From 3a78e6f88924e251f144000c17a990953d5278ca Mon Sep 17 00:00:00 2001 From: Marie <51697796+ijreilly@users.noreply.github.com> Date: Thu, 30 Jan 2025 16:05:33 +0100 Subject: [PATCH] Introduce userWorkspaceRoles and Roles + seed standard admin role at workspace creation (#9929) Closes https://github.com/twentyhq/core-team-issues/issues/303 --- .../1738248281689-createPermissionsTable.ts | 25 +++++++ .../environment/environment-variables.ts | 5 ++ .../constants/admin-role-label.constants.ts | 1 + .../permissions/permissions.exception.ts | 15 ++++ .../permissions/permissions.module.ts | 19 +++++ .../permissions/permissions.service.ts | 74 +++++++++++++++++++ .../permissions/role.entity.ts | 44 +++++++++++ .../permissions/user-workspace-role.entity.ts | 39 ++++++++++ .../workspace-manager.module.ts | 5 ++ .../workspace-manager.service.ts | 54 +++++++++++++- 10 files changed, 279 insertions(+), 2 deletions(-) create mode 100644 packages/twenty-server/src/database/typeorm/metadata/migrations/1738248281689-createPermissionsTable.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/constants/admin-role-label.constants.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/permissions.module.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/role.entity.ts create mode 100644 packages/twenty-server/src/engine/metadata-modules/permissions/user-workspace-role.entity.ts diff --git a/packages/twenty-server/src/database/typeorm/metadata/migrations/1738248281689-createPermissionsTable.ts b/packages/twenty-server/src/database/typeorm/metadata/migrations/1738248281689-createPermissionsTable.ts new file mode 100644 index 000000000..6475b594d --- /dev/null +++ b/packages/twenty-server/src/database/typeorm/metadata/migrations/1738248281689-createPermissionsTable.ts @@ -0,0 +1,25 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +export class CreatePermissionsTable1738248281689 implements MigrationInterface { + name = 'CreatePermissionsTable1738248281689'; + + public async up(queryRunner: QueryRunner): Promise { + await queryRunner.query( + `CREATE TABLE "metadata"."role" ("id" uuid NOT NULL DEFAULT uuid_generate_v4(), "label" character varying NOT NULL, "canUpdateAllSettings" boolean NOT NULL DEFAULT false, "description" text, "workspaceId" uuid NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "isEditable" boolean NOT NULL DEFAULT true, CONSTRAINT "PK_b36bcfe02fc8de3c57a8b2391c2" PRIMARY KEY ("id"))`, + ); + await queryRunner.query( + `CREATE TABLE "metadata"."userWorkspaceRole" ("id" uuid NOT NULL DEFAULT uuid_generate_v4(), "workspaceId" uuid NOT NULL, "roleId" uuid NOT NULL, "userWorkspaceId" uuid NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), CONSTRAINT "IndexOnUserWorkspaceRoleUnique" UNIQUE ("userWorkspaceId", "roleId"), CONSTRAINT "PK_9c02cbdd9053fbb6791e21b7146" PRIMARY KEY ("id"))`, + ); + await queryRunner.query( + `ALTER TABLE "metadata"."userWorkspaceRole" ADD CONSTRAINT "FK_0b70755f23a3705f1bea0ddc7d4" FOREIGN KEY ("roleId") REFERENCES "metadata"."role"("id") ON DELETE CASCADE ON UPDATE NO ACTION`, + ); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query( + `ALTER TABLE "metadata"."userWorkspaceRole" DROP CONSTRAINT "FK_0b70755f23a3705f1bea0ddc7d4"`, + ); + await queryRunner.query(`DROP TABLE "metadata"."userWorkspaceRole"`); + await queryRunner.query(`DROP TABLE "metadata"."role"`); + } +} diff --git a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts index 5547a1638..0123c0735 100644 --- a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts +++ b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts @@ -94,6 +94,11 @@ export class EnvironmentVariables { @IsBoolean() TELEMETRY_ENABLED = true; + @CastToBoolean() + @IsOptional() + @IsBoolean() + PERMISSIONS_ENABLED = false; + @CastToBoolean() @IsOptional() @IsBoolean() diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/constants/admin-role-label.constants.