From 686697e890ea4d492601ae809031d9d919c27bda Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 21 Feb 2024 11:30:22 +0000
Subject: [PATCH 01/15] Enforce using example.com as a domain for emails.

---
 .eslintrc.json                                |  3 +-
 eslint-local-rules/index.js                   | 37 +++++++++++++++++++
 .../core/utilities/structures/accounts.ts     |  2 +-
 .../tests/core/utilities/structures/scim.ts   |  2 +-
 .../src/tests/utilities/TestConfiguration.ts  |  8 ++--
 .../api/routes/global/tests/groups.spec.ts    |  2 +-
 .../tests/accounts/accounts.cloud.spec.ts     |  2 +-
 qa-core/src/public-api/fixtures/users.ts      |  2 +-
 8 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/.eslintrc.json b/.eslintrc.json
index 3de9d13046..ae9512152f 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -44,7 +44,8 @@
         "no-undef": "off",
         "no-prototype-builtins": "off",
         "local-rules/no-budibase-imports": "error",
-        "local-rules/no-test-com": "error"
+        "local-rules/no-test-com": "error",
+        "local-rules/email-domain-example-com": "error"
       }
     },
     {
diff --git a/eslint-local-rules/index.js b/eslint-local-rules/index.js
index 71bb5068da..177b0a129c 100644
--- a/eslint-local-rules/index.js
+++ b/eslint-local-rules/index.js
@@ -51,4 +51,41 @@ module.exports = {
       }
     },
   },
+  "email-domain-example-com": {
+    meta: {
+      type: "problem",
+      docs: {
+        description:
+          "enforce using the example.com domain for generator.email calls",
+        category: "Possible Errors",
+        recommended: false,
+      },
+      fixable: "code",
+      schema: [],
+    },
+    create: function (context) {
+      return {
+        CallExpression(node) {
+          if (
+            node.callee.type === "MemberExpression" &&
+            node.callee.object.name === "generator" &&
+            node.callee.property.name === "email" &&
+            node.arguments.length === 0
+          ) {
+            context.report({
+              node,
+              message:
+                "Prefer using generator.email with the domain \"{ domain: 'example.com' }\".",
+              fix: function (fixer) {
+                return fixer.replaceText(
+                  node,
+                  'generator.email({ domain: "example.com" })'
+                )
+              },
+            })
+          }
+        },
+      }
+    },
+  },
 }
diff --git a/packages/backend-core/tests/core/utilities/structures/accounts.ts b/packages/backend-core/tests/core/utilities/structures/accounts.ts
index 515f94db1e..7dcc2de116 100644
--- a/packages/backend-core/tests/core/utilities/structures/accounts.ts
+++ b/packages/backend-core/tests/core/utilities/structures/accounts.ts
@@ -18,7 +18,7 @@ export const account = (partial: Partial<Account> = {}): Account => {
   return {
     accountId: uuid(),
     tenantId: generator.word(),
-    email: generator.email(),
+    email: generator.email({ domain: "example.com" }),
     tenantName: generator.word(),
     hosting: Hosting.SELF,
     createdAt: Date.now(),
diff --git a/packages/backend-core/tests/core/utilities/structures/scim.ts b/packages/backend-core/tests/core/utilities/structures/scim.ts
index 80f41c605d..f36ccd2374 100644
--- a/packages/backend-core/tests/core/utilities/structures/scim.ts
+++ b/packages/backend-core/tests/core/utilities/structures/scim.ts
@@ -13,7 +13,7 @@ interface CreateUserRequestFields {
 export function createUserRequest(userData?: Partial<CreateUserRequestFields>) {
   const defaultValues = {
     externalId: uuid(),
-    email: generator.email(),
+    email: generator.email({ domain: "example.com" }),
     firstName: generator.first(),
     lastName: generator.last(),
     username: generator.name(),
diff --git a/packages/server/src/tests/utilities/TestConfiguration.ts b/packages/server/src/tests/utilities/TestConfiguration.ts
index 8e6ecdfeb1..2e6bbb6290 100644
--- a/packages/server/src/tests/utilities/TestConfiguration.ts
+++ b/packages/server/src/tests/utilities/TestConfiguration.ts
@@ -301,7 +301,7 @@ export default class TestConfiguration {
       lastName = generator.last(),
       builder = true,
       admin = false,
-      email = generator.email(),
+      email = generator.email({ domain: "example.com" }),
       roles,
     } = config
 
@@ -357,7 +357,7 @@ export default class TestConfiguration {
       id,
       firstName = generator.first(),
       lastName = generator.last(),
-      email = generator.email(),
+      email = generator.email({ domain: "example.com" }),
       builder = true,
       admin,
       roles,
@@ -485,7 +485,7 @@ export default class TestConfiguration {
 
   async basicRoleHeaders() {
     return await this.roleHeaders({
-      email: generator.email(),
+      email: generator.email({ domain: "example.com" }),
       builder: false,
       prodApp: true,
       roleId: roles.BUILTIN_ROLE_IDS.BASIC,
@@ -493,7 +493,7 @@ export default class TestConfiguration {
   }
 
   async roleHeaders({
-    email = generator.email(),
+    email = generator.email({ domain: "example.com" }),
     roleId = roles.BUILTIN_ROLE_IDS.ADMIN,
     builder = false,
     prodApp = true,
diff --git a/packages/worker/src/api/routes/global/tests/groups.spec.ts b/packages/worker/src/api/routes/global/tests/groups.spec.ts
index 8f0739a812..b69c4781c4 100644
--- a/packages/worker/src/api/routes/global/tests/groups.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/groups.spec.ts
@@ -147,7 +147,7 @@ describe("/api/global/groups", () => {
 
         await Promise.all(
           Array.from({ length: 30 }).map(async (_, i) => {
-            const email = `user${i}@${generator.domain()}`
+            const email = `user${i}@example.com`
             const user = await config.api.users.saveUser({
               ...structures.users.user(),
               email,
diff --git a/qa-core/src/account-api/tests/accounts/accounts.cloud.spec.ts b/qa-core/src/account-api/tests/accounts/accounts.cloud.spec.ts
index 0969b72cf9..01338b609c 100644
--- a/qa-core/src/account-api/tests/accounts/accounts.cloud.spec.ts
+++ b/qa-core/src/account-api/tests/accounts/accounts.cloud.spec.ts
@@ -84,7 +84,7 @@ describe("Accounts", () => {
     })
 
     it("searches by email", async () => {
-      const email = generator.email()
+      const email = generator.email({ domain: "example.com" })
 
