[Permissions] Implement getRoles (#9955)

In this PR - introducing roles module to separate roles logic (assign a Role, get a workspace's roles etc.) from permission logic (check if a user has a permission) - Introduces getRoles endpoint to fetch a workspace's roles - introduces the first permission check: getRoles in only accessible to users with permission on ROLE setting. Implemented validatesUserHasWorkspaceSettingPermissionOrThrow
2025-02-03 19:14:18 +01:00
parent caee5b1f89
commit 351e768038
18 changed files with 413 additions and 50 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/role/role.resolver.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/role/role.resolver.ts
@ -0,0 +1,65 @@
+import { Parent, Query, ResolveField, Resolver } from '@nestjs/graphql';
+
+import { SettingsFeatures } from 'twenty-shared';
+
+import { WorkspaceMember } from 'src/engine/core-modules/user/dtos/workspace-member.dto';
+import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
+import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
+import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
+import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
+import { permissionsGraphqlApiExceptionHandler } from 'src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception-handler';
+import { RoleDTO } from 'src/engine/metadata-modules/role/dtos/role.dto';
+import { RoleService } from 'src/engine/metadata-modules/role/role.service';
+import { UserRoleService } from 'src/engine/metadata-modules/userRole/userRole.service';
+import { WorkspaceMemberWorkspaceEntity } from 'src/modules/workspace-member/standard-objects/workspace-member.workspace-entity';
+
+@Resolver(() => RoleDTO)
+export class RoleResolver {
+  constructor(
+    private readonly userRoleService: UserRoleService,
+    private readonly permissionsService: PermissionsService,
+    private readonly roleService: RoleService,
+  ) {}
+
+  @Query(() => [RoleDTO])
+  async getRoles(
+    @AuthUserWorkspaceId() userWorkspaceId: string,
+    @AuthWorkspace() workspace: Workspace,
+  ): Promise<RoleDTO[]> {
+    try {
+      await this.permissionsService.validateUserHasWorkspaceSettingPermissionOrThrow(
+        {
+          userWorkspaceId,
+          setting: SettingsFeatures.ROLES,
+        },
+      );
+
+      const roles = await this.roleService.getWorkspaceRoles(workspace.id);
+
+      return roles.map((role) => ({
+        id: role.id,
+        label: role.label,
+        canUpdateAllSettings: role.canUpdateAllSettings,
+        description: role.description,
+        workspaceId: role.workspaceId,
+        createdAt: role.createdAt,
+        updatedAt: role.updatedAt,
+        isEditable: role.isEditable,
+        userWorkspaceRoles: role.userWorkspaceRoles,
+      }));
+    } catch (error) {
+      return permissionsGraphqlApiExceptionHandler(error);
+    }
+  }
+
+  @ResolveField('workspaceMembers', () => [WorkspaceMember])
+  async getWorkspaceMembersAssignedToRole(
+    @Parent() role: RoleDTO,
+    @AuthWorkspace() workspace: Workspace,
+  ): Promise<WorkspaceMemberWorkspaceEntity[]> {
+    return this.userRoleService.getWorkspaceMembersAssignedToRole(
+      role.id,
+      workspace.id,
+    );
+  }
+}