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/constants/admin-role-label.constants.ts new file mode 100644 index 000000000..c75ece64f --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/constants/admin-role-label.constants.ts @@ -0,0 +1 @@ +export const ADMIN_ROLE_LABEL = 'Admin'; diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts new file mode 100644 index 000000000..a3b9308bc --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts @@ -0,0 +1,15 @@ +import { CustomException } from 'src/utils/custom-exception'; + +export class PermissionsException extends CustomException { + code: PermissionsExceptionCode; + constructor(message: string, code: PermissionsExceptionCode) { + super(message, code); + } +} + +export enum PermissionsExceptionCode { + ADMIN_ROLE_NOT_FOUND = 'ADMIN_ROLE_NOT_FOUND', + USER_WORKSPACE_NOT_FOUND = 'USER_WORKSPACE_NOT_FOUND', + WORKSPACE_ID_ROLE_USER_WORKSPACE_MISMATCH = 'WORKSPACE_ID_ROLE_USER_WORKSPACE_MISMATCH', + TOO_MANY_ADMIN_CANDIDATES = 'TOO_MANY_ADMIN_CANDIDATES', +} diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.module.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.module.ts new file mode 100644 index 000000000..6ef3bad33 --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.module.ts @@ -0,0 +1,19 @@ +import { Module } from '@nestjs/common'; +import { TypeOrmModule } from '@nestjs/typeorm'; + +import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module'; +import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity'; +import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service'; +import { RoleEntity } from 'src/engine/metadata-modules/permissions/role.entity'; +import { UserWorkspaceRoleEntity } from 'src/engine/metadata-modules/permissions/user-workspace-role.entity'; + +@Module({ + imports: [ + TypeOrmModule.forFeature([RoleEntity, UserWorkspaceRoleEntity], 'metadata'), + FeatureFlagModule, + TypeOrmModule.forFeature([UserWorkspace], 'core'), + ], + providers: [PermissionsService], + exports: [PermissionsService], +}) +export class PermissionsModule {} diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts new file mode 100644 index 000000000..af0746159 --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts @@ -0,0 +1,74 @@ +import { Injectable } from '@nestjs/common'; +import { InjectRepository } from '@nestjs/typeorm'; + +import { Repository } from 'typeorm'; + +import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service'; +import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity'; +import { ADMIN_ROLE_LABEL } from 'src/engine/metadata-modules/permissions/constants/admin-role-label.constants'; +import { + PermissionsException, + PermissionsExceptionCode, +} from 'src/engine/metadata-modules/permissions/permissions.exception'; +import { RoleEntity } from 'src/engine/metadata-modules/permissions/role.entity'; +import { UserWorkspaceRoleEntity } from 'src/engine/metadata-modules/permissions/user-workspace-role.entity'; +import { isDefined } from 'src/utils/is-defined'; + +@Injectable() +export class PermissionsService { + constructor( + @InjectRepository(RoleEntity, 'metadata') + private readonly roleRepository: Repository, + @InjectRepository(UserWorkspaceRoleEntity, 'metadata') + private readonly userWorkspaceRoleRepository: Repository, + @InjectRepository(UserWorkspace, 'core') + private readonly userWorkspaceRepository: Repository, + private readonly environmentService: EnvironmentService, + ) {} + + public async createAdminRole({ + workspaceId, + }: { + workspaceId: string; + }): Promise { + return this.roleRepository.save({ + label: ADMIN_ROLE_LABEL, + description: 'Admin role', + canUpdateAllSettings: true, + isEditable: false, + workspaceId, + }); + } + + public async assignRoleToUserWorkspace({ + workspaceId, + userWorkspaceId, + roleId, + }: { + workspaceId: string; + userWorkspaceId: string; + roleId: string; + }): Promise { + const userWorkspace = await this.userWorkspaceRepository.findOne({ + where: { + id: userWorkspaceId, + }, + }); + + if (!isDefined(userWorkspace)) { + throw new PermissionsException( + 'User workspace not found', + PermissionsExceptionCode.USER_WORKSPACE_NOT_FOUND, + ); + } + await this.userWorkspaceRoleRepository.save({ + roleId, + userWorkspaceId: userWorkspace.id, + workspaceId, + }); + } + + public async isPermissionsEnabled(): Promise { + return this.environmentService.get('PERMISSIONS_ENABLED') === true; + } +} diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/role.entity.