       // Empty result
       const [_, emptyBody] = await config.api.accounts.search(email, "email")
diff --git a/qa-core/src/public-api/fixtures/users.ts b/qa-core/src/public-api/fixtures/users.ts
index e20c464b34..418b565d2a 100644
--- a/qa-core/src/public-api/fixtures/users.ts
+++ b/qa-core/src/public-api/fixtures/users.ts
@@ -4,7 +4,7 @@ import { generator } from "../../shared"
 export const generateUser = (
   overrides: Partial<User> = {}
 ): CreateUserParams => ({
-  email: generator.email(),
+  email: generator.email({ domain: "example.com" }),
   roles: {
     [generator.string({ length: 32, alpha: true, numeric: true })]:
       generator.word(),

From 90dd267aaf5ad6a95583c0d6d888a9a19068d299 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 21 Feb 2024 14:10:03 +0000
Subject: [PATCH 02/15] Update account-portal submodule to latest master.

---
 packages/account-portal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/account-portal b/packages/account-portal
index 4384bc742c..4de0d98e2f 160000
--- a/packages/account-portal
+++ b/packages/account-portal
@@ -1 +1 @@
-Subproject commit 4384bc742ca22fb1e9bf91843e65ae929daf17e2
+Subproject commit 4de0d98e2f8d80ee7631dffe076063273812a441

From 13563d18dca87872dad9294c61c8018158fa191d Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 5 Mar 2024 09:20:20 +0000
Subject: [PATCH 03/15] Write a failing test.

---
 .../src/api/routes/tests/application.spec.ts  | 46 ++++++++++++++++++-
 .../server/src/tests/utilities/api/index.ts   |  3 ++
 .../server/src/tests/utilities/api/role.ts    | 41 +++++++++++++++++
 3 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 packages/server/src/tests/utilities/api/role.ts

diff --git a/packages/server/src/api/routes/tests/application.spec.ts b/packages/server/src/api/routes/tests/application.spec.ts
index 5a3be462e8..b452e8742f 100644
--- a/packages/server/src/api/routes/tests/application.spec.ts
+++ b/packages/server/src/api/routes/tests/application.spec.ts
@@ -16,7 +16,13 @@ import * as setup from "./utilities"
 import { AppStatus } from "../../../db/utils"
 import { events, utils, context } from "@budibase/backend-core"
 import env from "../../../environment"
-import type { App } from "@budibase/types"
+import {
+  PermissionLevel,
+  type App,
+  INTERNAL_TABLE_SOURCE_ID,
+  TableSourceType,
+  FieldType,
+} from "@budibase/types"
 import tk from "timekeeper"
 
 describe("/applications", () => {
@@ -256,10 +262,48 @@ describe("/applications", () => {
         admin: { global: false },
       })
 
+      const table = await config.api.table.save({
+        name: "table",
+        type: "table",
+        sourceId: INTERNAL_TABLE_SOURCE_ID,
+        sourceType: TableSourceType.INTERNAL,
+        schema: {
+          name: {
+            type: FieldType.STRING,
+            name: "name",
+          },
+        },
+      })
+
       await config.withUser(user, async () => {
         const apps = await config.api.application.fetch()
         expect(apps).toHaveLength(0)
       })
+
+      const role = await config.api.roles.save({
+        name: "Test",
+        inherits: "PUBLIC",
+        permissionId: "read_only",
+        version: "name",
+      })
+
+      await config.api.user.update({
+        ...user,
+        roles: {
+          [config.getAppId()]: role._id!,
+        },
+      })
+
+      await config.api.permission.add({
+        resourceId: table._id!,
+        roleId: role._id!,
+        level: PermissionLevel.READ,
+      })
+
+      await config.withUser(user, async () => {
+        const apps = await config.api.application.fetch()
+        expect(apps).toHaveLength(1)
+      })
     })
   })
 })
diff --git a/packages/server/src/tests/utilities/api/index.ts b/packages/server/src/tests/utilities/api/index.ts
index fdcec3098d..d66acd86fd 100644
--- a/packages/server/src/tests/utilities/api/index.ts
+++ b/packages/server/src/tests/utilities/api/index.ts
@@ -11,6 +11,7 @@ import { BackupAPI } from "./backup"
 import { AttachmentAPI } from "./attachment"
 import { UserAPI } from "./user"
 import { QueryAPI } from "./query"
+import { RoleAPI } from "./role"
 
 export default class API {
   table: TableAPI
@@ -25,6 +26,7 @@ export default class API {
   attachment: AttachmentAPI
   user: UserAPI
   query: QueryAPI
+  roles: RoleAPI
 
   constructor(config: TestConfiguration) {
     this.table = new TableAPI(config)
@@ -39,5 +41,6 @@ export default class API {
     this.attachment = new AttachmentAPI(config)
     this.user = new UserAPI(config)
     this.query = new QueryAPI(config)
+    this.roles = new RoleAPI(config)
   }
 }
diff --git a/packages/server/src/tests/utilities/api/role.ts b/packages/server/src/tests/utilities/api/role.ts
new file mode 100644
index 0000000000..4defbc1220
--- /dev/null
+++ b/packages/server/src/tests/utilities/api/role.ts
@@ -0,0 +1,41 @@
+import {
+  AccessibleRolesResponse,
+  FetchRolesResponse,
+  FindRoleResponse,
+  SaveRoleRequest,
+  SaveRoleResponse,
+} from "@budibase/types"
+import { Expectations, TestAPI } from "./base"
+
+export class RoleAPI extends TestAPI {
+  fetch = async (expectations?: Expectations) => {
+    return await this._get<FetchRolesResponse>(`/api/roles`, {
+      expectations,
+    })
+  }
+
+  find = async (roleId: string, expectations?: Expectations) => {
+    return await this._get<FindRoleResponse>(`/api/roles/${roleId}`, {
+      expectations,
+    })
+  }
+
+  save = async (body: SaveRoleRequest, expectations?: Expectations) => {
+    return await this._post<SaveRoleResponse>(`/api/roles`, {
+      body,
+      expectations,
+    })
+  }
+
+  destroy = async (roleId: string, expectations?: Expectations) => {
+    return await this._delete(`/api/roles/${roleId}`, {
+      expectations,
+    })
+  }
+
+  accesssible = async (expectations?: Expectations) => {
+    return await this._get<AccessibleRolesResponse>(`/api/roles/accessible`, {
+      expectations,
+    })
+  }
+}

From aa124524d4bc93e228c5ada844fccb541cb55e6e Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 5 Mar 2024 10:05:05 +0000
Subject: [PATCH 04/15] Add a simpler test.

