[permissions] Implement object-records permissions in query builders (#11458)

In this PR we are

- (if permissionsV2 is enabled) executing permission checks at query
builder level. To do so we want to override the query builders methods
that are performing db calls (.execute(), .getMany(), ... etc.) For now
I have just overriden some of the query builders methods for the poc. To
do so I created custom query builder classes that extend typeorm's query
builder (selectQueryBuilder and updateQueryBuilder, for now and later I
will tackle softDeleteQueryBuilder, etc.).
- adding a notion of roles permissions version and roles permissions
object to datasources. We will now use one datasource per roleId and
rolePermissionVersion. Both rolesPermissionsVersion and rolesPermissions
objects are stored in redis and recomputed at role update or if queried
and found empty. Unlike for metadata version we don't need to store a
version in the db that stands for the source of truth. We also don't
need to destroy and recreate the datasource if the rolesPermissions
version changes, but only to update the value for rolesPermissions and
rolesPermissionsVersions on the existing datasource.

What this PR misses
- computing of roles permissions should take into account
objectPermissions table (for now it only looks at what's on the roles
table)
- pursue extension of query builder classes and overriding of their db
calling-methods
- what should the behaviour be for calls from twentyOrmGlobalManager
that don't have a roleId?

packages/twenty-server/src/engine/twenty-orm/entity-manager/entity.manager.ts

@@ -4,14 +4,17 @@ import {
   EntityTarget,
   ObjectLiteral,
   QueryRunner,
+  Repository,
 } from 'typeorm';
 
 import { WorkspaceInternalContext } from 'src/engine/twenty-orm/interfaces/workspace-internal-context.interface';
 
+import { WorkspaceDataSource } from 'src/engine/twenty-orm/datasource/workspace.datasource';
 import { WorkspaceRepository } from 'src/engine/twenty-orm/repository/workspace.repository';
 
 export class WorkspaceEntityManager extends EntityManager {
   private readonly internalContext: WorkspaceInternalContext;
+  readonly repositories: Map<string, Repository<any>>;
 
   constructor(
     internalContext: WorkspaceInternalContext,
@@ -20,27 +23,39 @@ export class WorkspaceEntityManager extends EntityManager {
   ) {
     super(connection, queryRunner);
     this.internalContext = internalContext;
+    this.repositories = new Map();
   }
 
   override getRepository<Entity extends ObjectLiteral>(
     target: EntityTarget<Entity>,
+    roleId?: string,
   ): WorkspaceRepository<Entity> {
-    // find already created repository instance and return it if found
-
-    const repoFromMap = this.repositories.get(target);
+    const dataSource = this.connection as WorkspaceDataSource;
+    const repositoryKey = `${dataSource.getMetadata(target).name}_${roleId ?? 'default'}${dataSource.rolesPermissionsVersion ? `_${dataSource.rolesPermissionsVersion}` : ''}${dataSource.featureFlagMapVersion ? `_${dataSource.featureFlagMapVersion}` : ''}`;
+    const repoFromMap = this.repositories.get(repositoryKey);
 
     if (repoFromMap) {
       return repoFromMap as WorkspaceRepository<Entity>;
     }
 
+    let objectPermissions = {};
+
+    if (roleId) {
+      const objectPermissionsByRoleId = dataSource.permissionsPerRoleId;
+
+      objectPermissions = objectPermissionsByRoleId?.[roleId] ?? {};
+    }
+
     const newRepository = new WorkspaceRepository<Entity>(
       this.internalContext,
       target,
       this,
+      dataSource.featureFlagMap,
       this.queryRunner,
+      objectPermissions,
     );
 
-    this.repositories.set(target, newRepository);
+    this.repositories.set(repositoryKey, newRepository);
 
     return newRepository;
   }