[permisions] Bypass permission checks with api key (#10516)

Closes https://github.com/twentyhq/core-team-issues/issues/325
Marie
2025-02-28 07:50:49 +01:00
committed by GitHub
parent 0dc1cd9df1
commit a3a05c63f6
8 changed files with 103 additions and 54 deletions


@ -1,7 +1,11 @@
import { Injectable } from '@nestjs/common';
import { PermissionsOnAllObjectRecords } from 'twenty-shared';
import { isDefined, PermissionsOnAllObjectRecords } from 'twenty-shared';
import {
AuthException,
AuthExceptionCode,
} from 'src/engine/core-modules/auth/auth.exception';
import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants';
import {
@ -74,11 +78,24 @@ export class PermissionsService {
userWorkspaceId,
workspaceId,
_setting,
isExecutedByApiKey,
}: {
userWorkspaceId: string;
userWorkspaceId?: string;
workspaceId: string;
_setting: SettingsPermissions;
isExecutedByApiKey: boolean;
}): Promise<boolean> {
if (isExecutedByApiKey) {
return true;
}
if (!isDefined(userWorkspaceId)) {
throw new AuthException(
'Missing userWorkspaceId or apiKey in authContext',
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const [roleOfUserWorkspace] = await this.userRoleService
.getRolesByUserWorkspaces({
userWorkspaceIds: [userWorkspaceId],
@ -97,11 +114,24 @@ export class PermissionsService {
userWorkspaceId,
workspaceId,
requiredPermission,
isExecutedByApiKey,
}: {
userWorkspaceId: string;
userWorkspaceId?: string;
workspaceId: string;
requiredPermission: PermissionsOnAllObjectRecords;
isExecutedByApiKey: boolean;
}): Promise<boolean> {
if (isExecutedByApiKey) {
return true;
}
if (!isDefined(userWorkspaceId)) {
throw new AuthException(
'Missing userWorkspaceId or apiKey in authContext',
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const [roleOfUserWorkspace] = await this.userRoleService
.getRolesByUserWorkspaces({
userWorkspaceIds: [userWorkspaceId],
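Review bot: The early `if (isExecutedByApiKey) return true;` in both methods (the `_setting` check in the second hunk and the `requiredPermission` check in the third) grants an API-key request every settings and record permission on the strength of a boolean the caller passes in. Nothing visible in these hunks ties that flag to a verified key or confirms the key belongs to `workspaceId`, so the guarantee rests entirely on call sites outside this section. I would state the contract at the guard, for example `// API keys are not role-scoped: full access within their own workspace. Callers must derive this flag from the verified auth context, never from request input.`, and consider deriving the flag inside the service instead of accepting it as a parameter. The guard and the `!isDefined(userWorkspaceId)` throw are duplicated verbatim in both methods, so a single private helper would keep the bypass rule in one place if API keys later gain roles. Both method bodies continue past the end of their hunks.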