[permissions] Remove raw queries and restrict its usage (#12360)

Closes https://github.com/twentyhq/core-team-issues/issues/748

In the frame of the work on permissions we

- remove all raw queries possible to use repositories instead
- forbid usage workspaceDataSource.executeRawQueries()
- restrict usage of workspaceDataSource.query() to force developers to
pass on shouldBypassPermissionChecks to use it.

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts

@@ -31,6 +31,8 @@ export enum PermissionsExceptionCode {
   ROLE_NOT_EDITABLE = 'ROLE_NOT_EDITABLE',
   DEFAULT_ROLE_CANNOT_BE_DELETED = 'DEFAULT_ROLE_CANNOT_BE_DELETED',
   NO_PERMISSIONS_FOUND_IN_DATASOURCE = 'NO_PERMISSIONS_FOUND_IN_DATASOURCE',
+  METHOD_NOT_ALLOWED = 'METHOD_NOT_ALLOWED',
+  RAW_SQL_NOT_ALLOWED = 'RAW_SQL_NOT_ALLOWED',
 }
 
 export enum PermissionsExceptionMessage {

packages/twenty-server/src/engine/metadata-modules/permissions/utils/permission-graphql-api-exception-handler.util.ts

@@ -38,6 +38,8 @@ export const permissionGraphqlApiExceptionHandler = (
     case PermissionsExceptionCode.UNKNOWN_REQUIRED_PERMISSION:
     case PermissionsExceptionCode.NO_ROLE_FOUND_FOR_USER_WORKSPACE:
     case PermissionsExceptionCode.NO_PERMISSIONS_FOUND_IN_DATASOURCE:
+    case PermissionsExceptionCode.METHOD_NOT_ALLOWED:
+    case PermissionsExceptionCode.RAW_SQL_NOT_ALLOWED:
       throw error;
     default: {
       const _exhaustiveCheck: never = error.code;

packages/twenty-server/src/engine/metadata-modules/remote-server/remote-server.service.ts

@@ -271,6 +271,7 @@ export class RemoteServerService<T extends RemoteServerType> {
     const [parameters, rawQuery] =
       buildUpdateRemoteServerRawQuery(remoteServerToUpdate);
 
+    // TO DO: executeRawQuery is deprecated and will throw
     const updateResult = await this.workspaceDataSourceService.executeRawQuery(
       rawQuery,
       parameters,

packages/twenty-server/src/engine/metadata-modules/remote-server/remote-table/utils/fetch-table-columns.util.ts

@@ -8,6 +8,7 @@ export const fetchTableColumns = async (
 ): Promise<PostgresTableSchemaColumn[]> => {
   const schemaName = workspaceDataSourceService.getSchemaName(workspaceId);
 
+  // TODO: executeRawQuery is deprecated and will throw
   const res = await workspaceDataSourceService.executeRawQuery(
     `SELECT column_name, data_type, udt_name
         FROM information_schema.columns

packages/twenty-server/src/engine/metadata-modules/remote-server/remote-table/utils/get-remote-table-local-name.util.ts

@@ -1,11 +1,11 @@
 import { singular } from 'pluralize';
 import { DataSource } from 'typeorm';
 
-import { camelCase } from 'src/utils/camel-case';
 import {
   RemoteTableException,
   RemoteTableExceptionCode,
 } from 'src/engine/metadata-modules/remote-server/remote-table/remote-table.exception';
+import { camelCase } from 'src/utils/camel-case';
 
 const MAX_SUFFIX = 10;
 
@@ -19,6 +19,7 @@ const isNameAvailable = async (
   workspaceSchemaName: string,
   workspaceDataSource: DataSource,
 ) => {
+  // TO DO workspaceDataSource.query method is not allowed, this will throw
   const numberOfTablesWithSameName = +(
     await workspaceDataSource.query(
       `SELECT count(table_name) FROM information_schema.tables WHERE table_name LIKE '${tableName}' AND table_schema IN ('core', 'metadata', '${workspaceSchemaName}')`,