1 -1
package/dist/decorators/account.decorator.js +3 -10
package/dist/decorators/account.decorator.js.map +1 -1
package/dist/decorators/audit-context.decorator.d.ts +6 -0
package/dist/decorators/audit-context.decorator.d.ts.map +1 -1
package/dist/decorators/audit-context.decorator.js +12 -3
package/dist/decorators/audit-context.decorator.js.map +1 -1
package/dist/decorators/auth.decorator.d.ts +5 -3
package/dist/decorators/auth.decorator.d.ts.map +1 -1
package/dist/decorators/auth.decorator.js +38 -3
package/dist/decorators/auth.decorator.js.map +1 -1
package/dist/decorators/index.d.ts +4 -0
package/dist/decorators/index.d.ts.map +1 -0
package/dist/decorators/index.js +20 -0
package/dist/decorators/index.js.map +1 -0
package/dist/dto/account.dto.d.ts +33 -0
package/dist/dto/account.dto.d.ts.map +1 -0
package/dist/dto/account.dto.js +14 -0
package/dist/dto/account.dto.js.map +1 -0
package/dist/dto/api-key.dto.d.ts +89 -0
package/dist/dto/api-key.dto.d.ts.map +1 -0
package/dist/dto/api-key.dto.js +27 -0
package/dist/dto/api-key.dto.js.map +1 -0
package/dist/dto/audit.dto.d.ts +11 -5
package/dist/dto/audit.dto.d.ts.map +1 -1
package/dist/dto/audit.dto.js +1 -1
package/dist/dto/audit.dto.js.map +1 -1
package/dist/dto/global-role.dto.d.ts +99 -0
package/dist/dto/global-role.dto.d.ts.map +1 -0
package/dist/dto/global-role.dto.js +26 -0
package/dist/dto/global-role.dto.js.map +1 -0
package/dist/dto/organization-role.dto.d.ts +107 -0
package/dist/dto/organization-role.dto.d.ts.map +1 -0
package/dist/dto/organization-role.dto.js +26 -0
package/dist/dto/organization-role.dto.js.map +1 -0
package/dist/dto/organization.dto.d.ts +57 -0
package/dist/dto/organization.dto.d.ts.map +1 -0
package/dist/dto/organization.dto.js +32 -0
package/dist/dto/organization.dto.js.map +1 -0
package/dist/dto/security-audit.dto.d.ts +95 -0
package/dist/dto/security-audit.dto.d.ts.map +1 -0
package/dist/dto/security-audit.dto.js +26 -0
package/dist/dto/security-audit.dto.js.map +1 -0
package/dist/index.d.ts +7 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -3
package/dist/index.js.map +1 -1
package/dist/managers/global-role.manager.d.ts +42 -0
package/dist/managers/global-role.manager.d.ts.map +1 -0
package/dist/managers/global-role.manager.js +117 -0
package/dist/managers/global-role.manager.js.map +1 -0
package/dist/managers/index.d.ts +4 -0
package/dist/managers/index.d.ts.map +1 -0
package/dist/managers/index.js +20 -0
package/dist/managers/index.js.map +1 -0
package/dist/managers/organization-role.manager.d.ts +47 -0
package/dist/managers/organization-role.manager.d.ts.map +1 -0
package/dist/managers/organization-role.manager.js +218 -0
package/dist/managers/organization-role.manager.js.map +1 -0
package/dist/managers/organization.manager.d.ts +39 -0
package/dist/managers/organization.manager.d.ts.map +1 -0
package/dist/managers/organization.manager.js +196 -0
package/dist/managers/organization.manager.js.map +1 -0
package/dist/module.d.ts +92 -0
package/dist/module.d.ts.map +1 -0
package/dist/module.js +137 -0
package/dist/module.js.map +1 -0
package/dist/pipes/api-key.pipe.d.ts +8 -0
package/dist/pipes/api-key.pipe.d.ts.map +1 -0
package/dist/pipes/api-key.pipe.js +28 -0
package/dist/pipes/api-key.pipe.js.map +1 -0
package/dist/pipes/organization.pipe.d.ts +8 -0
package/dist/pipes/organization.pipe.d.ts.map +1 -0
package/dist/pipes/organization.pipe.js +28 -0
package/dist/pipes/organization.pipe.js.map +1 -0
package/dist/pipes/role.pipe.d.ts +8 -0
package/dist/pipes/{file.pipe.d.ts.map → role.pipe.d.ts.map} +1 -1
package/dist/pipes/{file.pipe.js → role.pipe.js} +8 -8
package/dist/pipes/{file.pipe.js.map → role.pipe.js.map} +1 -1
package/dist/services/account.service.d.ts +0 -2
package/dist/services/account.service.d.ts.map +1 -1
package/dist/services/account.service.js +1 -37
package/dist/services/account.service.js.map +1 -1
package/dist/services/api-key.service.d.ts +42 -0
package/dist/services/api-key.service.d.ts.map +1 -0
package/dist/services/api-key.service.js +306 -0
package/dist/services/api-key.service.js.map +1 -0
package/dist/services/auth.service.d.ts +40 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +227 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/authorization.service.d.ts +44 -9
package/dist/services/authorization.service.d.ts.map +1 -1
package/dist/services/authorization.service.js +107 -41
package/dist/services/authorization.service.js.map +1 -1
package/dist/services/feature.service.d.ts +23 -0
package/dist/services/feature.service.d.ts.map +1 -0
package/dist/services/feature.service.js +49 -0
package/dist/services/feature.service.js.map +1 -0
package/dist/services/global-role.service.d.ts +17 -0