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/role.entity.ts new file mode 100644 index 000000000..454371a86 --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/role.entity.ts @@ -0,0 +1,44 @@ +import { + Column, + CreateDateColumn, + Entity, + OneToMany, + PrimaryGeneratedColumn, + Relation, + UpdateDateColumn, +} from 'typeorm'; + +import { UserWorkspaceRoleEntity } from 'src/engine/metadata-modules/permissions/user-workspace-role.entity'; + +@Entity('role') +export class RoleEntity { + @PrimaryGeneratedColumn('uuid') + id: string; + + @Column({ nullable: false }) + label: string; + + @Column({ nullable: false, default: false }) + canUpdateAllSettings: boolean; + + @Column({ nullable: true, type: 'text' }) + description: string; + + @Column({ nullable: false, type: 'uuid' }) + workspaceId: string; + + @CreateDateColumn({ type: 'timestamptz' }) + createdAt: Date; + + @UpdateDateColumn({ type: 'timestamptz' }) + updatedAt: Date; + + @Column({ nullable: false, default: true }) + isEditable: boolean; + + @OneToMany( + () => UserWorkspaceRoleEntity, + (userWorkspaceRole: UserWorkspaceRoleEntity) => userWorkspaceRole.role, + ) + userWorkspaceRoles: Relation; +} diff --git a/packages/twenty-server/src/engine/metadata-modules/permissions/user-workspace-role.entity.ts b/packages/twenty-server/src/engine/metadata-modules/permissions/user-workspace-role.entity.ts new file mode 100644 index 000000000..4b8a23c3a --- /dev/null +++ b/packages/twenty-server/src/engine/metadata-modules/permissions/user-workspace-role.entity.ts @@ -0,0 +1,39 @@ +import { + Column, + CreateDateColumn, + Entity, + ManyToOne, + PrimaryGeneratedColumn, + Relation, + Unique, + UpdateDateColumn, +} from 'typeorm'; + +import { RoleEntity } from 'src/engine/metadata-modules/permissions/role.entity'; + +@Entity('userWorkspaceRole') +@Unique('IndexOnUserWorkspaceRoleUnique', ['userWorkspaceId', 'roleId']) +export class UserWorkspaceRoleEntity { + @PrimaryGeneratedColumn('uuid') + id: string; + + @Column({ nullable: false, type: 'uuid' }) + workspaceId: string; + + @Column({ nullable: false, type: 'uuid' }) + roleId: string; + + @ManyToOne(() => RoleEntity, (role) => role.userWorkspaceRoles, { + onDelete: 'CASCADE', + }) + role: Relation; + + @Column({ nullable: false, type: 'uuid' }) + userWorkspaceId: string; + + @CreateDateColumn({ type: 'timestamptz' }) + createdAt: Date; + + @UpdateDateColumn({ type: 'timestamptz' }) + updatedAt: Date; +} diff --git a/packages/twenty-server/src/engine/workspace-manager/workspace-manager.module.ts b/packages/twenty-server/src/engine/workspace-manager/workspace-manager.module.ts index a5c82a968..916c14f96 100644 --- a/packages/twenty-server/src/engine/workspace-manager/workspace-manager.module.ts +++ b/packages/twenty-server/src/engine/workspace-manager/workspace-manager.module.ts @@ -1,8 +1,11 @@ import { Module } from '@nestjs/common'; +import { TypeOrmModule } from '@nestjs/typeorm'; import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module'; +import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity'; import { DataSourceModule } from 'src/engine/metadata-modules/data-source/data-source.module'; import { ObjectMetadataModule } from 'src/engine/metadata-modules/object-metadata/object-metadata.module'; +import { PermissionsModule } from 