[permissions] Add conditional permission gate on billing's checkoutSession (#10387)

Following a conversation with @etiennejouan and @martmull, we are adding a permission gate on billing resolver's checkoutSession, which should only be accessible to entitled users or at workspace creation (when there are no roles yet), when the subscription is incomplete
2025-02-21 15:01:36 +01:00
parent 0571eb2cf6
commit 6fb81e757b
6 changed files with 121 additions and 11 deletions
--- a/packages/twenty-server/test/integration/graphql/suites/settings-permissions/workspace.integration-spec.ts
+++ b/packages/twenty-server/test/integration/graphql/suites/settings-permissions/workspace.integration-spec.ts
@ -4,6 +4,7 @@ import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graph
 import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';

 import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
+import { BillingPlanKey } from 'src/engine/core-modules/billing/enums/billing-plan-key.enum';
 import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
 import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';

@ -406,6 +407,52 @@ describe('WorkspaceResolver', () => {
          });
      });
    });
+
+    describe('checkoutSession', () => {
+      it('should throw a permission error when user does not have permission (member role)', async () => {
+        const queryData = {
+          query: `
+            mutation CheckoutSession(
+              $recurringInterval: SubscriptionInterval!
+              $successUrlPath: String!
+              $plan: BillingPlanKey!
+              $requirePaymentMethod: Boolean
+            ) {
+              checkoutSession(
+                recurringInterval: $recurringInterval
+                successUrlPath: $successUrlPath
+                plan: $plan
+                requirePaymentMethod: $requirePaymentMethod
+              ) {
+                url
+              }
+            }
+          `,
+          variables: {
+            recurringInterval: 'Month',
+            successUrlPath: '/settings/billing',
+            plan: BillingPlanKey.PRO,
+            requirePaymentMethod: true,
+          },
+        };
+
+        await client
+          .post('/graphql')
+          .set('Authorization', `Bearer ${MEMBER_ACCESS_TOKEN}`)
+          .send(queryData)
+          .expect(200)
+          .expect((res) => {
+            expect(res.body.data).toBeNull();
+            expect(res.body.errors).toBeDefined();
+            expect(res.body.errors[0].message).toBe(
+              PermissionsExceptionMessage.PERMISSION_DENIED,
+            );
+            expect(res.body.errors[0].extensions.code).toBe(
+              ErrorCode.FORBIDDEN,
+            );
+          });
+      });
+    });
  });

  describe('lab', () => {