package/dist/services/global-role.service.d.ts.map +1 -0
package/dist/services/global-role.service.js +99 -0
package/dist/services/global-role.service.js.map +1 -0
package/dist/services/index.d.ts +9 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +25 -0
package/dist/services/index.js.map +1 -0
package/dist/services/organization-role.service.d.ts +33 -0
package/dist/services/organization-role.service.d.ts.map +1 -0
package/dist/services/organization-role.service.js +102 -0
package/dist/services/organization-role.service.js.map +1 -0
package/dist/services/organization.service.d.ts +29 -0
package/dist/services/organization.service.d.ts.map +1 -0
package/dist/services/organization.service.js +95 -0
package/dist/services/organization.service.js.map +1 -0
package/dist/types/feature-config.d.ts +9 -0
package/dist/types/feature-config.d.ts.map +1 -0
package/dist/types/feature-config.js +3 -0
package/dist/types/feature-config.js.map +1 -0
package/dist/types/hooks/auth-guard-hook.d.ts.map +1 -0
package/dist/types/hooks/auth-guard-hook.js.map +1 -0
package/dist/types/hooks/index.d.ts +3 -0
package/dist/types/hooks/index.d.ts.map +1 -0
package/dist/types/hooks/index.js +19 -0
package/dist/types/hooks/index.js.map +1 -0
package/dist/types/hooks/organization-delete-hook.d.ts +20 -0
package/dist/types/hooks/organization-delete-hook.d.ts.map +1 -0
package/dist/types/hooks/organization-delete-hook.js +3 -0
package/dist/types/hooks/organization-delete-hook.js.map +1 -0
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +21 -0
package/dist/types/index.js.map +1 -0
package/dist/types/request-principal.d.ts +9 -0
package/dist/types/request-principal.d.ts.map +1 -0
package/dist/types/request-principal.js +3 -0
package/dist/types/request-principal.js.map +1 -0
package/dist/utils/provider-helpers.d.ts +6 -1
package/dist/utils/provider-helpers.d.ts.map +1 -1
package/dist/utils/provider-helpers.js +11 -1
package/dist/utils/provider-helpers.js.map +1 -1
package/package.json +59 -17
package/test/unit/collections/api-key.collection.spec.ts +416 -0
package/test/unit/managers/global-role.manager.spec.ts +269 -0
package/test/unit/managers/organization-role.manager.spec.ts +632 -0
package/test/unit/managers/organization.manager.spec.ts +395 -0
package/test/unit/module.spec.ts +596 -0
package/test/unit/services/account.service.spec.ts +90 -0
package/test/unit/services/api-key.service.spec.ts +1244 -0
package/test/unit/services/auth.service.spec.ts +790 -0
package/test/unit/services/authorization.service.spec.ts +636 -0
package/test/unit/services/feature.service.spec.ts +56 -0
package/test/unit/services/global-role.service.spec.ts +289 -0
package/test/unit/services/organization-role.service.spec.ts +300 -0
package/test/unit/services/organization.service.spec.ts +385 -0
package/test/utils/auth-guard.ts +114 -0
package/test/utils/base.ts +16 -0
package/test/utils/entities/account.ts +13 -0
package/test/utils/entities/api-key.ts +15 -0
package/test/utils/entities/audit.ts +18 -0
package/test/utils/entities/index.ts +6 -0
package/test/utils/entities/mapping.ts +20 -0
package/test/utils/entities/organization.ts +13 -0
package/test/utils/entities/role.ts +21 -0
package/test/utils/entities/security-audit.ts +16 -0
package/test/utils/index.ts +4 -0
package/test/utils/models/audit-context.ts +10 -0
package/test/utils/models/authorization.ts +7 -0
package/test/utils/models/global-role.ts +22 -0
package/test/utils/models/index.ts +5 -0
package/test/utils/models/organization-role.ts +23 -0
package/test/utils/models/publishable.ts +7 -0
package/tsconfig.build.json +36 -0
package/tsconfig.build.tsbuildinfo +1 -0
package/dist/auth-guard-hook.d.ts.map +0 -1
package/dist/auth-guard-hook.js.map +0 -1
package/dist/cms.module.d.ts +0 -8
package/dist/cms.module.d.ts.map +0 -1
package/dist/cms.module.js +0 -44
package/dist/cms.module.js.map +0 -1
package/dist/cms.providers.d.ts +0 -120
package/dist/cms.providers.d.ts.map +0 -1
package/dist/cms.providers.js +0 -126
package/dist/cms.providers.js.map +0 -1
package/dist/collections/file.collection.d.ts +0 -21
package/dist/collections/file.collection.d.ts.map +0 -1
package/dist/collections/file.collection.js.map +0 -1
package/dist/collections/text.collection.d.ts +0 -20
package/dist/collections/text.collection.d.ts.map +0 -1
package/dist/collections/text.collection.js +0 -56
package/dist/collections/text.collection.js.map +0 -1
package/dist/pipes/file.pipe.d.ts +0 -8
/package/dist/{auth-guard-hook.d.ts → types/hooks/auth-guard-hook.d.ts} +0 -0
/package/dist/{auth-guard-hook.js → types/hooks/auth-guard-hook.js} +0 -0

package/test/unit/managers/organization-role.manager.spec.ts ADDED Viewed