---
 packages/backend-core/src/cache/user.ts       |  4 +-
 packages/server/src/api/controllers/user.ts   |  3 +-
 .../src/api/routes/tests/application.spec.ts  | 39 ++++++++++++++++++-
 .../src/tests/utilities/TestConfiguration.ts  |  4 +-
 4 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/packages/backend-core/src/cache/user.ts b/packages/backend-core/src/cache/user.ts
index 313b9a4d4a..ecfa20f99e 100644
--- a/packages/backend-core/src/cache/user.ts
+++ b/packages/backend-core/src/cache/user.ts
@@ -6,7 +6,7 @@ import env from "../environment"
 import * as accounts from "../accounts"
 import { UserDB } from "../users"
 import { sdk } from "@budibase/shared-core"
-import { User } from "@budibase/types"
+import { User, UserMetadata } from "@budibase/types"
 
 const EXPIRY_SECONDS = 3600
 
@@ -15,7 +15,7 @@ const EXPIRY_SECONDS = 3600
  */
 async function populateFromDB(userId: string, tenantId: string) {
   const db = tenancy.getTenantDB(tenantId)
-  const user = await db.get<any>(userId)
+  const user = await db.get<UserMetadata>(userId)
   user.budibaseAccess = true
   if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
     const account = await accounts.getAccount(user.email)
diff --git a/packages/server/src/api/controllers/user.ts b/packages/server/src/api/controllers/user.ts
index 108e29fd3d..d1658f9820 100644
--- a/packages/server/src/api/controllers/user.ts
+++ b/packages/server/src/api/controllers/user.ts
@@ -1,6 +1,6 @@
 import { generateUserFlagID, InternalTables } from "../../db/utils"
 import { getFullUser } from "../../utilities/users"
-import { context } from "@budibase/backend-core"
+import { cache, context } from "@budibase/backend-core"
 import {
   ContextUserMetadata,
   Ctx,
@@ -42,6 +42,7 @@ export async function updateMetadata(
   // this isn't applicable to the user
   delete metadata.roles
   ctx.body = await db.put(metadata)
+  await cache.user.invalidateUser(user._id!)
 }
 
 export async function destroyMetadata(ctx: UserCtx<void, { message: string }>) {
diff --git a/packages/server/src/api/routes/tests/application.spec.ts b/packages/server/src/api/routes/tests/application.spec.ts
index b452e8742f..7424511200 100644
--- a/packages/server/src/api/routes/tests/application.spec.ts
+++ b/packages/server/src/api/routes/tests/application.spec.ts
@@ -256,7 +256,44 @@ describe("/applications", () => {
   })
 
   describe("permissions", () => {
-    it("should only return apps a user has access to", async () => {
+    it.only("should only return apps a user has access to", async () => {
+      const user = await config.createUser({
+        builder: { global: false },
+        admin: { global: false },
+      })
+
+      const table = await config.api.table.save({
+        name: "table",
+        type: "table",
+        sourceId: INTERNAL_TABLE_SOURCE_ID,
+        sourceType: TableSourceType.INTERNAL,
+        schema: {
+          name: {
+            type: FieldType.STRING,
+            name: "name",
+          },
+        },
+      })
+
+      await config.withUser(user, async () => {
+        const apps = await config.api.application.fetch()
+        expect(apps).toHaveLength(0)
+      })
+
+      await config.api.user.update({
+        ...user,
+        builder: {
+          [config.getAppId()]: true,
+        },
+      })
+
+      await config.withUser(user, async () => {
+        const apps = await config.api.application.fetch()
+        expect(apps).toHaveLength(1)
+      })
+    })
+
+    it("should only return apps a user has access to through a custom role on a group", async () => {
       const user = await config.createUser({
         builder: { global: false },
         admin: { global: false },
diff --git a/packages/server/src/tests/utilities/TestConfiguration.ts b/packages/server/src/tests/utilities/TestConfiguration.ts
index 2127e9d1cd..32af88836e 100644
--- a/packages/server/src/tests/utilities/TestConfiguration.ts
+++ b/packages/server/src/tests/utilities/TestConfiguration.ts
@@ -299,11 +299,11 @@ export default class TestConfiguration {
     }
   }
 
-  withUser(user: User, f: () => Promise<void>) {
+  async withUser(user: User, f: () => Promise<void>) {
     const oldUser = this.user
     this.user = user
     try {
-      return f()
+      return await f()
     } finally {
       this.user = oldUser
     }

From f1decee0102c0bc6b4687fffa14f5b445e1c3689 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 5 Mar 2024 14:37:06 +0000
Subject: [PATCH 05/15] Get test passing.

