[permissions] Add SettingsPermissionGuard on data model and roles features (#10063)
Adding SettingsPermissionsGuard to execute permission check. The guard is added directly in resolver, either at resolver level (ex: roles) or resolver-endpoint level (ex: metadata). this can be challenged !
This commit is contained in:
Marie
@ -1,6 +1,7 @@
|
||||
import { Module } from '@nestjs/common';
|
||||
import { TypeOrmModule } from '@nestjs/typeorm';
|
||||
|
||||
import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module';
|
||||
import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-workspace.entity';
|
||||
import { UserWorkspaceModule } from 'src/engine/core-modules/user-workspace/user-workspace.module';
|
||||
import { PermissionsModule } from 'src/engine/metadata-modules/permissions/permissions.module';
|
||||
@ -17,6 +18,7 @@ import { UserRoleModule } from 'src/engine/metadata-modules/user-role/user-role.
|
||||
UserRoleModule,
|
||||
PermissionsModule,
|
||||
UserWorkspaceModule,
|
||||
FeatureFlagModule,
|
||||
],
|
||||
providers: [RoleService, RoleResolver],
|
||||
exports: [RoleService],
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
import { UseFilters, UseGuards } from '@nestjs/common';
|
||||
import {
|
||||
Args,
|
||||
Mutation,
|
||||
@ -12,70 +13,48 @@ import { isDefined, SettingsFeatures } from 'twenty-shared';
|
||||
import { UserWorkspaceService } from 'src/engine/core-modules/user-workspace/user-workspace.service';
|
||||
import { WorkspaceMember } from 'src/engine/core-modules/user/dtos/workspace-member.dto';
|
||||
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
|
||||
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
|
||||
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
|
||||
import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
|
||||
import { permissionsGraphqlApiExceptionHandler } from 'src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception-handler';
|
||||
import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
|
||||
import { PermissionsGraphqlApiExceptionFilter } from 'src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception.filter';
|
||||
import { RoleDTO } from 'src/engine/metadata-modules/role/dtos/role.dto';
|
||||
import { RoleService } from 'src/engine/metadata-modules/role/role.service';
|
||||
import { UserRoleService } from 'src/engine/metadata-modules/user-role/user-role.service';
|
||||
import { WorkspaceMemberWorkspaceEntity } from 'src/modules/workspace-member/standard-objects/workspace-member.workspace-entity';
|
||||
|
||||
@Resolver(() => RoleDTO)
|
||||
@UseGuards(SettingsPermissionsGuard(SettingsFeatures.ROLES))
|
||||
@UseFilters(PermissionsGraphqlApiExceptionFilter)
|
||||
export class RoleResolver {
|
||||
constructor(
|
||||
private readonly userRoleService: UserRoleService,
|
||||
private readonly permissionsService: PermissionsService,
|
||||
private readonly roleService: RoleService,
|
||||
private readonly userWorkspaceService: UserWorkspaceService,
|
||||
) {}
|
||||
|
||||
@Query(() => [RoleDTO])
|
||||
async getRoles(
|
||||
@AuthUserWorkspaceId() userWorkspaceId: string,
|
||||
@AuthWorkspace() workspace: Workspace,
|
||||
): Promise<RoleDTO[]> {
|
||||
try {
|
||||
await this.permissionsService.validateUserHasWorkspaceSettingPermissionOrThrow(
|
||||
{
|
||||
userWorkspaceId,
|
||||
setting: SettingsFeatures.ROLES,
|
||||
},
|
||||
);
|
||||
async getRoles(@AuthWorkspace() workspace: Workspace): Promise<RoleDTO[]> {
|
||||
const roles = await this.roleService.getWorkspaceRoles(workspace.id);
|
||||
|
||||
const roles = await this.roleService.getWorkspaceRoles(workspace.id);
|
||||
|
||||
return roles.map((role) => ({
|
||||
id: role.id,
|
||||
label: role.label,
|
||||
canUpdateAllSettings: role.canUpdateAllSettings,
|
||||
description: role.description,
|
||||
workspaceId: role.workspaceId,
|
||||
createdAt: role.createdAt,
|
||||
updatedAt: role.updatedAt,
|
||||
isEditable: role.isEditable,
|
||||
userWorkspaceRoles: role.userWorkspaceRoles,
|
||||
}));
|
||||
} catch (error) {
|
||||
return permissionsGraphqlApiExceptionHandler(error);
|
||||
}
|
||||
return roles.map((role) => ({
|
||||
id: role.id,
|
||||
label: role.label,
|
||||
canUpdateAllSettings: role.canUpdateAllSettings,
|
||||
description: role.description,
|
||||
workspaceId: role.workspaceId,
|
||||
createdAt: role.createdAt,
|
||||
updatedAt: role.updatedAt,
|
||||
isEditable: role.isEditable,
|
||||
userWorkspaceRoles: role.userWorkspaceRoles,
|
||||
}));
|
||||
}
|
||||
|
||||
@Mutation(() => WorkspaceMember)
|
||||
async updateWorkspaceMemberRole(
|
||||
@AuthUserWorkspaceId() currentUserWorkspaceId: string,
|
||||
@AuthWorkspace() workspace: Workspace,
|
||||
@Args('workspaceMemberId') workspaceMemberId: string,
|
||||
@Args('roleId', { type: () => String, nullable: true })
|
||||
roleId: string | null,
|
||||
): Promise<WorkspaceMember> {
|
||||
await this.permissionsService.validateUserHasWorkspaceSettingPermissionOrThrow(
|
||||
{
|
||||
userWorkspaceId: currentUserWorkspaceId,
|
||||
setting: SettingsFeatures.ROLES,
|
||||
},
|
||||
);
|
||||
|
||||
const workspaceMember =
|
||||
await this.userWorkspaceService.getWorkspaceMemberOrThrow({
|
||||
workspaceMemberId,
|
||||
|
||||
Reference in New Issue
Block a user