'src/engine/metadata-modules/permissions/permissions.module'; import { WorkspaceMigrationModule } from 'src/engine/metadata-modules/workspace-migration/workspace-migration.module'; import { SeederModule } from 'src/engine/seeder/seeder.module'; import { WorkspaceDataSourceModule } from 'src/engine/workspace-datasource/workspace-datasource.module'; @@ -21,6 +24,8 @@ import { WorkspaceManagerService } from './workspace-manager.service'; WorkspaceSyncMetadataModule, WorkspaceHealthModule, FeatureFlagModule, + PermissionsModule, + TypeOrmModule.forFeature([UserWorkspace], 'core'), ], exports: [WorkspaceManagerService], providers: [WorkspaceManagerService], diff --git a/packages/twenty-server/src/engine/workspace-manager/workspace-manager.service.ts b/packages/twenty-server/src/engine/workspace-manager/workspace-manager.service.ts index 39eb7d12b..84ca314c2 100644 --- a/packages/twenty-server/src/engine/workspace-manager/workspace-manager.service.ts +++ b/packages/twenty-server/src/engine/workspace-manager/workspace-manager.service.ts @@ -1,9 +1,18 @@ import { Injectable } from '@nestjs/common'; +import { InjectRepository } from '@nestjs/typeorm'; -import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service'; +import isEmpty from 'lodash.isempty'; +import { Repository } from 'typeorm'; + +import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity'; import { DataSourceEntity } from 'src/engine/metadata-modules/data-source/data-source.entity'; import { DataSourceService } from 'src/engine/metadata-modules/data-source/data-source.service'; import { ObjectMetadataService } from 'src/engine/metadata-modules/object-metadata/object-metadata.service'; +import { + PermissionsException, + PermissionsExceptionCode, +} from 'src/engine/metadata-modules/permissions/permissions.exception'; +import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service'; import { WorkspaceMigrationService } from 'src/engine/metadata-modules/workspace-migration/workspace-migration.service'; import { PETS_DATA_SEEDS } from 'src/engine/seeder/data-seeds/pets-data-seeds'; import { SURVEY_RESULTS_DATA_SEEDS } from 'src/engine/seeder/data-seeds/survey-results-data-seeds'; @@ -24,7 +33,9 @@ export class WorkspaceManagerService { private readonly seederService: SeederService, private readonly dataSourceService: DataSourceService, private readonly workspaceSyncMetadataService: WorkspaceSyncMetadataService, - private readonly featureFlagService: FeatureFlagService, + private readonly permissionsService: PermissionsService, + @InjectRepository(UserWorkspace, 'core') + private readonly userWorkspaceRepository: Repository, ) {} /** @@ -49,6 +60,13 @@ export class WorkspaceManagerService { dataSourceId: dataSourceMetadata.id, }); + const permissionsEnabled = + await this.permissionsService.isPermissionsEnabled(); + + if (permissionsEnabled === true) { + await this.initPermissions(workspaceId); + } + await this.prefillWorkspaceWithStandardObjects( dataSourceMetadata, workspaceId, @@ -168,4 +186,36 @@ export class WorkspaceManagerService { // Delete schema await this.workspaceDataSourceService.deleteWorkspaceDBSchema(workspaceId); } + + private async initPermissions(workspaceId: string) { + const adminRole = await this.permissionsService.createAdminRole({ + workspaceId, + }); + + const userWorkspace = await this.userWorkspaceRepository.find({ + where: { + workspaceId, + }, + }); + + if (isEmpty(userWorkspace)) { + throw new PermissionsException( + 'User workspace not found', + PermissionsExceptionCode.USER_WORKSPACE_NOT_FOUND, + ); + } + + if (userWorkspace.length > 1) { + throw new PermissionsException( + 'Multiple user workspaces found, cannot tell which one should be admin', + PermissionsExceptionCode.TOO_MANY_ADMIN_CANDIDATES, + ); + } + + await this.permissionsService.assignRoleToUserWorkspace({ + workspaceId, + userWorkspaceId: userWorkspace[0].id, + roleId: adminRole.id, + }); + } }