[permissions] Remove raw queries and restrict its usage (#12360)

Closes https://github.com/twentyhq/core-team-issues/issues/748 In the frame of the work on permissions we - remove all raw queries possible to use repositories instead - forbid usage workspaceDataSource.executeRawQueries() - restrict usage of workspaceDataSource.query() to force developers to pass on shouldBypassPermissionChecks to use it. --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2025-06-02 10:53:51 +02:00
parent 1ef7b7a474
commit 9706f0df13
49 changed files with 495 additions and 754 deletions
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query-filter/graphql-query-filter-condition.parser.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query-filter/graphql-query-filter-condition.parser.ts
@ -1,13 +1,9 @@
-import {
-  Brackets,
-  NotBrackets,
-  SelectQueryBuilder,
-  WhereExpressionBuilder,
-} from 'typeorm';
+import { Brackets, NotBrackets, WhereExpressionBuilder } from 'typeorm';

 import { ObjectRecordFilter } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface';

 import { FieldMetadataMap } from 'src/engine/metadata-modules/types/field-metadata-map';
+import { WorkspaceSelectQueryBuilder } from 'src/engine/twenty-orm/repository/workspace-select-query-builder';

 import { GraphqlQueryFilterFieldParser } from './graphql-query-filter-field.parser';

@ -30,11 +26,11 @@ export class GraphqlQueryFilterConditionParser {

  public parse(
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    queryBuilder: SelectQueryBuilder<any>,
+    queryBuilder: WorkspaceSelectQueryBuilder<any>,
    objectNameSingular: string,
    filter: Partial<ObjectRecordFilter>,
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  ): SelectQueryBuilder<any> {
+  ): WorkspaceSelectQueryBuilder<any> {
    if (!filter || Object.keys(filter).length === 0) {
      return queryBuilder;
    }
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query.parser.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query.parser.ts
@ -1,9 +1,4 @@
-import {
-  FindOptionsWhere,
-  ObjectLiteral,
-  OrderByCondition,
-  SelectQueryBuilder,
-} from 'typeorm';
+import { FindOptionsWhere, ObjectLiteral, OrderByCondition } from 'typeorm';

 import {
  ObjectRecordFilter,
@ -24,6 +19,7 @@ import { FieldMetadataMap } from 'src/engine/metadata-modules/types/field-metada
 import { ObjectMetadataItemWithFieldMaps } from 'src/engine/metadata-modules/types/object-metadata-item-with-field-maps';
 import { ObjectMetadataMaps } from 'src/engine/metadata-modules/types/object-metadata-maps';
 import { getObjectMetadataMapItemByNameSingular } from 'src/engine/metadata-modules/utils/get-object-metadata-map-item-by-name-singular.util';
+import { WorkspaceSelectQueryBuilder } from 'src/engine/twenty-orm/repository/workspace-select-query-builder';

 export class GraphqlQueryParser {
  private fieldMetadataMapByName: FieldMetadataMap;
@ -51,11 +47,11 @@ export class GraphqlQueryParser {

  public applyFilterToBuilder(
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    queryBuilder: SelectQueryBuilder<any>,
+    queryBuilder: WorkspaceSelectQueryBuilder<any>,
    objectNameSingular: string,
    recordFilter: Partial<ObjectRecordFilter>,
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  ): SelectQueryBuilder<any> {
+  ): WorkspaceSelectQueryBuilder<any> {
    return this.filterConditionParser.parse(
      queryBuilder,
      objectNameSingular,
@ -65,10 +61,10 @@ export class GraphqlQueryParser {

  public applyDeletedAtToBuilder(
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    queryBuilder: SelectQueryBuilder<any>,
+    queryBuilder: WorkspaceSelectQueryBuilder<any>,
    recordFilter: Partial<ObjectRecordFilter>,
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  ): SelectQueryBuilder<any> {
+  ): WorkspaceSelectQueryBuilder<any> {
    if (this.checkForDeletedAtFilter(recordFilter)) {
      queryBuilder.withDeleted();
    }
@ -104,12 +100,12 @@ export class GraphqlQueryParser {

  public applyOrderToBuilder(
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    queryBuilder: SelectQueryBuilder<any>,
+    queryBuilder: WorkspaceSelectQueryBuilder<any>,
    orderBy: ObjectRecordOrderBy,
    objectNameSingular: string,
    isForwardPagination = true,
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  ): SelectQueryBuilder<any> {
+  ): WorkspaceSelectQueryBuilder<any> {
    const parsedOrderBys = this.orderFieldParser.parse(
      orderBy,
      objectNameSingular,
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/helpers/process-aggregate.helper.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/helpers/process-aggregate.helper.ts
@ -5,6 +5,7 @@ import { SelectQueryBuilder } from 'typeorm';