---
 .../src/api/routes/tests/application.spec.ts   |  8 +++++---
 .../src/tests/utilities/TestConfiguration.ts   | 18 +++++++++++-------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/packages/server/src/api/routes/tests/application.spec.ts b/packages/server/src/api/routes/tests/application.spec.ts
index 7424511200..6f948d9977 100644
--- a/packages/server/src/api/routes/tests/application.spec.ts
+++ b/packages/server/src/api/routes/tests/application.spec.ts
@@ -25,6 +25,8 @@ import {
 } from "@budibase/types"
 import tk from "timekeeper"
 
+jest.setTimeout(99999999)
+
 describe("/applications", () => {
   let config = setup.getConfig()
   let app: App
@@ -257,7 +259,7 @@ describe("/applications", () => {
 
   describe("permissions", () => {
     it.only("should only return apps a user has access to", async () => {
-      const user = await config.createUser({
+      let user = await config.createUser({
         builder: { global: false },
         admin: { global: false },
       })
@@ -280,10 +282,10 @@ describe("/applications", () => {
         expect(apps).toHaveLength(0)
       })
 
-      await config.api.user.update({
+      user = await config.globalUser({
         ...user,
         builder: {
-          [config.getAppId()]: true,
+          apps: [config.getProdAppId()],
         },
       })
 
diff --git a/packages/server/src/tests/utilities/TestConfiguration.ts b/packages/server/src/tests/utilities/TestConfiguration.ts
index 32af88836e..cfe1bf4066 100644
--- a/packages/server/src/tests/utilities/TestConfiguration.ts
+++ b/packages/server/src/tests/utilities/TestConfiguration.ts
@@ -363,6 +363,7 @@ export default class TestConfiguration {
       _id,
       ...existing,
       ...config,
+      _rev: existing._rev,
       email,
       roles,
       tenantId,
@@ -372,11 +373,12 @@ export default class TestConfiguration {
       admin,
     }
     await sessions.createASession(_id, {
-      sessionId: "sessionid",
+      sessionId: this.sessionIdForUser(_id),
       tenantId: this.getTenantId(),
       csrfToken: this.csrfToken,
     })
     const resp = await db.put(user)
+    await cache.user.invalidateUser(_id)
     return {
       _rev: resp.rev,
       ...user,
@@ -384,9 +386,7 @@ export default class TestConfiguration {
   }
 
   async createUser(user: Partial<User> = {}): Promise<User> {
-    const resp = await this.globalUser(user)
-    await cache.user.invalidateUser(resp._id!)
-    return resp
+    return await this.globalUser(user)
   }
 
   async createGroup(roleId: string = roles.BUILTIN_ROLE_IDS.BASIC) {
@@ -416,6 +416,10 @@ export default class TestConfiguration {
     })
   }
 
+  sessionIdForUser(userId: string): string {
+    return `sessionid-${userId}`
+  }
+
   async login({
     roleId,
     userId,
@@ -442,13 +446,13 @@ export default class TestConfiguration {
         })
       }
       await sessions.createASession(userId, {
-        sessionId: "sessionid",
+        sessionId: this.sessionIdForUser(userId),
         tenantId: this.getTenantId(),
       })
       // have to fake this
       const authObj = {
         userId,
-        sessionId: "sessionid",
+        sessionId: this.sessionIdForUser(userId),
         tenantId: this.getTenantId(),
       }
       const authToken = jwt.sign(authObj, coreEnv.JWT_SECRET as Secret)
@@ -470,7 +474,7 @@ export default class TestConfiguration {
     const user = this.getUser()
     const authObj: AuthToken = {
       userId: user._id!,
-      sessionId: "sessionid",
+      sessionId: this.sessionIdForUser(user._id!),
       tenantId,
     }
     const authToken = jwt.sign(authObj, coreEnv.JWT_SECRET as Secret)

From 182a1df9606f98da9791cb50df8355fc54eb21c2 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 5 Mar 2024 17:35:04 +0000
Subject: [PATCH 06/15] Fix the bug, I think.

---
 packages/backend-core/src/db/Replication.ts   | 36 ++++++---
 packages/backend-core/src/security/roles.ts   |  5 +-
 packages/server/src/api/controllers/role.ts   | 10 +++
 .../src/api/routes/tests/application.spec.ts  | 81 +++++++++----------
 packages/types/src/documents/app/role.ts      |  1 +
 5 files changed, 72 insertions(+), 61 deletions(-)

diff --git a/packages/backend-core/src/db/Replication.ts b/packages/backend-core/src/db/Replication.ts
index f91a37ce8f..12c11eb9e2 100644
--- a/packages/backend-core/src/db/Replication.ts
+++ b/packages/backend-core/src/db/Replication.ts
@@ -1,17 +1,18 @@
+import PouchDB from "pouchdb"
 import { getPouchDB, closePouchDB } from "./couch"
 import { DocumentType } from "../constants"
 
 class Replication {
-  source: any
-  target: any
-  replication: any
+  source: PouchDB.Database
+  target: PouchDB.Database
+  replication?: Promise<any>
 
   /**
    *
    * @param source - the DB you want to replicate or rollback to
    * @param target - the DB you want to replicate to, or rollback from
    */
-  constructor({ source, target }: any) {
+  constructor({ source, target }: { source: string; target: string }) {
     this.source = getPouchDB(source)
     this.target = getPouchDB(target)
   }
@@ -40,7 +41,7 @@ class Replication {
    * Two way replication operation, intended to be promise based.
    * @param opts - PouchDB replication options
    */
-  sync(opts = {}) {
+  sync(opts: PouchDB.Replication.SyncOptions = {}) {
     this.replication = this.promisify(this.source.sync, opts)
     return this.replication
   }
@@ -49,18 +50,31 @@ class Replication {
    * One way replication operation, intended to be promise based.
    * @param opts - PouchDB replication options
    */
-  replicate(opts = {}) {
+  replicate(opts: PouchDB.Replication.ReplicateOptions = {}) {
     this.replication = this.promisify(this.source.replicate.to, opts)
     return this.replication
   }
 
-  appReplicateOpts() {
+  appReplicateOpts(
+    opts: PouchDB.Replication.ReplicateOptions = {}
+  ): PouchDB.Replication.ReplicateOptions {
+    if (typeof opts.filter === "string") {
+      return opts
+    }
+
+    const filter = opts.filter
+    delete opts.filter
+
     return {
-      filter: (doc: any) => {
+      ...opts,
+      filter: (doc: any, params: any) => {
         if (doc._id && doc._id.startsWith(DocumentType.AUTOMATION_LOG)) {
           return false
         }
-        return doc._id !== DocumentType.APP_METADATA
+        if (doc._id === DocumentType.APP_METADATA) {
+          return false
+        }
+        return filter ? filter(doc, params) : true
       },
     }
   }
@@ -75,10 +89,6 @@ class Replication {
     // take the opportunity to remove deleted tombstones
     await this.replicate()
   }
-
-  cancel() {
-    this.replication.cancel()
-  }
 }
 
