admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[permissions] Update updateRole logic + disallow self role-assignment (#10476)

Browse Source 
In this PR

- updateWorkspaceMemberRole api was changed to stop allowing null as a
valid value for roleId. it is not possible anymore to just unassign a
role from a user. instead it is only possible to assign a different role
to a user, which will unassign them from their previous role. For this
reason in the FE the bins icons next to the workspaceMember on a role
page were removed
- updateWorkspaceMemberRole will throw if a user attempts to update
their own role
- tests tests tests!
This commit is contained in:
Marie
2025-02-25 15:20:07 +01:00
committed by GitHub
parent 2247d3fa91
commit 9fe5c96d56
12 changed files with 253 additions and 224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
packages/twenty-server/test/integration/graphql/suites/settings-permissions/roles.integration-spec.ts
View File

@ -3,8 +3,10 @@ import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graph
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
const client = request(`http://localhost:${APP_PORT}`);
describe('roles permissions', () => {
@ -55,44 +57,46 @@ describe('roles permissions', () => {
expect(resp.status).toBe(200);
expect(resp.body.errors).toBeUndefined();
expect(resp.body.data.getRoles).toHaveLength(3);
expect(resp.body.data.getRoles).toEqual([
{
label: 'Guest',
workspaceMembers: [
{
id: '20202020-1553-45c6-a028-5a9064cce07f',
name: {
firstName: 'Phil',
lastName: 'Schiler',
expect(resp.body.data.getRoles).toEqual(
expect.arrayContaining([
{
label: 'Guest',
workspaceMembers: [
{
id: '20202020-1553-45c6-a028-5a9064cce07f',
name: {
firstName: 'Phil',
lastName: 'Schiler',
},
},
},
],
},
{
label: 'Admin',
workspaceMembers: [
{
id: '20202020-0687-4c41-b707-ed1bfca972a7',
name: {
firstName: 'Tim',
lastName: 'Apple',
],
},
{
label: 'Admin',
workspaceMembers: [
{
id: '20202020-0687-4c41-b707-ed1bfca972a7',
name: {
firstName: 'Tim',
lastName: 'Apple',
},
},
},
],
},
{
label: 'Member',
workspaceMembers: [
{
id: '20202020-77d5-4cb6-b60a-f4a835a85d61',
name: {
firstName: 'Jony',
lastName: 'Ive',
],
},
{
label: 'Member',
workspaceMembers: [
{
id: '20202020-77d5-4cb6-b60a-f4a835a85d61',
name: {
firstName: 'Jony',
lastName: 'Ive',
},
},
},
],
},
]);
],
},
]),
);
});
it('should throw a permission error when user does not have permission (member role)', async () => {
const query = {
@ -129,7 +133,7 @@ describe('roles permissions', () => {
});
describe('updateWorkspaceMemberRole', () => {
it('should throw a permission error when user does not have permission (member role)', async () => {
it('should throw a permission error when user does not have permission to update roles (member role)', async () => {
const query = {
query: `
mutation UpdateWorkspaceMemberRole {
@ -154,5 +158,106 @@ describe('roles permissions', () => {
expect(res.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
});
it('should throw a permission error when tries to update their own role (admin role)', async () => {
const query = {
query: `
mutation UpdateWorkspaceMemberRole {
updateWorkspaceMemberRole(workspaceMemberId: "${DEV_SEED_WORKSPACE_MEMBER_IDS.TIM}", roleId: "test-role-id") {
id
}
}
`,
};
await client
.post('/graphql')
.set('Authorization', `Bearer ${ADMIN_ACCESS_TOKEN}`)
.send(query)
.expect(200)
.expect((res) => {
expect(res.body.data).toBeNull();
expect(res.body.errors).toBeDefined();
expect(res.body.errors[0].message).toBe(
PermissionsExceptionMessage.CANNOT_UPDATE_SELF_ROLE,
);
expect(res.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
});
it('should allow to update role when user has permission (admin role)', async () => {
// Arrange
const getRolesQuery = {
query: `
query GetRoles {
getRoles {
id
label
}
}
`,
};
const resp = await client
.post('/graphql')
.set('Authorization', `Bearer ${ADMIN_ACCESS_TOKEN}`)
.send(getRolesQuery);
const memberRoleId = resp.body.data.getRoles.find(
(role) => role.label === 'Member',
).id;
const guestRoleId = resp.body.data.getRoles.find(
(role) => role.label === 'Guest',
).id;
const updateRoleQuery = {
query: `
mutation UpdateWorkspaceMemberRole {
updateWorkspaceMemberRole(workspaceMemberId: "${DEV_SEED_WORKSPACE_MEMBER_IDS.PHIL}", roleId: "${memberRoleId}") {
id
}
}
`,
};
// Act and assert
await client
.post('/graphql')
.set('Authorization', `Bearer ${ADMIN_ACCESS_TOKEN}`)
.send(updateRoleQuery)
.expect(200)
.expect((res) => {
expect(res.body.data).toBeDefined();
expect(res.body.errors).toBeUndefined();
expect(res.body.data.updateWorkspaceMemberRole.id).toBe(
DEV_SEED_WORKSPACE_MEMBER_IDS.PHIL,
);
});
// Clean
const rollbackRoleUpdateQuery = {
query: `
mutation UpdateWorkspaceMemberRole {
updateWorkspaceMemberRole(workspaceMemberId: "${DEV_SEED_WORKSPACE_MEMBER_IDS.PHIL}", roleId: "${guestRoleId}") {
id
}
}
`,
};
await client
.post('/graphql')
.set('Authorization', `Bearer ${ADMIN_ACCESS_TOKEN}`)
.send(rollbackRoleUpdateQuery)
.expect(200)
.expect((res) => {
expect(res.body.data).toBeDefined();
expect(res.body.errors).toBeUndefined();
expect(res.body.data.updateWorkspaceMemberRole.id).toBe(
DEV_SEED_WORKSPACE_MEMBER_IDS.PHIL,
);
});
});
});
});