admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[permissions] permissions and workflows (#12436)

Browse Source 
In this PR

- Determine object record permissions on workflows objects (workflow,
workflowVersion, workflowRun) base on settings permissions @Weiko
- Add Workflow permission guards on workflow resolvers @thomtrp . **Any
method within a resolver that has the SettingsPermission Guard is only
callable by a apiKey or a user that has the permission** (so not by
external parties).
- Add checks bypass in workflow services since 1) for actions gated by
settings permissions, the gate should be done at resolver level, so it
will have been done before the call to the service 2) some service
methods may be called by workflowTriggerController which is callable by
external parties without permissions (ex:
workflowCommonWorkspaceService.getWorkflowVersionOrFail). This is
something we may want to change in the future (still to discuss), by
removing the guard at resolver-level and relying on
shouldBypassPermissionChecks at getRepository and made in a way that we
only bypass for external parties.
- Add checks bypass for actions performed by workflows since they should
not be restricted in our current vision
- Add tests
This commit is contained in:
Marie
2025-06-11 18:47:29 +02:00
committed by GitHub
parent e33f2fadd8
commit 04dd0e50bb
34 changed files with 864 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/twenty-server/src/modules/workflow/workflow-trigger/automated-trigger/listeners/database-event-trigger.listener.ts
View File

@ -206,6 +206,7 @@ export class DatabaseEventTriggerListener {
await this.twentyORMGlobalManager.getRepositoryForWorkspace(
workspaceId,
relatedObjectMetadataNameSingular,
{ shouldBypassPermissionChecks: true },
);
record[joinField.name] = await relatedObjectRepository.findOne({
@ -254,6 +255,7 @@ export class DatabaseEventTriggerListener {
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowAutomatedTriggerWorkspaceEntity>(
workspaceId,
automatedTriggerTableName,
{ shouldBypassPermissionChecks: true },
);
const eventListeners = await workflowAutomatedTriggerRepository.find({

12
packages/twenty-server/src/modules/workflow/workflow-trigger/jobs/workflow-trigger.job.ts
View File

@ -10,7 +10,7 @@ import { MessageQueue } from 'src/engine/core-modules/message-queue/message-queu
import { MessageQueueService } from 'src/engine/core-modules/message-queue/services/message-queue.service';
import { handleWorkflowTriggerException } from 'src/engine/core-modules/workflow/filters/workflow-trigger-graphql-api-exception.filter';
import { FieldActorSource } from 'src/engine/metadata-modules/field-metadata/composite-types/actor.composite-type';
import { TwentyORMManager } from 'src/engine/twenty-orm/twenty-orm.manager';
import { TwentyORMGlobalManager } from 'src/engine/twenty-orm/twenty-orm-global.manager';
import {
WorkflowVersionStatus,
WorkflowVersionWorkspaceEntity,
@ -33,7 +33,7 @@ const DEFAULT_WORKFLOW_NAME = 'Workflow';
@Processor({ queueName: MessageQueue.workflowQueue, scope: Scope.REQUEST })
export class WorkflowTriggerJob {
constructor(
private readonly twentyORMManager: TwentyORMManager,
private readonly twentyORMGlobalManager: TwentyORMGlobalManager,
private readonly workflowRunnerWorkspaceService: WorkflowRunnerWorkspaceService,
@InjectMessageQueue(MessageQueue.workflowQueue)
private readonly messageQueueService: MessageQueueService,
@ -43,8 +43,10 @@ export class WorkflowTriggerJob {
async handle(data: WorkflowTriggerJobData): Promise<void> {
try {
const workflowRepository =
await this.twentyORMManager.getRepository<WorkflowWorkspaceEntity>(
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowWorkspaceEntity>(
data.workspaceId,
'workflow',
{ shouldBypassPermissionChecks: true },
);
const workflow = await workflowRepository.findOneBy({
@ -66,8 +68,10 @@ export class WorkflowTriggerJob {
}
const workflowVersionRepository =
await this.twentyORMManager.getRepository<WorkflowVersionWorkspaceEntity>(
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowVersionWorkspaceEntity>(
data.workspaceId,
'workflowVersion',
{ shouldBypassPermissionChecks: true },
);
const workflowVersion = await workflowVersionRepository.findOneBy({

32
packages/twenty-server/src/modules/workflow/workflow-trigger/workspace-services/workflow-trigger.workspace-service.ts
View File