@@ -0,0 +1,632 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { BadRequestException, ForbiddenException, NotFoundException, Logger } from '@nestjs/common';
+import { ObjectId } from 'mongodb';
+import * as trailmixModels from '@trailmix-cms/models';
+import * as TestUtils from '../../utils';
+import { OrganizationRoleManager } from '@/managers';
+import { OrganizationRoleService, AuthorizationService } from '@/services';
+import { OrganizationCollection, SecurityAuditCollection } from '@/collections';
+import { RequestPrincipal } from '@/types';
+import { createAuditContextForPrincipal } from '@/decorators/audit-context.decorator';
+describe('OrganizationRoleManager', () => {
+    let manager: OrganizationRoleManager;
+    let organizationRoleService: jest.Mocked<OrganizationRoleService>;
+    let authorizationService: jest.Mocked<AuthorizationService>;
+    let organizationCollection: jest.Mocked<OrganizationCollection>;
+    let securityAuditCollection: jest.Mocked<SecurityAuditCollection>;
+    const accountEntity = TestUtils.Entities.createAccount();
+    const accountPrincipal: RequestPrincipal = {
+        principal_type: trailmixModels.Principal.Account,
+        entity: accountEntity,
+    };
+    const auditContext = createAuditContextForPrincipal(accountPrincipal);
+    const organizationId = new ObjectId();
+    beforeEach(async () => {
+        // Mock Logger methods to prevent console output during tests
+        jest.spyOn(Logger.prototype, 'log').mockImplementation();
+        jest.spyOn(Logger.prototype, 'error').mockImplementation();
+        jest.spyOn(Logger.prototype, 'warn').mockImplementation();
+        jest.spyOn(Logger.prototype, 'debug').mockImplementation();
+        jest.spyOn(Logger.prototype, 'verbose').mockImplementation();
+        const mockOrganizationRoleService = {
+            insertOne: jest.fn(),
+            find: jest.fn(),
+            findOne: jest.fn(),
+            deleteOne: jest.fn(),
+        };
+        const mockAuthorizationService = {
+            isGlobalAdmin: jest.fn(),
+            resolveAuthorization: jest.fn(),
+            resolveOrganizationAuthorization: jest.fn(),
+        };
+        const mockOrganizationCollection = {
+            get: jest.fn(),
+        };
+        const mockSecurityAuditCollection = {
+            insertOne: jest.fn().mockResolvedValue(undefined),
+        };
+        const module: TestingModule = await Test.createTestingModule({
+            providers: [
+                OrganizationRoleManager,
+                {
+                    provide: OrganizationRoleService,
+                    useValue: mockOrganizationRoleService,
+                },
+                {
+                    provide: AuthorizationService,
+                    useValue: mockAuthorizationService,
+                },
+                {
+                    provide: OrganizationCollection,
+                    useValue: mockOrganizationCollection,
+                },
+                {
+                    provide: SecurityAuditCollection,
+                    useValue: mockSecurityAuditCollection,
+                },
+            ],
+        }).compile();
+        manager = module.get<OrganizationRoleManager>(OrganizationRoleManager);
+        organizationRoleService = module.get(OrganizationRoleService);
+        authorizationService = module.get(AuthorizationService);
+        organizationCollection = module.get(OrganizationCollection);
+        securityAuditCollection = module.get(SecurityAuditCollection);
+    });
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+    afterAll(() => {
+        jest.restoreAllMocks();
+    });
+    describe('insertOne', () => {
+        const params = {
+            organization_id: organizationId,
+            principal_id: new ObjectId(),
+            principal_type: trailmixModels.Principal.Account,
+            role: trailmixModels.RoleValue.Admin,
+        };
+        it('successfully creates an organization role when organization exists and user has admin access (ensuring organization role creation works)', async () => {
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel(params);
+            const adminRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Admin,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: true,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [adminRole],
+            });
+            organizationRoleService.findOne.mockResolvedValue(null);
+            organizationRoleService.insertOne.mockResolvedValue(organizationRole);
+            const result = await manager.insertOne(params, accountPrincipal, auditContext);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalledWith({
+                principal: accountPrincipal,
