admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[permisions] Bypass permission checks with api key (#10516)

Browse Source 
Closes https://github.com/twentyhq/core-team-issues/issues/325
This commit is contained in:
Marie
2025-02-28 07:50:49 +01:00
committed by GitHub
parent 0dc1cd9df1
commit a3a05c63f6
8 changed files with 103 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
packages/twenty-server/src/engine/api/graphql/graphql-query-runner/interfaces/base-resolver-service.ts
View File

@ -1,7 +1,11 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import graphqlFields from 'graphql-fields'; import graphqlFields from 'graphql-fields';
import { capitalize, PermissionsOnAllObjectRecords } from 'twenty-shared'; import {
capitalize,
isDefined,
PermissionsOnAllObjectRecords,
} from 'twenty-shared';
import { DataSource, ObjectLiteral } from 'typeorm'; import { DataSource, ObjectLiteral } from 'typeorm';
import { ObjectRecord } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface'; import { ObjectRecord } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface';
@ -24,10 +28,6 @@ import { QueryRunnerArgsFactory } from 'src/engine/api/graphql/workspace-query-r
import { workspaceQueryRunnerGraphqlApiExceptionHandler } from 'src/engine/api/graphql/workspace-query-runner/utils/workspace-query-runner-graphql-api-exception-handler.util'; import { workspaceQueryRunnerGraphqlApiExceptionHandler } from 'src/engine/api/graphql/workspace-query-runner/utils/workspace-query-runner-graphql-api-exception-handler.util';
import { WorkspaceQueryHookService } from 'src/engine/api/graphql/workspace-query-runner/workspace-query-hook/workspace-query-hook.service'; import { WorkspaceQueryHookService } from 'src/engine/api/graphql/workspace-query-runner/workspace-query-hook/workspace-query-hook.service';
import { RESOLVER_METHOD_NAMES } from 'src/engine/api/graphql/workspace-resolver-builder/constants/resolver-method-names'; import { RESOLVER_METHOD_NAMES } from 'src/engine/api/graphql/workspace-resolver-builder/constants/resolver-method-names';
import {
AuthException,
AuthExceptionCode,
} from 'src/engine/core-modules/auth/auth.exception';
import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum'; import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service'; import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants'; import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants';
@ -193,32 +193,24 @@ export abstract class GraphqlQueryBaseResolverService<
objectMetadataItemWithFieldMaps.nameSingular, objectMetadataItemWithFieldMaps.nameSingular,
) )
) { ) {
if (!authContext.apiKey) { const permissionRequired: SettingsPermissions =
if (!authContext.userWorkspaceId) { SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS[
throw new AuthException( objectMetadataItemWithFieldMaps.nameSingular
'Missing userWorkspaceId in authContext', ];
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const permissionRequired: SettingsPermissions = const userHasPermission =
SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS[ await this.permissionsService.userHasWorkspaceSettingPermission({
objectMetadataItemWithFieldMaps.nameSingular userWorkspaceId: authContext.userWorkspaceId,
]; _setting: permissionRequired,
workspaceId: authContext.workspace.id,
isExecutedByApiKey: isDefined(authContext.apiKey),
});
const userHasPermission = if (!userHasPermission) {
await this.permissionsService.userHasWorkspaceSettingPermission({ throw new PermissionsException(
userWorkspaceId: authContext.userWorkspaceId, PermissionsExceptionMessage.PERMISSION_DENIED,
_setting: permissionRequired, PermissionsExceptionCode.PERMISSION_DENIED,
workspaceId: authContext.workspace.id, );
});
if (!userHasPermission) {
throw new PermissionsException(
PermissionsExceptionMessage.PERMISSION_DENIED,
PermissionsExceptionCode.PERMISSION_DENIED,
);
}
} }
} }
} }
@ -230,30 +222,22 @@ export abstract class GraphqlQueryBaseResolverService<
operationName: WorkspaceResolverBuilderMethodNames; operationName: WorkspaceResolverBuilderMethodNames;
options: WorkspaceQueryRunnerOptions; options: WorkspaceQueryRunnerOptions;
}) { }) {
if (!options.authContext.apiKey) { const requiredPermission =
if (!options.authContext.userWorkspaceId) { this.getRequiredPermissionForMethod(operationName);
throw new AuthException(
'Missing userWorkspaceId in authContext',
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const requiredPermission = const userHasPermission =
this.getRequiredPermissionForMethod(operationName); await this.permissionsService.userHasObjectRecordsPermission({
userWorkspaceId: options.authContext.userWorkspaceId,
requiredPermission,
workspaceId: options.authContext.workspace.id,
isExecutedByApiKey: isDefined(options.authContext.apiKey),
});
const userHasPermission = if (!userHasPermission) {
await this.permissionsService.userHasObjectRecordsPermission({ throw new PermissionsException(
userWorkspaceId: options.authContext.userWorkspaceId, PermissionsExceptionMessage.PERMISSION_DENIED,
requiredPermission, PermissionsExceptionCode.PERMISSION_DENIED,
workspaceId: options.authContext.workspace.id, );
});
if (!userHasPermission) {
throw new PermissionsException(
PermissionsExceptionMessage.PERMISSION_DENIED,
PermissionsExceptionCode.PERMISSION_DENIED,
);
}
} }
} }

