Permission checks on twentyORM global manager (#11477)

In this PR we are handling permissions when using twentyORMGlobalManager, and handling permissions for rest api and api key
2025-04-23 17:57:48 +02:00
parent 28a1354928
commit 4257f30f12
54 changed files with 547 additions and 116 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/workspace-permissions-cache/workspace-permissions-cache.service.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/workspace-permissions-cache/workspace-permissions-cache.service.ts
@ -5,6 +5,7 @@ import {
  ObjectRecordsPermissions,
  ObjectRecordsPermissionsByRoleId,
 } from 'twenty-shared/types';
+import { isDefined } from 'twenty-shared/utils';
 import { In, Repository } from 'typeorm';

 import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
@ -51,19 +52,15 @@ export class WorkspacePermissionsCacheService {
    ignoreLock?: boolean;
    roleIds?: string[];
  }): Promise<void> {
-    const isPermissionsV2Enabled =
-      await this.featureFlagService.isFeatureEnabled(
-        FeatureFlagKey.IsPermissionsV2Enabled,
-        workspaceId,
-      );
+    if (!ignoreLock) {
+      const isAlreadyCaching =
+        await this.workspacePermissionsCacheStorageService.getRolesPermissionsOngoingCachingLock(
+          workspaceId,
+        );

-    const isAlreadyCaching =
-      await this.workspacePermissionsCacheStorageService.getRolesPermissionsOngoingCachingLock(
-        workspaceId,
-      );
-
-    if (!ignoreLock && isAlreadyCaching) {
-      return;
+      if (isAlreadyCaching) {
+        return;
+      }
    }

    await this.workspacePermissionsCacheStorageService.addRolesPermissionsOngoingCachingLock(
@ -80,6 +77,12 @@ export class WorkspacePermissionsCacheService {
          );
      }

+      const isPermissionsV2Enabled =
+        await this.featureFlagService.isFeatureEnabled(
+          FeatureFlagKey.IsPermissionsV2Enabled,
+          workspaceId,
+        );
+
      const recomputedRolesPermissions =
        await this.getObjectRecordPermissionsForRoles({
          workspaceId,
@ -109,13 +112,15 @@ export class WorkspacePermissionsCacheService {
    workspaceId: string;
    ignoreLock?: boolean;
  }): Promise<void> {
-    const isAlreadyCaching =
-      await this.workspacePermissionsCacheStorageService.getUserWorkspaceRoleMapOngoingCachingLock(
-        workspaceId,
-      );
+    if (!ignoreLock) {
+      const isAlreadyCaching =
+        await this.workspacePermissionsCacheStorageService.getUserWorkspaceRoleMapOngoingCachingLock(
+          workspaceId,
+        );

-    if (!ignoreLock && isAlreadyCaching) {
-      return;
+      if (isAlreadyCaching) {
+        return;
+      }
    }

    await this.workspacePermissionsCacheStorageService.addUserWorkspaceRoleMapOngoingCachingLock(
@ -183,6 +188,24 @@ export class WorkspacePermissionsCacheService {
    });
  }

+  async getRoleIdFromUserWorkspaceId({
+    workspaceId,
+    userWorkspaceId,
+  }: {
+    workspaceId: string;
+    userWorkspaceId?: string;
+  }): Promise<string | undefined> {
+    if (!isDefined(userWorkspaceId)) {
+      return;
+    }
+
+    const userWorkspaceRoleMap = await this.getUserWorkspaceRoleMapFromCache({
+      workspaceId,
+    });
+
+    return userWorkspaceRoleMap[userWorkspaceId];
+  }
+
  private async getObjectRecordPermissionsForRoles({
    workspaceId,
    isPermissionsV2Enabled,