[permissions] Add SettingsPermissionGuard on data model and roles features (#10063)

Adding SettingsPermissionsGuard to execute permission check. The guard is added directly in resolver, either at resolver level (ex: roles) or resolver-endpoint level (ex: metadata). this can be challenged !
2025-02-07 16:48:04 +01:00
parent 859e7c94f9
commit a24e411384
11 changed files with 144 additions and 64 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/relation-metadata/relation-metadata.module.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/relation-metadata/relation-metadata.module.ts
@ -5,12 +5,17 @@ import {
  PagingStrategies,
 } from '@ptc-org/nestjs-query-graphql';
 import { NestjsQueryTypeOrmModule } from '@ptc-org/nestjs-query-typeorm';
+import { SettingsFeatures } from 'twenty-shared';

+import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module';
+import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
 import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
 import { FieldMetadataEntity } from 'src/engine/metadata-modules/field-metadata/field-metadata.entity';
 import { FieldMetadataModule } from 'src/engine/metadata-modules/field-metadata/field-metadata.module';
 import { IndexMetadataModule } from 'src/engine/metadata-modules/index-metadata/index-metadata.module';
 import { ObjectMetadataModule } from 'src/engine/metadata-modules/object-metadata/object-metadata.module';
+import { PermissionsModule } from 'src/engine/metadata-modules/permissions/permissions.module';
+import { PermissionsGraphqlApiExceptionFilter } from 'src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception.filter';
 import { RelationMetadataGraphqlApiExceptionInterceptor } from 'src/engine/metadata-modules/relation-metadata/interceptors/relation-metadata-graphql-api-exception.interceptor';
 import { RelationMetadataResolver } from 'src/engine/metadata-modules/relation-metadata/relation-metadata.resolver';
 import { WorkspaceMetadataVersionModule } from 'src/engine/metadata-modules/workspace-metadata-version/workspace-metadata-version.module';
@ -39,6 +44,8 @@ import { RelationMetadataDTO } from './dtos/relation-metadata.dto';
        WorkspaceMigrationModule,
        WorkspaceCacheStorageModule,
        WorkspaceMetadataVersionModule,
+        FeatureFlagModule,
+        PermissionsModule,
      ],
      services: [RelationMetadataService],
      resolvers: [
@ -48,11 +55,15 @@ import { RelationMetadataDTO } from './dtos/relation-metadata.dto';
          ServiceClass: RelationMetadataService,
          CreateDTOClass: CreateRelationInput,
          pagingStrategy: PagingStrategies.CURSOR,
-          create: { many: { disabled: true } },
+          create: {
+            many: { disabled: true },
+            guards: [SettingsPermissionsGuard(SettingsFeatures.DATA_MODEL)],
+          },
          update: { disabled: true },
          delete: { disabled: true },
          guards: [WorkspaceAuthGuard],
          interceptors: [RelationMetadataGraphqlApiExceptionInterceptor],
+          filters: [PermissionsGraphqlApiExceptionFilter],
        },
      ],
    }),
--- a/packages/twenty-server/src/engine/metadata-modules/relation-metadata/relation-metadata.resolver.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/relation-metadata/relation-metadata.resolver.ts
@ -1,9 +1,13 @@
-import { UseGuards } from '@nestjs/common';
+import { UseFilters, UseGuards } from '@nestjs/common';
 import { Args, Mutation, Resolver } from '@nestjs/graphql';

+import { SettingsFeatures } from 'twenty-shared';
+
 import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
 import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
+import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
 import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
+import { PermissionsGraphqlApiExceptionFilter } from 'src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception.filter';
 import { DeleteOneRelationInput } from 'src/engine/metadata-modules/relation-metadata/dtos/delete-relation.input';
 import { RelationMetadataDTO } from 'src/engine/metadata-modules/relation-metadata/dtos/relation-metadata.dto';
 import { RelationMetadataService } from 'src/engine/metadata-modules/relation-metadata/relation-metadata.service';
@ -11,11 +15,13 @@ import { relationMetadataGraphqlApiExceptionHandler } from 'src/engine/metadata-

@UseGuards(WorkspaceAuthGuard)
@Resolver()
+@UseFilters(PermissionsGraphqlApiExceptionFilter)
 export class RelationMetadataResolver {
  constructor(
    private readonly relationMetadataService: RelationMetadataService,
  ) {}

+  @UseGuards(SettingsPermissionsGuard(SettingsFeatures.DATA_MODEL))
  @Mutation(() => RelationMetadataDTO)
  async deleteOneRelation(
    @Args('input') input: DeleteOneRelationInput,