Adds command outlook calendargroup set. Closes #7109#7183
Adds command outlook calendargroup set. Closes #7109#7183MathijsVerbeeck wants to merge 1 commit intopnp:mainfrom
outlook calendargroup set. Closes #7109#7183Conversation
MathijsVerbeeck
changed the title
outlook calendargroup set. Closes #7109
There was a problem hiding this comment.
Pull request overview
Adds the new Microsoft Graph-backed command m365 outlook calendargroup set to update a user’s Outlook calendar group name, including command implementation, tests, and documentation updates to surface it in the CLI docs.
Changes:
- Implemented
outlook calendargroup setcommand logic (Graph PATCH + lookup by name when needed) - Added a comprehensive Mocha test suite covering validation and app-only vs delegated behaviors
- Documented the command and added it to the Outlook docs sidebar and command name registry
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/m365/outlook/commands/calendargroup/calendargroup-set.ts | New command implementation to update a calendar group (by id or name) for me or a specified user |
| src/m365/outlook/commands/calendargroup/calendargroup-set.spec.ts | New test suite covering validation, URL selection logic, scope checks, and error handling |
| src/m365/outlook/commands.ts | Registers the new command name outlook calendargroup set for lazy-loading |
| docs/src/config/sidebars.ts | Adds the command page to the Outlook → calendargroup section in the docs nav |
| docs/docs/cmd/outlook/calendargroup/calendargroup-set.mdx | New documentation page for the command (usage/options/permissions/examples) |
| const userIdentifier = args.options.userId ?? args.options.userName; | ||
| userUrl = `${this.resource}/v1.0/users('${userIdentifier}')`; | ||
| } |
There was a problem hiding this comment.
userIdentifier is interpolated into users('${userIdentifier}') without URL/OData escaping. A valid UPN can contain characters like ' (eg o'connor@contoso.com), which would break the request URL (and can enable crafted path/query injection). Consider using the /users/<id-or-upn> form or encoding the identifier first (eg formatting.encodeQueryParameter(...)).
|
|
||
| const userIdentifier = args.options.userId ?? args.options.userName; | ||
| userUrl = `${this.resource}/v1.0/users('${userIdentifier}')`; | ||
| } |
There was a problem hiding this comment.
Same issue in delegated mode: userIdentifier is interpolated into users('${userIdentifier}') without escaping. Since userName validation allows characters like ', this can produce invalid URLs or allow crafted inputs to alter the request path. Encode the identifier (eg formatting.encodeQueryParameter) or use the /users/<id-or-upn> style used elsewhere.
Closes #7109