bryanbcook · bryanbcook · Aug 3, 2025 · Aug 3, 2025
diff --git a/src/private/ModuleInitHelpers.ps1 b/src/private/ModuleInitHelpers.ps1
@@ -0,0 +1,6 @@
+function Test-IsAdmin
+{
+  $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
+  $principal = New-Object System.Security.Principal.WindowsPrincipal($currentIdentity)
+  return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
+}
diff --git a/src/public/Initialize-Blogger.ps1 b/src/public/Initialize-Blogger.ps1
@@ -21,6 +21,8 @@ Initiate a login flow with Google
 
   Initialize-Blogger
 
+.NOTES
+  Note that this function requires administrator permissions to support the authentication flow.
 #>
 Function Initialize-Blogger {
   [CmdletBinding()]
@@ -34,8 +36,17 @@ Function Initialize-Blogger {
     [Parameter(HelpMessage = "Redirect Uri specified in Google API Consent Form")]
     [string]$RedirectUri = "http://localhost/oauth2callback"
   )
+
+  # Check that we're running as an admin
+  if (-not (Test-IsAdmin)) {
+    Write-Warning "Administrator privileges are required to initialize Blogger authentication."
+    Write-Warning "Please restart PowerShell as Administrator and try again."
+    return
+  }
 
   $ErrorActionPreference = 'Stop'
+
+  # Show warning to developers if they attempt to use the neutered credentials by mistake
   if ($env:PSBLOGGER_CLIENT_ID -and !$PSBoundParameters.ContainsKey("ClientId"))
   {
     Write-Verbose "Using environment variable PSBLOGGER_CLIENT_ID for ClientId"

diff --git a/src/tests/Initialize-Blogger.Tests.ps1 b/src/tests/Initialize-Blogger.Tests.ps1
@@ -4,16 +4,13 @@ Describe "Initialize-Blogger" {
     Import-Module $PSScriptRoot\..\PSBlogger.psm1 -Force
   }
 
-  # Context "Try it" {
-  #   It "Should launch browser and authenticate" {
-  #     Initialize-Blogger
-  #   }
-  # }
-
   Context "User provides AuthCode" {
 
     BeforeEach {
       InModuleScope -ModuleName PSBlogger {
+        # simulate running as admin
+        Mock Test-IsAdmin { $true }
+
         # simulate valid auth token
         Mock Get-GoogleAccessToken { return @{ refresh_token = "refresh_token" } }
         # simulate valid offline token
@@ -72,4 +69,30 @@ Describe "Initialize-Blogger" {
 
   }
 
+  Context "Running as non-admin" {
+    BeforeEach {
+      InModuleScope -ModuleName PSBlogger {
+        # simulate running as non-admin
+        Mock Test-IsAdmin { $false }
+
+        # ensure that we don't launch browser or admin features
+        Mock Start-Process { throw "Unexpected call to start-process"}
+      }
+    }
+
+    It "Should show warning and exit when not admin" {
+      InModuleScope -ModuleName PSBlogger {
+        # arrange
+        $initArgs = @{ ClientId="dummy"; ClientSecret="dummy" }
+        Mock Write-Warning {} -Verifiable
+
+        # act & assert
+        { Initialize-Blogger @initArgs } | Should -Not -Throw
+
+        # The function should exit early, so we can verify it doesn't try to do auth
+        Assert-MockCalled Test-IsAdmin -Times 1
+        Should -InvokeVerifiable
+      }
+    }
+  }
 }