 export default Replication
diff --git a/packages/backend-core/src/security/roles.ts b/packages/backend-core/src/security/roles.ts
index 01473ad991..a64be6b319 100644
--- a/packages/backend-core/src/security/roles.ts
+++ b/packages/backend-core/src/security/roles.ts
@@ -101,10 +101,7 @@ export function getBuiltinRole(roleId: string): Role | undefined {
 /**
  * Works through the inheritance ranks to see how far up the builtin stack this ID is.
  */
-export function builtinRoleToNumber(id?: string) {
-  if (!id) {
-    return 0
-  }
+export function builtinRoleToNumber(id: string) {
   const builtins = getBuiltinRoles()
   const MAX = Object.values(builtins).length + 1
   if (id === BUILTIN_IDS.ADMIN || id === BUILTIN_IDS.BUILDER) {
diff --git a/packages/server/src/api/controllers/role.ts b/packages/server/src/api/controllers/role.ts
index b3eb61a255..fff58da86e 100644
--- a/packages/server/src/api/controllers/role.ts
+++ b/packages/server/src/api/controllers/role.ts
@@ -106,6 +106,16 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
   )
   role._rev = result.rev
   ctx.body = role
+
+  const replication = new dbCore.Replication({
+    source: context.getDevAppDB().name,
+    target: context.getProdAppDB().name,
+  })
+  await replication.replicate({
+    filter: (doc: any, params: any) => {
+      return doc._id === _id
+    },
+  })
 }
 
 export async function destroy(ctx: UserCtx<void, DestroyRoleResponse>) {
diff --git a/packages/server/src/api/routes/tests/application.spec.ts b/packages/server/src/api/routes/tests/application.spec.ts
index 6f948d9977..63c9fe44b8 100644
--- a/packages/server/src/api/routes/tests/application.spec.ts
+++ b/packages/server/src/api/routes/tests/application.spec.ts
@@ -16,16 +16,9 @@ import * as setup from "./utilities"
 import { AppStatus } from "../../../db/utils"
 import { events, utils, context } from "@budibase/backend-core"
 import env from "../../../environment"
-import {
-  PermissionLevel,
-  type App,
-  INTERNAL_TABLE_SOURCE_ID,
-  TableSourceType,
-  FieldType,
-} from "@budibase/types"
+import { type App } from "@budibase/types"
 import tk from "timekeeper"
-
-jest.setTimeout(99999999)
+import * as uuid from "uuid"
 
 describe("/applications", () => {
   let config = setup.getConfig()
@@ -258,25 +251,12 @@ describe("/applications", () => {
   })
 
   describe("permissions", () => {
-    it.only("should only return apps a user has access to", async () => {
+    it("should only return apps a user has access to", async () => {
       let user = await config.createUser({
         builder: { global: false },
         admin: { global: false },
       })
 
-      const table = await config.api.table.save({
-        name: "table",
-        type: "table",
-        sourceId: INTERNAL_TABLE_SOURCE_ID,
-        sourceType: TableSourceType.INTERNAL,
-        schema: {
-          name: {
-            type: FieldType.STRING,
-            name: "name",
-          },
-        },
-      })
-
       await config.withUser(user, async () => {
         const apps = await config.api.application.fetch()
         expect(apps).toHaveLength(0)
@@ -295,25 +275,12 @@ describe("/applications", () => {
       })
     })
 
-    it("should only return apps a user has access to through a custom role on a group", async () => {
-      const user = await config.createUser({
+    it("should only return apps a user has access to through a custom role", async () => {
+      let user = await config.createUser({
         builder: { global: false },
         admin: { global: false },
       })
 
-      const table = await config.api.table.save({
-        name: "table",
-        type: "table",
-        sourceId: INTERNAL_TABLE_SOURCE_ID,
-        sourceType: TableSourceType.INTERNAL,
-        schema: {
-          name: {
-            type: FieldType.STRING,
-            name: "name",
-          },
-        },
-      })
-
       await config.withUser(user, async () => {
         const apps = await config.api.application.fetch()
         expect(apps).toHaveLength(0)
@@ -326,17 +293,43 @@ describe("/applications", () => {
         version: "name",
       })
 
-      await config.api.user.update({
+      user = await config.globalUser({
         ...user,
         roles: {
-          [config.getAppId()]: role._id!,
+          [config.getProdAppId()]: role.name,
         },
       })
 
-      await config.api.permission.add({
-        resourceId: table._id!,
-        roleId: role._id!,
-        level: PermissionLevel.READ,
+      await config.withUser(user, async () => {
+        const apps = await config.api.application.fetch()
+        expect(apps).toHaveLength(1)
+      })
+    })
+
+    it.only("should only return apps a user has access to through a custom role on a group", async () => {
+      let user = await config.createUser({
+        builder: { global: false },
+        admin: { global: false },
+      })
+
+      await config.withUser(user, async () => {
+        const apps = await config.api.application.fetch()
+        expect(apps).toHaveLength(0)
+      })
+
+      const roleName = uuid.v4().replace(/-/g, "")
+      const role = await config.api.roles.save({
+        name: roleName,
+        inherits: "PUBLIC",
+        permissionId: "read_only",
+        version: "name",
+      })
+
+      const group = await config.createGroup(role._id!)
+
+      user = await config.globalUser({
+        ...user,
+        userGroups: [group._id!],
       })
 
       await config.withUser(user, async () => {
diff --git a/packages/types/src/documents/app/role.ts b/packages/types/src/documents/app/role.ts
index d126a67b16..f32ba810b0 100644
--- a/packages/types/src/documents/app/role.ts
+++ b/packages/types/src/documents/app/role.ts
@@ -5,4 +5,5 @@ export interface Role extends Document {
   inherits?: string
   permissions: { [key: string]: string[] }
   version?: string
+  name: string
 }

From 11704ea983b5ec3d7426b6927afa41d1cdea81a7 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 5 Mar 2024 17:40:38 +0000
Subject: [PATCH 07/15] TODO.

