[permissions] Remove raw queries and restrict its usage (#12360)

Closes https://github.com/twentyhq/core-team-issues/issues/748

In the frame of the work on permissions we

- remove all raw queries possible to use repositories instead
- forbid usage workspaceDataSource.executeRawQueries()
- restrict usage of workspaceDataSource.query() to force developers to
pass on shouldBypassPermissionChecks to use it.

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts

@@ -31,6 +31,8 @@ export enum PermissionsExceptionCode {
   ROLE_NOT_EDITABLE = 'ROLE_NOT_EDITABLE',
   DEFAULT_ROLE_CANNOT_BE_DELETED = 'DEFAULT_ROLE_CANNOT_BE_DELETED',
   NO_PERMISSIONS_FOUND_IN_DATASOURCE = 'NO_PERMISSIONS_FOUND_IN_DATASOURCE',
+  METHOD_NOT_ALLOWED = 'METHOD_NOT_ALLOWED',
+  RAW_SQL_NOT_ALLOWED = 'RAW_SQL_NOT_ALLOWED',
 }
 
 export enum PermissionsExceptionMessage {

packages/twenty-server/src/engine/metadata-modules/permissions/utils/permission-graphql-api-exception-handler.util.ts

@@ -38,6 +38,8 @@ export const permissionGraphqlApiExceptionHandler = (
     case PermissionsExceptionCode.UNKNOWN_REQUIRED_PERMISSION:
     case PermissionsExceptionCode.NO_ROLE_FOUND_FOR_USER_WORKSPACE:
     case PermissionsExceptionCode.NO_PERMISSIONS_FOUND_IN_DATASOURCE:
+    case PermissionsExceptionCode.METHOD_NOT_ALLOWED:
+    case PermissionsExceptionCode.RAW_SQL_NOT_ALLOWED:
       throw error;
     default: {
       const _exhaustiveCheck: never = error.code;