[permisions] Bypass permission checks with api key (#10516)
Closes https://github.com/twentyhq/core-team-issues/issues/325
This commit is contained in:
Marie
@ -4,6 +4,7 @@ import { UseFilters, UseGuards } from '@nestjs/common';
|
||||
import { Args, Mutation, Query, Resolver } from '@nestjs/graphql';
|
||||
|
||||
import { GraphQLError } from 'graphql';
|
||||
import { isDefined } from 'twenty-shared';
|
||||
|
||||
import { BillingCheckoutSessionInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-checkout-session.input';
|
||||
import { BillingProductInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-product.input';
|
||||
@ -25,6 +26,7 @@ import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/featu
|
||||
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
|
||||
import { User } from 'src/engine/core-modules/user/user.entity';
|
||||
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
|
||||
import { AuthApiKey } from 'src/engine/decorators/auth/auth-api-key.decorator';
|
||||
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
|
||||
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
|
||||
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
|
||||
@ -98,10 +100,12 @@ export class BillingResolver {
|
||||
plan,
|
||||
requirePaymentMethod,
|
||||
}: BillingCheckoutSessionInput,
|
||||
@AuthApiKey() apiKey?: string,
|
||||
) {
|
||||
await this.validateCanCheckoutSessionPermissionOrThrow({
|
||||
workspaceId: workspace.id,
|
||||
userWorkspaceId,
|
||||
isExecutedByApiKey: isDefined(apiKey),
|
||||
});
|
||||
const isBillingPlansEnabled =
|
||||
await this.featureFlagService.isFeatureEnabled(
|
||||
@ -177,9 +181,11 @@ export class BillingResolver {
|
||||
private async validateCanCheckoutSessionPermissionOrThrow({
|
||||
workspaceId,
|
||||
userWorkspaceId,
|
||||
isExecutedByApiKey,
|
||||
}: {
|
||||
workspaceId: string;
|
||||
userWorkspaceId: string;
|
||||
isExecutedByApiKey: boolean;
|
||||
}) {
|
||||
const isPermissionsEnabled = await this.featureFlagService.isFeatureEnabled(
|
||||
FeatureFlagKey.IsPermissionsEnabled,
|
||||
@ -203,6 +209,7 @@ export class BillingResolver {
|
||||
userWorkspaceId,
|
||||
workspaceId,
|
||||
_setting: SettingsPermissions.WORKSPACE,
|
||||
isExecutedByApiKey,
|
||||
});
|
||||
|
||||
if (!userHasPermission) {
|
||||
|
||||
@ -139,9 +139,11 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
async updateWorkspaceById({
|
||||
payload,
|
||||
userWorkspaceId,
|
||||
apiKey,
|
||||
}: {
|
||||
payload: Partial<Workspace> & { id: string };
|
||||
userWorkspaceId?: string;
|
||||
apiKey?: string;
|
||||
}) {
|
||||
const workspace = await this.workspaceRepository.findOneBy({
|
||||
id: payload.id,
|
||||
@ -159,12 +161,14 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
payload,
|
||||
userWorkspaceId,
|
||||
workspaceId: workspace.id,
|
||||
apiKey,
|
||||
});
|
||||
|
||||
await this.validateWorkspacePermissions({
|
||||
payload,
|
||||
userWorkspaceId,
|
||||
workspaceId: workspace.id,
|
||||
apiKey,
|
||||
});
|
||||
}
|
||||
|
||||
@ -395,10 +399,12 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
payload,
|
||||
userWorkspaceId,
|
||||
workspaceId,
|
||||
apiKey,
|
||||
}: {
|
||||
payload: Partial<Workspace>;
|
||||
userWorkspaceId?: string;
|
||||
workspaceId: string;
|
||||
apiKey?: string;
|
||||
}) {
|
||||
if (
|
||||
'isGoogleAuthEnabled' in payload ||
|
||||
@ -415,6 +421,7 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
userWorkspaceId,
|
||||
_setting: SettingsPermissions.SECURITY,
|
||||
workspaceId: workspaceId,
|
||||
isExecutedByApiKey: isDefined(apiKey),
|
||||
});
|
||||
|
||||
if (!userHasPermission) {
|
||||
@ -430,10 +437,12 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
payload,
|
||||
userWorkspaceId,
|
||||
workspaceId,
|
||||
apiKey,
|
||||
}: {
|
||||
payload: Partial<Workspace>;
|
||||
userWorkspaceId?: string;
|
||||
workspaceId: string;
|
||||
apiKey?: string;
|
||||
}) {
|
||||
if (
|
||||
'displayName' in payload ||
|
||||
@ -450,6 +459,7 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
|
||||
userWorkspaceId,
|
||||
workspaceId,
|
||||
_setting: SettingsPermissions.WORKSPACE,
|
||||
isExecutedByApiKey: isDefined(apiKey),
|
||||
});
|
||||
|
||||
if (!userHasPermission) {
|
||||
|
||||
@ -39,6 +39,7 @@ import { workspaceUrls } from 'src/engine/core-modules/workspace/dtos/workspace-
|
||||
import { getAuthProvidersByWorkspace } from 'src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util';
|
||||
import { workspaceGraphqlApiExceptionHandler } from 'src/engine/core-modules/workspace/utils/workspace-graphql-api-exception-handler.util';
|
||||
import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
|
||||
import { AuthApiKey } from 'src/engine/decorators/auth/auth-api-key.decorator';
|
||||
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
|
||||
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
|
||||
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
|
||||
@ -110,6 +111,7 @@ export class WorkspaceResolver {
|
||||
@Args('data') data: UpdateWorkspaceInput,
|
||||
@AuthWorkspace() workspace: Workspace,
|
||||
@AuthUserWorkspaceId() userWorkspaceId: string,
|
||||
@AuthApiKey() apiKey?: string,
|
||||
) {
|
||||
try {
|
||||
return await this.workspaceService.updateWorkspaceById({
|
||||
@ -118,6 +120,7 @@ export class WorkspaceResolver {
|
||||
id: workspace.id,
|
||||
},
|
||||
userWorkspaceId,
|
||||
apiKey,
|
||||
});
|
||||
} catch (error) {
|
||||
workspaceGraphqlApiExceptionHandler(error);
|
||||
|
||||
Reference in New Issue
Block a user