 import { AggregateOperations } from 'src/engine/api/graphql/graphql-query-runner/constants/aggregate-operations.constant';
 import { AggregationField } from 'src/engine/api/graphql/workspace-schema-builder/utils/get-available-aggregations-from-object-fields.util';
+import { WorkspaceSelectQueryBuilder } from 'src/engine/twenty-orm/repository/workspace-select-query-builder';
 import { formatColumnNamesFromCompositeFieldAndSubfields } from 'src/engine/twenty-orm/utils/format-column-names-from-composite-field-and-subfield.util';

@Injectable()
@ -15,7 +16,7 @@ export class ProcessAggregateHelper {
  }: {
    selectedAggregatedFields: Record<string, AggregationField>;
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    queryBuilder: SelectQueryBuilder<any>;
+    queryBuilder: WorkspaceSelectQueryBuilder<any>;
  }) => {
    queryBuilder.select([]);

--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/helpers/process-nested-relations-v2.helper.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/helpers/process-nested-relations-v2.helper.ts
@ -1,11 +1,7 @@
 import { Injectable } from '@nestjs/common';

 import { FieldMetadataType } from 'twenty-shared/types';
-import {
-  FindOptionsRelations,
-  ObjectLiteral,
-  SelectQueryBuilder,
-} from 'typeorm';
+import { FindOptionsRelations, ObjectLiteral } from 'typeorm';

 import { ObjectRecord } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface';
 import { RelationType } from 'src/engine/metadata-modules/field-metadata/interfaces/relation-type.interface';
@ -22,6 +18,7 @@ import { ObjectMetadataItemWithFieldMaps } from 'src/engine/metadata-modules/typ
 import { ObjectMetadataMaps } from 'src/engine/metadata-modules/types/object-metadata-maps';
 import { getObjectMetadataMapItemByNameSingular } from 'src/engine/metadata-modules/utils/get-object-metadata-map-item-by-name-singular.util';
 import { WorkspaceDataSource } from 'src/engine/twenty-orm/datasource/workspace.datasource';
+import { WorkspaceSelectQueryBuilder } from 'src/engine/twenty-orm/repository/workspace-select-query-builder';
 import { formatResult } from 'src/engine/twenty-orm/utils/format-result.util';
 import { isFieldMetadataInterfaceOfType } from 'src/engine/utils/is-field-metadata-of-type.util';

@ -269,7 +266,7 @@ export class ProcessNestedRelationsV2Helper {
    sourceFieldName,
  }: {
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    referenceQueryBuilder: SelectQueryBuilder<any>;
+    referenceQueryBuilder: WorkspaceSelectQueryBuilder<any>;
    column: string;
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
    ids: any[];
--- a/packages/twenty-server/src/engine/api/graphql/workspace-query-runner/workspace-query-runner.module.ts
+++ b/packages/twenty-server/src/engine/api/graphql/workspace-query-runner/workspace-query-runner.module.ts
@ -13,9 +13,7 @@ import { FileModule } from 'src/engine/core-modules/file/file.module';
 import { RecordPositionModule } from 'src/engine/core-modules/record-position/record-position.module';
 import { RecordTransformerModule } from 'src/engine/core-modules/record-transformer/record-transformer.module';
 import { TelemetryModule } from 'src/engine/core-modules/telemetry/telemetry.module';
-import { ObjectMetadataRepositoryModule } from 'src/engine/object-metadata-repository/object-metadata-repository.module';
 import { WorkspaceDataSourceModule } from 'src/engine/workspace-datasource/workspace-datasource.module';
-import { WorkspaceMemberWorkspaceEntity } from 'src/modules/workspace-member/standard-objects/workspace-member.workspace-entity';

 import { EntityEventsToDbListener } from './listeners/entity-events-to-db.listener';

@ -25,7 +23,6 @@ import { EntityEventsToDbListener } from './listeners/entity-events-to-db.listen
    WorkspaceQueryBuilderModule,
    WorkspaceDataSourceModule,
    WorkspaceQueryHookModule,
-    ObjectMetadataRepositoryModule.forFeature([WorkspaceMemberWorkspaceEntity]),
    TypeOrmModule.forFeature([FeatureFlag], 'core'),
    AuditModule,
    TelemetryModule,