+                rolesAllowList: [trailmixModels.RoleValue.Admin, trailmixModels.RoleValue.Owner],
+                principalTypeAllowList: [trailmixModels.Principal.Account, trailmixModels.Principal.ApiKey],
+                organizationId: organizationId,
+            });
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith(params);
+            expect(organizationRoleService.insertOne).toHaveBeenCalledWith(params, auditContext);
+            expect(result).toEqual(organizationRole);
+        });
+        it('throws BadRequestException when organization does not exist (ensuring organization existence is validated)', async () => {
+            organizationCollection.get.mockResolvedValue(null);
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).not.toHaveBeenCalled();
+            expect(organizationRoleService.insertOne).not.toHaveBeenCalled();
+        });
+        it('throws BadRequestException when role already exists (ensuring role uniqueness is enforced)', async () => {
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const existingRole = TestUtils.Models.createOrganizationRoleModel(params);
+            const adminRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Admin,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: true,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [adminRole],
+            });
+            organizationRoleService.findOne.mockResolvedValue(existingRole);
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith(params);
+            expect(organizationRoleService.insertOne).not.toHaveBeenCalled();
+        });
+        it('throws ForbiddenException when user has organization access but not admin role (ensuring users with lower roles cannot create organization roles)', async () => {
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const readerRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Reader,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [readerRole],
+            });
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(ForbiddenException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.insertOne).not.toHaveBeenCalled();
+            expect(securityAuditCollection.insertOne).toHaveBeenCalled();
+        });
+        it('throws BadRequestException when user has no organization access (ensuring user with no access is rejected)', async () => {
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [],
+            });
+            await expect(
+                manager.insertOne(params, accountPrincipal, auditContext)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.insertOne).not.toHaveBeenCalled();
+        });
+    });
+    describe('find', () => {
+        it('allows global admin to find all organization roles without organization_id (ensuring global admin can find all organization roles)', async () => {
+            const params = {};
+            const organizationRoles = [
+                TestUtils.Models.createOrganizationRoleModel(),
+                TestUtils.Models.createOrganizationRoleModel(),
+            ];
+            authorizationService.isGlobalAdmin.mockResolvedValue(true);
+            organizationRoleService.find.mockResolvedValue(organizationRoles);
+            const result = await manager.find(params, accountPrincipal);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalledWith(
+                accountEntity._id,
+                accountPrincipal.principal_type,
+            );
+            expect(organizationRoleService.find).toHaveBeenCalledWith(params);
+            expect(result).toEqual(organizationRoles);
+        });
+        it('throws BadRequestException when non-admin tries to find without organization_id (ensuring only admins can find organization roles)', async () => {
+            const params = {};
+            authorizationService.isGlobalAdmin.mockResolvedValue(false);
+            await expect(
+                manager.find(params, accountPrincipal)
+            ).rejects.toThrow(BadRequestException);
+            expect(authorizationService.isGlobalAdmin).toHaveBeenCalled();
+            expect(organizationRoleService.find).not.toHaveBeenCalled();
+        });
+        it('successfully finds organization roles when user has admin access to organization (ensuring organization role retrieval works)', async () => {
+            const params = { organization_id: organizationId };
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const organizationRoles = [
+                TestUtils.Models.createOrganizationRoleModel({ organization_id: organizationId }),
+            ];
+            const adminRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Admin,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: true,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [adminRole],