@ -9,7 +9,7 @@ import { ObjectMetadataEntity } from 'src/engine/metadata-modules/object-metadat
import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
import { ScopedWorkspaceContextFactory } from 'src/engine/twenty-orm/factories/scoped-workspace-context.factory';
import { WorkspaceRepository } from 'src/engine/twenty-orm/repository/workspace.repository';
import { TwentyORMManager } from 'src/engine/twenty-orm/twenty-orm.manager';
import { TwentyORMGlobalManager } from 'src/engine/twenty-orm/twenty-orm-global.manager';
import { WorkspaceEventEmitter } from 'src/engine/workspace-event-emitter/workspace-event-emitter';
import { AutomatedTriggerType } from 'src/modules/workflow/common/standard-objects/workflow-automated-trigger.workspace-entity';
import {
@ -36,7 +36,7 @@ import { assertNever } from 'src/utils/assert';
@Injectable()
export class WorkflowTriggerWorkspaceService {
constructor(
private readonly twentyORMManager: TwentyORMManager,
private readonly twentyORMGlobalManager: TwentyORMGlobalManager,
private readonly workflowCommonWorkspaceService: WorkflowCommonWorkspaceService,
private readonly scopedWorkspaceContextFactory: ScopedWorkspaceContextFactory,
private readonly workflowRunnerWorkspaceService: WorkflowRunnerWorkspaceService,
@ -68,9 +68,10 @@ export class WorkflowTriggerWorkspaceService {
payload: object;
createdBy: ActorMetadata;
}) {
await this.workflowCommonWorkspaceService.getWorkflowVersionOrFail(
await this.workflowCommonWorkspaceService.getWorkflowVersionOrFail({
workflowVersionId,
);
workspaceId: this.getWorkspaceId(),
});
return this.workflowRunnerWorkspaceService.run({
workspaceId: this.getWorkspaceId(),
@ -81,9 +82,12 @@ export class WorkflowTriggerWorkspaceService {
}
async activateWorkflowVersion(workflowVersionId: string) {
const workspaceId = this.getWorkspaceId();
const workflowVersionRepository =
await this.twentyORMManager.getRepository<WorkflowVersionWorkspaceEntity>(
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowVersionWorkspaceEntity>(
this.getWorkspaceId(),
'workflowVersion',
{ shouldBypassPermissionChecks: true }, // settings permissions are checked at resolver-level
);
const workflowVersionNullable = await workflowVersionRepository.findOne({
@ -96,8 +100,10 @@ export class WorkflowTriggerWorkspaceService {
);
const workflowRepository =
await this.twentyORMManager.getRepository<WorkflowWorkspaceEntity>(
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowWorkspaceEntity>(
workspaceId,
'workflow',
{ shouldBypassPermissionChecks: true }, // settings permissions are checked at resolver-level
);
const workflow = await workflowRepository.findOne({
@ -113,7 +119,10 @@ export class WorkflowTriggerWorkspaceService {
assertVersionCanBeActivated(workflowVersion, workflow);
const workspaceDataSource = await this.twentyORMManager.getDatasource();
const workspaceDataSource =
await this.twentyORMGlobalManager.getDataSourceForWorkspace({
workspaceId: this.getWorkspaceId(),
});
const queryRunner = workspaceDataSource.createQueryRunner();
await queryRunner.connect();
@ -142,7 +151,10 @@ export class WorkflowTriggerWorkspaceService {
}
async deactivateWorkflowVersion(workflowVersionId: string) {
const workspaceDataSource = await this.twentyORMManager.getDatasource();
const workspaceDataSource =
await this.twentyORMGlobalManager.getDataSourceForWorkspace({
workspaceId: this.getWorkspaceId(),
});
const queryRunner = workspaceDataSource.createQueryRunner();
await queryRunner.connect();
@ -150,8 +162,10 @@ export class WorkflowTriggerWorkspaceService {
try {
const workflowVersionRepository =
await this.twentyORMManager.getRepository<WorkflowVersionWorkspaceEntity>(
await this.twentyORMGlobalManager.getRepositoryForWorkspace<WorkflowVersionWorkspaceEntity>(
this.getWorkspaceId(),
'workflowVersion',
{ shouldBypassPermissionChecks: true },
);
await this.performDeactivationSteps(