admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[field-level permissions] Upsert fieldPermission + use fieldPermission to compute permissions (#13050)

Browse Source 
In this PR

- introduction of fieldPermission entity
- addition of upsertFieldPermission in role resolver
- computing of permissions taking fieldPermission into account. In order
to limit what is stored in Redis we only store fields restrictions. For
instance for objectMetadata with id XXX with a restriction on field with
id YYY we store:
`"XXX":{"canRead":true,"canUpdate":false,"canSoftDelete":false,"canDestroy":false,"restrictedFields":{"YYY":{"canRead":false,"canUpdate":null}}}`

---------

Co-authored-by: Charles Bochet <charlesBochet@users.noreply.github.com>
This commit is contained in:
Marie
2025-07-09 10:47:59 +02:00
committed by GitHub
parent 6ba6860e1c
commit 1cb60f943e
49 changed files with 1343 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
packages/twenty-server/test/integration/graphql/suites/settings-permissions/roles.integration-spec.ts
View File

@ -3,6 +3,7 @@ import { deleteOneRoleOperationFactory } from 'test/integration/graphql/utils/de
import { createOneObjectMetadata } from 'test/integration/metadata/suites/object-metadata/utils/create-one-object-metadata.util';
import { deleteOneObjectMetadata } from 'test/integration/metadata/suites/object-metadata/utils/delete-one-object-metadata.util';
import { fieldTextMock } from 'src/engine/api/__mocks__/object-metadata-item.mock';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { SettingPermissionType } from 'src/engine/metadata-modules/permissions/constants/setting-permission-type.constants';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
@ -537,6 +538,27 @@ describe('roles permissions', () => {
);
});
});
describe('upsertFieldPermissions', () => {
it('should throw a permission error when user does not have permission to upsert field permission (member role)', async () => {
const query = {
query: `
mutation UpsertFieldPermissions {
upsertFieldPermissions(upsertFieldPermissionsInput: {roleId: "${guestRoleId}", fieldPermissions: [{objectMetadataId: "${listingObjectId}", fieldMetadataId: "${fieldTextMock.id}", canReadFieldValue: false, canUpdateFieldValue: false}]}) {
id
roleId
objectMetadataId
fieldMetadataId
canReadFieldValue
canUpdateFieldValue
}
}
`,
};
await assertPermissionDeniedForMemberWithMemberRole({ query });
});
});
});
describe('upsertSettingPermissions', () => {

5
packages/twenty-server/test/integration/metadata/suites/agent/agent-tool.service.integration-spec.ts
View File

@ -47,6 +47,7 @@ describe('AgentToolService Integration', () => {
canUpdate: true,
canSoftDelete: true,
canDestroy: true,
restrictedFields: {},
},
},
},
@ -91,6 +92,7 @@ describe('AgentToolService Integration', () => {
canUpdate: false,
canSoftDelete: false,
canDestroy: false,
restrictedFields: {},
},
},
},
@ -168,6 +170,7 @@ describe('AgentToolService Integration', () => {
canUpdate: true,
canSoftDelete: true,
canDestroy: false,
restrictedFields: {},
},
},
},
@ -767,12 +770,14 @@ describe('AgentToolService Integration', () => {
canUpdate: true,
canSoftDelete: false,
canDestroy: false,
restrictedFields: {},
},
[secondObjectMetadata.id]: {
canRead: true,
canUpdate: false,
canSoftDelete: true,
canDestroy: false,
restrictedFields: {},
},
},
},

2
packages/twenty-server/test/integration/metadata/suites/agent/utils/agent-tool-test-utils.ts
View File

@ -158,6 +158,7 @@ export const createAgentToolTestModule =
targetRelationFields: [],
dataSource: {} as any,
objectPermissions: [],
fieldPermissions: [],
};
return {
@ -207,6 +208,7 @@ export const setupBasicPermissions = (context: AgentToolTestContext) => {
canUpdate: true,
canSoftDelete: true,
canDestroy: false,
restrictedFields: {},
},
},
},