+            });
+            organizationRoleService.find.mockResolvedValue(organizationRoles);
+            const result = await manager.find(params, accountPrincipal);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.find).toHaveBeenCalledWith(params);
+            expect(result).toEqual(organizationRoles);
+        });
+        it('returns principal organization roles when non-admin user has organization access and queries their own roles (ensuring non-admin users can view their own roles)', async () => {
+            const params = {
+                organization_id: organizationId,
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+            };
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            const result = await manager.find(params, accountPrincipal);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.find).not.toHaveBeenCalled();
+            expect(result).toEqual([userRole]);
+        });
+        it('throws BadRequestException when non-admin user tries to view other principal roles (ensuring non-admin users cannot view other principals roles)', async () => {
+            const otherPrincipalId = new ObjectId();
+            const params = {
+                organization_id: organizationId,
+                principal_id: otherPrincipalId,
+            };
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            await expect(
+                manager.find(params, accountPrincipal)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.find).not.toHaveBeenCalled();
+        });
+        it('throws BadRequestException when non-admin user tries to view other principal type roles (ensuring non-admin users cannot view other principal types)', async () => {
+            const params = {
+                organization_id: organizationId,
+                principal_type: trailmixModels.Principal.ApiKey,
+            };
+            const organization = TestUtils.Entities.createOrganization({ _id: organizationId });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationCollection.get.mockResolvedValue(organization);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            await expect(
+                manager.find(params, accountPrincipal)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.find).not.toHaveBeenCalled();
+        });
+        it('throws BadRequestException when organization does not exist (ensuring organization existence is validated)', async () => {
+            const params = { organization_id: organizationId };
+            organizationCollection.get.mockResolvedValue(null);
+            await expect(
+                manager.find(params, accountPrincipal)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationCollection.get).toHaveBeenCalledWith(organizationId);
+            expect(organizationRoleService.find).not.toHaveBeenCalled();
+        });
+    });
+    describe('get', () => {
+        const roleId = new ObjectId();
+        it('successfully gets an organization role when user has admin access (ensuring organization role retrieval works)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+            });
+            const adminRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Admin,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: true,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [adminRole],
+            });
+            const result = await manager.get(roleId, accountPrincipal);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalledWith({
+                principal: accountPrincipal,
+                rolesAllowList: [trailmixModels.RoleValue.Admin, trailmixModels.RoleValue.Owner],
+                principalTypeAllowList: [trailmixModels.Principal.Account, trailmixModels.Principal.ApiKey],
+                organizationId: organizationId,
+            });
+            expect(result).toEqual(organizationRole);
+        });
+        it('successfully gets an organization role when non-admin user views their own role (ensuring non-admin users can view their own roles)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                role: trailmixModels.RoleValue.User,
+            });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            const result = await manager.get(roleId, accountPrincipal);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(result).toEqual(organizationRole);
+        });
+        it('throws NotFoundException when role is assigned to different principal (ensuring users cannot view roles assigned to others)', async () => {
+            const otherPrincipalId = new ObjectId();
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+                principal_id: otherPrincipalId,