---
 packages/server/src/api/controllers/role.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/server/src/api/controllers/role.ts b/packages/server/src/api/controllers/role.ts
index fff58da86e..6b62c568e2 100644
--- a/packages/server/src/api/controllers/role.ts
+++ b/packages/server/src/api/controllers/role.ts
@@ -107,6 +107,8 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
   role._rev = result.rev
   ctx.body = role
 
+  // TODO: need to check that the prod DB actually exists, I think it won't
+  // if the app has never been published.
   const replication = new dbCore.Replication({
     source: context.getDevAppDB().name,
     target: context.getProdAppDB().name,

From 2b206f2105681140a1079ba49bcc434df1e7f489 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 10:00:02 +0000
Subject: [PATCH 08/15] Fix the TODO I left myself last night.

---
 packages/backend-core/src/db/Replication.ts | 41 +++++----------------
 packages/server/src/api/controllers/role.ts | 25 +++++++------
 2 files changed, 23 insertions(+), 43 deletions(-)

diff --git a/packages/backend-core/src/db/Replication.ts b/packages/backend-core/src/db/Replication.ts
index 12c11eb9e2..9c960d76dd 100644
--- a/packages/backend-core/src/db/Replication.ts
+++ b/packages/backend-core/src/db/Replication.ts
@@ -5,56 +5,33 @@ import { DocumentType } from "../constants"
 class Replication {
   source: PouchDB.Database
   target: PouchDB.Database
-  replication?: Promise<any>
 
-  /**
-   *
-   * @param source - the DB you want to replicate or rollback to
-   * @param target - the DB you want to replicate to, or rollback from
-   */
   constructor({ source, target }: { source: string; target: string }) {
     this.source = getPouchDB(source)
     this.target = getPouchDB(target)
   }
 
-  close() {
-    return Promise.all([closePouchDB(this.source), closePouchDB(this.target)])
+  async close() {
+    await Promise.all([closePouchDB(this.source), closePouchDB(this.target)])
   }
 
-  promisify(operation: any, opts = {}) {
-    return new Promise(resolve => {
-      operation(this.target, opts)
-        .on("denied", function (err: any) {
+  replicate(opts: PouchDB.Replication.ReplicateOptions = {}) {
+    return new Promise<PouchDB.Replication.ReplicationResult<{}>>(resolve => {
+      this.source.replicate
+        .to(this.target, opts)
+        .on("denied", function (err) {
           // a document failed to replicate (e.g. due to permissions)
           throw new Error(`Denied: Document failed to replicate ${err}`)
         })
-        .on("complete", function (info: any) {
+        .on("complete", function (info) {
           return resolve(info)
         })
-        .on("error", function (err: any) {
+        .on("error", function (err) {
           throw new Error(`Replication Error: ${err}`)
         })
     })
   }
 
-  /**
-   * Two way replication operation, intended to be promise based.
-   * @param opts - PouchDB replication options
-   */
-  sync(opts: PouchDB.Replication.SyncOptions = {}) {
-    this.replication = this.promisify(this.source.sync, opts)
-    return this.replication
-  }
-
-  /**
-   * One way replication operation, intended to be promise based.
-   * @param opts - PouchDB replication options
-   */
-  replicate(opts: PouchDB.Replication.ReplicateOptions = {}) {
-    this.replication = this.promisify(this.source.replicate.to, opts)
-    return this.replication
-  }
-
   appReplicateOpts(
     opts: PouchDB.Replication.ReplicateOptions = {}
   ): PouchDB.Replication.ReplicateOptions {
diff --git a/packages/server/src/api/controllers/role.ts b/packages/server/src/api/controllers/role.ts
index 6b62c568e2..84179d8dbc 100644
--- a/packages/server/src/api/controllers/role.ts
+++ b/packages/server/src/api/controllers/role.ts
@@ -107,17 +107,20 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
   role._rev = result.rev
   ctx.body = role
 
-  // TODO: need to check that the prod DB actually exists, I think it won't
-  // if the app has never been published.
-  const replication = new dbCore.Replication({
-    source: context.getDevAppDB().name,
-    target: context.getProdAppDB().name,
-  })
-  await replication.replicate({
-    filter: (doc: any, params: any) => {
-      return doc._id === _id
-    },
-  })
+  const devDb = context.getDevAppDB()
+  const prodDb = context.getProdAppDB()
+
+  if (await prodDb.exists()) {
+    const replication = new dbCore.Replication({
+      source: devDb.name,
+      target: prodDb.name,
+    })
+    await replication.replicate({
+      filter: (doc: any, params: any) => {
+        return doc._id === _id
+      },
+    })
+  }
 }
 
 export async function destroy(ctx: UserCtx<void, DestroyRoleResponse>) {

From 10ac21525ba205ce7dc138426b545befa3b030a0 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 14:58:34 +0000
Subject: [PATCH 09/15] Update submodules.

---
 packages/account-portal | 2 +-
 packages/pro            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/account-portal b/packages/account-portal
index 4de0d98e2f..0c050591c2 160000
--- a/packages/account-portal
+++ b/packages/account-portal
@@ -1 +1 @@
-Subproject commit 4de0d98e2f8d80ee7631dffe076063273812a441
+Subproject commit 0c050591c21d3b67dc0c9225d60cc9e2324c8dac
diff --git a/packages/pro b/packages/pro
index 60e47a8249..22a278da72 160000
--- a/packages/pro
+++ b/packages/pro
@@ -1 +1 @@
-Subproject commit 60e47a8249fd6291a6bc20fe3fe6776b11938fa1
+Subproject commit 22a278da720d92991dabdcd4cb6c96e7abe29781

From 1b387d359c669b9672ab1de10e2811bb72f26811 Mon Sep 17 00:00:00 2001
From: Conor Webb <126772285+ConorWebb96@users.noreply.github.com>
Date: Wed, 6 Mar 2024 16:32:00 +0000
Subject: [PATCH 10/15] Added icon to button component, reworked icon display
 code. (#12624)

* Added icons to buttons, removed svg code added icon component code.

* Added icon functionality to button group component.

* Added gap to button manifest

* Added gap to button setitngs.

* Added gap setting to ButtonGroup component

* Added the ability to clear the selected icon.