7
packages/twenty-server/src/engine/core-modules/billing/billing.resolver.ts
View File

@ -4,6 +4,7 @@ import { UseFilters, UseGuards } from '@nestjs/common';
import { Args, Mutation, Query, Resolver } from '@nestjs/graphql'; import { Args, Mutation, Query, Resolver } from '@nestjs/graphql';
import { GraphQLError } from 'graphql'; import { GraphQLError } from 'graphql';
import { isDefined } from 'twenty-shared';
import { BillingCheckoutSessionInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-checkout-session.input'; import { BillingCheckoutSessionInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-checkout-session.input';
import { BillingProductInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-product.input'; import { BillingProductInput } from 'src/engine/core-modules/billing/dtos/inputs/billing-product.input';
@ -25,6 +26,7 @@ import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/featu
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service'; import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import { User } from 'src/engine/core-modules/user/user.entity'; import { User } from 'src/engine/core-modules/user/user.entity';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity'; import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { AuthApiKey } from 'src/engine/decorators/auth/auth-api-key.decorator';
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator'; import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator'; import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator'; import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
@ -98,10 +100,12 @@ export class BillingResolver {
plan, plan,
requirePaymentMethod, requirePaymentMethod,
}: BillingCheckoutSessionInput, }: BillingCheckoutSessionInput,
@AuthApiKey() apiKey?: string,
) { ) {
await this.validateCanCheckoutSessionPermissionOrThrow({ await this.validateCanCheckoutSessionPermissionOrThrow({
workspaceId: workspace.id, workspaceId: workspace.id,
userWorkspaceId, userWorkspaceId,
isExecutedByApiKey: isDefined(apiKey),
}); });
const isBillingPlansEnabled = const isBillingPlansEnabled =
await this.featureFlagService.isFeatureEnabled( await this.featureFlagService.isFeatureEnabled(
@ -177,9 +181,11 @@ export class BillingResolver {
private async validateCanCheckoutSessionPermissionOrThrow({ private async validateCanCheckoutSessionPermissionOrThrow({
workspaceId, workspaceId,
userWorkspaceId, userWorkspaceId,
isExecutedByApiKey,
}: { }: {
workspaceId: string; workspaceId: string;
userWorkspaceId: string; userWorkspaceId: string;
isExecutedByApiKey: boolean;
}) { }) {
const isPermissionsEnabled = await this.featureFlagService.isFeatureEnabled( const isPermissionsEnabled = await this.featureFlagService.isFeatureEnabled(
FeatureFlagKey.IsPermissionsEnabled, FeatureFlagKey.IsPermissionsEnabled,
@ -203,6 +209,7 @@ export class BillingResolver {
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
_setting: SettingsPermissions.WORKSPACE, _setting: SettingsPermissions.WORKSPACE,
isExecutedByApiKey,
}); });
if (!userHasPermission) { if (!userHasPermission) {

10
packages/twenty-server/src/engine/core-modules/workspace/services/workspace.service.ts
View File