+                principal_type: accountPrincipal.principal_type,
+            });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(NotFoundException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+        });
+        it('throws NotFoundException when role is assigned to different principal type (ensuring users cannot view roles for other principal types)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+                principal_id: accountEntity._id,
+                principal_type: trailmixModels.Principal.ApiKey,
+            });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(NotFoundException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+        });
+        it('throws NotFoundException when role does not exist (ensuring role existence is validated)', async () => {
+            organizationRoleService.findOne.mockResolvedValue(null);
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(NotFoundException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).not.toHaveBeenCalled();
+        });
+        it('throws BadRequestException when user does not have access (ensuring user with no access is rejected)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [],
+            });
+            await expect(
+                manager.get(roleId, accountPrincipal)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(securityAuditCollection.insertOne).toHaveBeenCalled();
+        });
+    });
+    describe('deleteOne', () => {
+        const roleId = new ObjectId();
+        it('successfully deletes an organization role when user has admin access (ensuring organization role deletion works)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+            });
+            const adminRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.Admin,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: true,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [adminRole],
+            });
+            organizationRoleService.deleteOne.mockResolvedValue(undefined);
+            await manager.deleteOne(roleId, accountPrincipal, auditContext);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.deleteOne).toHaveBeenCalledWith(roleId, auditContext);
+        });
+        it('throws NotFoundException when role does not exist (ensuring role existence is validated)', async () => {
+            organizationRoleService.findOne.mockResolvedValue(null);
+            await expect(
+                manager.deleteOne(roleId, accountPrincipal, auditContext)
+            ).rejects.toThrow(NotFoundException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(organizationRoleService.deleteOne).not.toHaveBeenCalled();
+        });
+        it('throws BadRequestException when user does not have access (ensuring user with no access is rejected)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [],
+            });
+            await expect(
+                manager.deleteOne(roleId, accountPrincipal, auditContext)
+            ).rejects.toThrow(BadRequestException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(organizationRoleService.deleteOne).not.toHaveBeenCalled();
+        });
+        it('throws ForbiddenException when user has organization access but not admin role (ensuring only admins can delete organization roles)', async () => {
+            const organizationRole = TestUtils.Models.createOrganizationRoleModel({
+                _id: roleId,
+                organization_id: organizationId,
+            });
+            const userRole = TestUtils.Models.createOrganizationRoleModel({
+                principal_id: accountEntity._id,
+                principal_type: accountPrincipal.principal_type,
+                organization_id: organizationId,
+                role: trailmixModels.RoleValue.User,
+            });
+            organizationRoleService.findOne.mockResolvedValue(organizationRole);
+            authorizationService.resolveOrganizationAuthorization.mockResolvedValue({
+                hasAccess: false,
+                isGlobalAdmin: false,
+                globalRoles: [],
+                organizationRoles: [userRole],
+            });
+            await expect(
+                manager.deleteOne(roleId, accountPrincipal, auditContext)
+            ).rejects.toThrow(ForbiddenException);
+            expect(organizationRoleService.findOne).toHaveBeenCalledWith({ _id: roleId });
+            expect(authorizationService.resolveOrganizationAuthorization).toHaveBeenCalled();
+            expect(securityAuditCollection.insertOne).toHaveBeenCalled();
+            expect(organizationRoleService.deleteOne).not.toHaveBeenCalled();
+        });
+    });
+});