* Added enter search to icon select

* Removed use:styleable as its for the button

* Moved non internal props up

* Fixed broken DynamicFilter component icon

* Updated DynamicFilter icon to a better suited one

---------

Co-authored-by: melohagan <101575380+melohagan@users.noreply.github.com>
---
 .../controls/IconSelect/IconSelect.svelte     | 17 ++++++++--
 packages/client/manifest.json                 | 32 +++++++++++++++++++
 .../client/src/components/app/Button.svelte   | 24 +++++++-------
 .../src/components/app/ButtonGroup.svelte     |  4 ++-
 .../app/dynamic-filter/DynamicFilter.svelte   |  4 +--
 5 files changed, 65 insertions(+), 16 deletions(-)

diff --git a/packages/builder/src/components/design/settings/controls/IconSelect/IconSelect.svelte b/packages/builder/src/components/design/settings/controls/IconSelect/IconSelect.svelte
index 0c68c3c3e6..a28f5cfb3b 100644
--- a/packages/builder/src/components/design/settings/controls/IconSelect/IconSelect.svelte
+++ b/packages/builder/src/components/design/settings/controls/IconSelect/IconSelect.svelte
@@ -139,10 +139,22 @@
         {/each}
       </div>
       <div class="search-input">
-        <div class="input-wrapper">
-          <Input bind:value={searchTerm} thin placeholder="Search Icon" />
+        <div class="input-wrapper" style={`width: ${value ? "425" : "510"}px`}>
+          <Input
+            bind:value={searchTerm}
+            on:keyup={event => {
+              if (event.key === "Enter") {
+                searchForIcon()
+              }
+            }}
+            thin
+            placeholder="Search Icon"
+          />
         </div>
         <Button secondary on:click={searchForIcon}>Search</Button>
+        {#if value}
+          <Button primary on:click={() => (value = null)}>Clear</Button>
+        {/if}
       </div>
       <div class="page-area">
         <div class="pager">
@@ -239,6 +251,7 @@
     flex-flow: row nowrap;
     width: 100%;
     padding-right: 15px;
+    gap: 10px;
   }
   .input-wrapper {
     width: 510px;
diff --git a/packages/client/manifest.json b/packages/client/manifest.json
index 43b75ebe26..10f9c5f412 100644
--- a/packages/client/manifest.json
+++ b/packages/client/manifest.json
@@ -525,6 +525,38 @@
         "barTitle": "Disable button",
         "key": "disabled"
       },
+      {
+        "type": "icon",
+        "label": "Icon",
+        "key": "icon"
+      },
+      {
+        "type": "select",
+        "label": "Gap",
+        "key": "gap",
+        "showInBar": true,
+        "barStyle": "picker",
+        "dependsOn": "icon",
+        "options": [
+          {
+            "label": "None",
+            "value": "N"
+          },
+          {
+            "label": "Small",
+            "value": "S"
+          },
+          {
+            "label": "Medium",
+            "value": "M"
+          },
+          {
+            "label": "Large",
+            "value": "L"
+          }
+        ],
+        "defaultValue": "M"
+      },
       {
         "type": "event",
         "label": "On click",
diff --git a/packages/client/src/components/app/Button.svelte b/packages/client/src/components/app/Button.svelte
index 361e64a983..c43face1bb 100644
--- a/packages/client/src/components/app/Button.svelte
+++ b/packages/client/src/components/app/Button.svelte
@@ -13,9 +13,10 @@
   export let size = "M"
   export let type = "cta"
   export let quiet = false
+  export let icon = null
+  export let gap = "M"
 
   // For internal use only for now - not defined in the manifest
-  export let icon = null
   export let active = false
 
   const handleOnClick = async () => {
@@ -47,7 +48,7 @@
 
 {#key $component.editing}
   <button
-    class={`spectrum-Button spectrum-Button--size${size} spectrum-Button--${type}`}
+    class={`spectrum-Button spectrum-Button--size${size} spectrum-Button--${type} gap-${gap}`}
     class:spectrum-Button--quiet={quiet}
     disabled={disabled || handlingOnClick}
     use:styleable={$component.styles}
@@ -58,15 +59,7 @@
     class:active
   >
     {#if icon}
-      <svg
-        class:hasText={componentText?.length > 0}
-        class="spectrum-Icon spectrum-Icon--size{size.toUpperCase()}"
-        focusable="false"
-        aria-hidden="true"
-        aria-label={icon}
-      >
-        <use xlink:href="#spectrum-icon-18-{icon}" />
-      </svg>
+      <i class="{icon} {size}" />
     {/if}
     {componentText}
   </button>
@@ -92,4 +85,13 @@
   .active {
     color: var(--spectrum-global-color-blue-600);
   }
+  .gap-S {
+    gap: 8px;
+  }
+  .gap-M {
+    gap: 16px;
+  }
+  .gap-L {
+    gap: 32px;
+  }
 </style>
diff --git a/packages/client/src/components/app/ButtonGroup.svelte b/packages/client/src/components/app/ButtonGroup.svelte
index 3ee703e253..2cf6b3db7d 100644
--- a/packages/client/src/components/app/ButtonGroup.svelte
+++ b/packages/client/src/components/app/ButtonGroup.svelte
@@ -20,7 +20,7 @@
       wrap: true,
     }}
   >
-    {#each buttons as { text, type, quiet, disabled, onClick, size }}
+    {#each buttons as { text, type, quiet, disabled, onClick, size, icon, gap }}
       <BlockComponent
         type="button"
         props={{
@@ -29,6 +29,8 @@
           type,
           quiet,
           disabled,
+          icon,
+          gap,
           size: size || "M",
         }}
       />
diff --git a/packages/client/src/components/app/dynamic-filter/DynamicFilter.svelte b/packages/client/src/components/app/dynamic-filter/DynamicFilter.svelte
index 199a6122ab..549574e89b 100644
--- a/packages/client/src/components/app/dynamic-filter/DynamicFilter.svelte
+++ b/packages/client/src/components/app/dynamic-filter/DynamicFilter.svelte
@@ -92,9 +92,9 @@
 {#if schemaLoaded}
   <Button
     onClick={openEditor}
-    icon="Properties"
+    icon="ri-filter-3-line"
     text="Filter"
-    {size}
+    size="XL"
     type="secondary"
     quiet
     active={filters?.length > 0}

From aa200882744c7ef8ddfcecefed7cc167046cca31 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 16:57:29 +0000
Subject: [PATCH 11/15] Fix tests.

