[permissions] Enforce object-records permission checks in resolvers (#10304)

Closes https://github.com/twentyhq/core-team-issues/issues/393 - enforcing object-records permission checks in resolvers for now. we will move the logic to a lower level asap - add integration tests that will still be useful when we have moved the logic - introduce guest seeded role to test limited permissions on object-records
2025-02-19 11:21:03 +01:00
parent 33178fa8b2
commit 861face2a8
48 changed files with 1372 additions and 144 deletions
--- a/packages/twenty-server/test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util.ts
@ -0,0 +1,21 @@
+import { ASTNode, print } from 'graphql';
+import request from 'supertest';
+
+type GraphqlOperation = {
+  query: ASTNode;
+  variables?: Record<string, unknown>;
+};
+
+export const makeGraphqlAPIRequestWithGuestRole = (
+  graphqlOperation: GraphqlOperation,
+) => {
+  const client = request(`http://localhost:${APP_PORT}`);
+
+  return client
+    .post('/graphql')
+    .set('Authorization', `Bearer ${GUEST_ACCESS_TOKEN}`)
+    .send({
+      query: print(graphqlOperation.query),
+      variables: graphqlOperation.variables || {},
+    });
+};
--- a/packages/twenty-server/test/integration/graphql/utils/restore-many-operation-factory.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/restore-many-operation-factory.util.ts
@ -0,0 +1,27 @@
+import gql from 'graphql-tag';
+import { capitalize } from 'twenty-shared';
+
+type RestoreManyOperationFactoryParams = {
+  objectMetadataSingularName: string;
+  objectMetadataPluralName: string;
+  gqlFields: string;
+  filter: object;
+};
+
+export const restoreManyOperationFactory = ({
+  objectMetadataSingularName,
+  objectMetadataPluralName,
+  gqlFields,
+  filter,
+}: RestoreManyOperationFactoryParams) => ({
+  query: gql`
+    mutation Restore${capitalize(objectMetadataPluralName)}($filter: ${capitalize(objectMetadataSingularName)}FilterInput!) {
+      restore${capitalize(objectMetadataPluralName)}(filter: $filter) {
+        ${gqlFields}
+      }
+    }
+  `,
+  variables: {
+    filter,
+  },
+});
--- a/packages/twenty-server/test/integration/graphql/utils/restore-one-operation-factory.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/restore-one-operation-factory.util.ts
@ -0,0 +1,25 @@
+import gql from 'graphql-tag';
+import { capitalize } from 'twenty-shared';
+
+type RestoreOneOperationFactoryParams = {
+  objectMetadataSingularName: string;
+  gqlFields: string;
+  recordId: string;
+};
+
+export const restoreOneOperationFactory = ({
+  objectMetadataSingularName,
+  gqlFields,
+  recordId,
+}: RestoreOneOperationFactoryParams) => ({
+  query: gql`
+    mutation Restore${capitalize(objectMetadataSingularName)}($${objectMetadataSingularName}Id: ID!) {
+      restore${capitalize(objectMetadataSingularName)}(id: $${objectMetadataSingularName}Id) {
+        ${gqlFields}
+      }
+    }
+  `,
+  variables: {
+    [`${objectMetadataSingularName}Id`]: recordId,
+  },
+});