[field-level permissions] Upsert fieldPermission + use fieldPermission to compute permissions (#13050)

In this PR - introduction of fieldPermission entity - addition of upsertFieldPermission in role resolver - computing of permissions taking fieldPermission into account. In order to limit what is stored in Redis we only store fields restrictions. For instance for objectMetadata with id XXX with a restriction on field with id YYY we store: `"XXX":{"canRead":true,"canUpdate":false,"canSoftDelete":false,"canDestroy":false,"restrictedFields":{"YYY":{"canRead":false,"canUpdate":null}}}` --------- Co-authored-by: Charles Bochet <charlesBochet@users.noreply.github.com>
2025-07-09 10:47:59 +02:00
parent 6ba6860e1c
commit 1cb60f943e
49 changed files with 1343 additions and 47 deletions
--- a/packages/twenty-server/test/integration/graphql/suites/settings-permissions/roles.integration-spec.ts
+++ b/packages/twenty-server/test/integration/graphql/suites/settings-permissions/roles.integration-spec.ts
@ -3,6 +3,7 @@ import { deleteOneRoleOperationFactory } from 'test/integration/graphql/utils/de
 import { createOneObjectMetadata } from 'test/integration/metadata/suites/object-metadata/utils/create-one-object-metadata.util';
 import { deleteOneObjectMetadata } from 'test/integration/metadata/suites/object-metadata/utils/delete-one-object-metadata.util';

+import { fieldTextMock } from 'src/engine/api/__mocks__/object-metadata-item.mock';
 import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
 import { SettingPermissionType } from 'src/engine/metadata-modules/permissions/constants/setting-permission-type.constants';
 import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
@ -537,6 +538,27 @@ describe('roles permissions', () => {
            );
          });
      });
+
+      describe('upsertFieldPermissions', () => {
+        it('should throw a permission error when user does not have permission to upsert field permission (member role)', async () => {
+          const query = {
+            query: `
+              mutation UpsertFieldPermissions {
+                upsertFieldPermissions(upsertFieldPermissionsInput: {roleId: "${guestRoleId}", fieldPermissions: [{objectMetadataId: "${listingObjectId}", fieldMetadataId: "${fieldTextMock.id}", canReadFieldValue: false, canUpdateFieldValue: false}]}) {
+                  id
+                  roleId
+                  objectMetadataId
+                  fieldMetadataId
+                  canReadFieldValue
+                  canUpdateFieldValue
+                }
+              }
+            `,
+          };
+
+          await assertPermissionDeniedForMemberWithMemberRole({ query });
+        });
+      });
    });

    describe('upsertSettingPermissions', () => {