@ -139,9 +139,11 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
async updateWorkspaceById({ async updateWorkspaceById({
payload, payload,
userWorkspaceId, userWorkspaceId,
apiKey,
}: { }: {
payload: Partial<Workspace> & { id: string }; payload: Partial<Workspace> & { id: string };
userWorkspaceId?: string; userWorkspaceId?: string;
apiKey?: string;
}) { }) {
const workspace = await this.workspaceRepository.findOneBy({ const workspace = await this.workspaceRepository.findOneBy({
id: payload.id, id: payload.id,
@ -159,12 +161,14 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
payload, payload,
userWorkspaceId, userWorkspaceId,
workspaceId: workspace.id, workspaceId: workspace.id,
apiKey,
}); });
await this.validateWorkspacePermissions({ await this.validateWorkspacePermissions({
payload, payload,
userWorkspaceId, userWorkspaceId,
workspaceId: workspace.id, workspaceId: workspace.id,
apiKey,
}); });
} }
@ -395,10 +399,12 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
payload, payload,
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
apiKey,
}: { }: {
payload: Partial<Workspace>; payload: Partial<Workspace>;
userWorkspaceId?: string; userWorkspaceId?: string;
workspaceId: string; workspaceId: string;
apiKey?: string;
}) { }) {
if ( if (
'isGoogleAuthEnabled' in payload || 'isGoogleAuthEnabled' in payload ||
@ -415,6 +421,7 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
userWorkspaceId, userWorkspaceId,
_setting: SettingsPermissions.SECURITY, _setting: SettingsPermissions.SECURITY,
workspaceId: workspaceId, workspaceId: workspaceId,
isExecutedByApiKey: isDefined(apiKey),
}); });
if (!userHasPermission) { if (!userHasPermission) {
@ -430,10 +437,12 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
payload, payload,
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
apiKey,
}: { }: {
payload: Partial<Workspace>; payload: Partial<Workspace>;
userWorkspaceId?: string; userWorkspaceId?: string;
workspaceId: string; workspaceId: string;
apiKey?: string;
}) { }) {
if ( if (
'displayName' in payload || 'displayName' in payload ||
@ -450,6 +459,7 @@ export class WorkspaceService extends TypeOrmQueryService<Workspace> {
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
_setting: SettingsPermissions.WORKSPACE, _setting: SettingsPermissions.WORKSPACE,
isExecutedByApiKey: isDefined(apiKey),
}); });
if (!userHasPermission) { if (!userHasPermission) {

3
packages/twenty-server/src/engine/core-modules/workspace/workspace.resolver.ts
View File

@ -39,6 +39,7 @@ import { workspaceUrls } from 'src/engine/core-modules/workspace/dtos/workspace-
import { getAuthProvidersByWorkspace } from 'src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util'; import { getAuthProvidersByWorkspace } from 'src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util';
import { workspaceGraphqlApiExceptionHandler } from 'src/engine/core-modules/workspace/utils/workspace-graphql-api-exception-handler.util'; import { workspaceGraphqlApiExceptionHandler } from 'src/engine/core-modules/workspace/utils/workspace-graphql-api-exception-handler.util';
import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate'; import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
import { AuthApiKey } from 'src/engine/decorators/auth/auth-api-key.decorator';
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator'; import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator'; import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator'; import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
@ -110,6 +111,7 @@ export class WorkspaceResolver {
@Args('data') data: UpdateWorkspaceInput, @Args('data') data: UpdateWorkspaceInput,
@AuthWorkspace() workspace: Workspace, @AuthWorkspace() workspace: Workspace,
@AuthUserWorkspaceId() userWorkspaceId: string, @AuthUserWorkspaceId() userWorkspaceId: string,
@AuthApiKey() apiKey?: string,
) { ) {
try { try {
return await this.workspaceService.updateWorkspaceById({ return await this.workspaceService.updateWorkspaceById({
@ -118,6 +120,7 @@ export class WorkspaceResolver {
id: workspace.id, id: workspace.id,
}, },
userWorkspaceId, userWorkspaceId,
apiKey,
}); });
} catch (error) { } catch (error) {
workspaceGraphqlApiExceptionHandler(error); workspaceGraphqlApiExceptionHandler(error);