---
 packages/server/__mocks__/node-fetch.ts | 17 +++++++++--------
 packages/server/src/tests/jestEnv.ts    |  1 +
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/packages/server/__mocks__/node-fetch.ts b/packages/server/__mocks__/node-fetch.ts
index 265d6b1c36..98c75bb84f 100644
--- a/packages/server/__mocks__/node-fetch.ts
+++ b/packages/server/__mocks__/node-fetch.ts
@@ -8,6 +8,7 @@ module FetchMock {
   let mockSearch = false
 
   const func = async (url: any, opts: any) => {
+    const { host, pathname } = new URL(url)
     function json(body: any, status = 200) {
       return {
         status,
@@ -34,7 +35,7 @@ module FetchMock {
       }
     }
 
-    if (url.includes("/api/global")) {
+    if (pathname.includes("/api/global")) {
       const user = {
         email: "test@example.com",
         _id: "us_test@example.com",
@@ -47,31 +48,31 @@ module FetchMock {
           global: false,
         },
       }
-      return url.endsWith("/users") && opts.method === "GET"
+      return pathname.endsWith("/users") && opts.method === "GET"
         ? json([user])
         : json(user)
     }
     // mocked data based on url
-    else if (url.includes("api/apps")) {
+    else if (pathname.includes("api/apps")) {
       return json({
         app1: {
           url: "/app1",
         },
       })
-    } else if (url.includes("example.com")) {
+    } else if (host.includes("example.com")) {
       return json({
         body: opts.body,
         url,
         method: opts.method,
       })
-    } else if (url.includes("invalid.com")) {
+    } else if (host.includes("invalid.com")) {
       return json(
         {
           invalid: true,
         },
         404
       )
-    } else if (mockSearch && url.includes("_search")) {
+    } else if (mockSearch && pathname.includes("_search")) {
       const body = opts.body
       const parts = body.split("tableId:")
       let tableId
@@ -90,7 +91,7 @@ module FetchMock {
         ],
         bookmark: "test",
       })
-    } else if (url.includes("google.com")) {
+    } else if (host.includes("google.com")) {
       return json({
         url,
         opts,
@@ -177,7 +178,7 @@ module FetchMock {
     } else if (url === "https://www.googleapis.com/oauth2/v4/token") {
       // any valid response
       return json({})
-    } else if (url.includes("failonce.com")) {
+    } else if (host.includes("failonce.com")) {
       failCount++
       if (failCount === 1) {
         return json({ message: "error" }, 500)
diff --git a/packages/server/src/tests/jestEnv.ts b/packages/server/src/tests/jestEnv.ts
index 4763208c54..7c58470e9b 100644
--- a/packages/server/src/tests/jestEnv.ts
+++ b/packages/server/src/tests/jestEnv.ts
@@ -10,3 +10,4 @@ process.env.MOCK_REDIS = "1"
 process.env.PLATFORM_URL = "http://localhost:10000"
 process.env.REDIS_PASSWORD = "budibase"
 process.env.BUDIBASE_VERSION = "0.0.0+jest"
+process.env.WORKER_URL = "http://localhost:10000"

From b7e5d9f71aadf42f34b1ac25377a02ad22b535b7 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 16:58:51 +0000
Subject: [PATCH 12/15] Sync all roles on any role change.

---
 packages/server/src/api/controllers/role.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/server/src/api/controllers/role.ts b/packages/server/src/api/controllers/role.ts
index 84179d8dbc..2f5340d2e6 100644
--- a/packages/server/src/api/controllers/role.ts
+++ b/packages/server/src/api/controllers/role.ts
@@ -117,7 +117,7 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
     })
     await replication.replicate({
       filter: (doc: any, params: any) => {
-        return doc._id === _id
+        return doc._id && doc._id.startsWith("role_")
       },
     })
   }

From 470b5b5349e88ef7d94c2380bf3f14c36ba7ecb0 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 17:02:37 +0000
Subject: [PATCH 13/15] Remove incorrect cache invalidation.

---
 packages/server/src/api/controllers/user.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/server/src/api/controllers/user.ts b/packages/server/src/api/controllers/user.ts
index d1658f9820..7fc5c6e1bc 100644
--- a/packages/server/src/api/controllers/user.ts
+++ b/packages/server/src/api/controllers/user.ts
@@ -42,7 +42,6 @@ export async function updateMetadata(
   // this isn't applicable to the user
   delete metadata.roles
   ctx.body = await db.put(metadata)
-  await cache.user.invalidateUser(user._id!)
 }
 
 export async function destroyMetadata(ctx: UserCtx<void, { message: string }>) {

From 6f692723e7f848d0351520da34e6961ca0d5da18 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Wed, 6 Mar 2024 17:28:45 +0000
Subject: [PATCH 14/15] Remove flakiness in SCIM tests.

---
 packages/backend-core/tests/core/utilities/structures/scim.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/backend-core/tests/core/utilities/structures/scim.ts b/packages/backend-core/tests/core/utilities/structures/scim.ts
index f36ccd2374..f424b2881a 100644
--- a/packages/backend-core/tests/core/utilities/structures/scim.ts
+++ b/packages/backend-core/tests/core/utilities/structures/scim.ts
@@ -13,7 +13,7 @@ interface CreateUserRequestFields {
 export function createUserRequest(userData?: Partial<CreateUserRequestFields>) {
   const defaultValues = {
     externalId: uuid(),
-    email: generator.email({ domain: "example.com" }),
+    email: `${uuid()}@example.com`,
     firstName: generator.first(),
     lastName: generator.last(),
     username: generator.name(),

From 907018448af0a0a178ee71353d813ea56d5396df Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Thu, 7 Mar 2024 09:23:19 +0000
Subject: [PATCH 15/15] Update pro reference.

---
 packages/pro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/pro b/packages/pro
index 22a278da72..2b322d0f4b 160000
--- a/packages/pro
+++ b/packages/pro
@@ -1 +1 @@
-Subproject commit 22a278da720d92991dabdcd4cb6c96e7abe29781
+Subproject commit 2b322d0f4b71ba96664d383b94c30445ead7ac5b