11
packages/twenty-server/src/engine/decorators/auth/auth-api-key.decorator.ts Normal file
View File

@ -0,0 +1,11 @@
import { createParamDecorator, ExecutionContext } from '@nestjs/common';
import { getRequest } from 'src/utils/extract-request';
export const AuthApiKey = createParamDecorator(
(data: unknown, ctx: ExecutionContext) => {
const request = getRequest(ctx);
return request.apiKey;
},
);

3
packages/twenty-server/src/engine/guards/settings-permissions.guard.ts
View File

@ -7,6 +7,8 @@ import {
} from '@nestjs/common'; } from '@nestjs/common';
import { GqlExecutionContext } from '@nestjs/graphql'; import { GqlExecutionContext } from '@nestjs/graphql';
import { isDefined } from 'twenty-shared';
import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum'; import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service'; import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants'; import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants';
@ -47,6 +49,7 @@ export const SettingsPermissionsGuard = (
userWorkspaceId, userWorkspaceId,
_setting: requiredPermission, _setting: requiredPermission,
workspaceId, workspaceId,
isExecutedByApiKey: isDefined(ctx.getContext().req.apiKey),
}); });
if (hasPermission === true) { if (hasPermission === true) {

36
packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts
View File

@ -1,7 +1,11 @@
import { Injectable } from '@nestjs/common'; import { Injectable } from '@nestjs/common';
import { PermissionsOnAllObjectRecords } from 'twenty-shared'; import { isDefined, PermissionsOnAllObjectRecords } from 'twenty-shared';
import {
AuthException,
AuthExceptionCode,
} from 'src/engine/core-modules/auth/auth.exception';
import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service'; import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants'; import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants';
import { import {
@ -74,11 +78,24 @@ export class PermissionsService {
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
_setting, _setting,
isExecutedByApiKey,
}: { }: {
userWorkspaceId: string; userWorkspaceId?: string;
workspaceId: string; workspaceId: string;
_setting: SettingsPermissions; _setting: SettingsPermissions;
isExecutedByApiKey: boolean;
}): Promise<boolean> { }): Promise<boolean> {
if (isExecutedByApiKey) {
return true;
}
if (!isDefined(userWorkspaceId)) {
throw new AuthException(
'Missing userWorkspaceId or apiKey in authContext',
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const [roleOfUserWorkspace] = await this.userRoleService const [roleOfUserWorkspace] = await this.userRoleService
.getRolesByUserWorkspaces({ .getRolesByUserWorkspaces({
userWorkspaceIds: [userWorkspaceId], userWorkspaceIds: [userWorkspaceId],
@ -97,11 +114,24 @@ export class PermissionsService {
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
requiredPermission, requiredPermission,
isExecutedByApiKey,
}: { }: {
userWorkspaceId: string; userWorkspaceId?: string;
workspaceId: string; workspaceId: string;
requiredPermission: PermissionsOnAllObjectRecords; requiredPermission: PermissionsOnAllObjectRecords;
isExecutedByApiKey: boolean;
}): Promise<boolean> { }): Promise<boolean> {
if (isExecutedByApiKey) {
return true;
}
if (!isDefined(userWorkspaceId)) {
throw new AuthException(
'Missing userWorkspaceId or apiKey in authContext',
AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
const [roleOfUserWorkspace] = await this.userRoleService const [roleOfUserWorkspace] = await this.userRoleService
.getRolesByUserWorkspaces({ .getRolesByUserWorkspaces({
userWorkspaceIds: [userWorkspaceId], userWorkspaceIds: [userWorkspaceId],

1
packages/twenty-server/src/modules/workspace-member/query-hooks/workspace-member-pre-query-hook.service.ts
View File

@ -66,6 +66,7 @@ export class WorkspaceMemberPreQueryHookService {
userWorkspaceId, userWorkspaceId,
workspaceId, workspaceId,
_setting: SettingsPermissions.WORKSPACE_MEMBERS, _setting: SettingsPermissions.WORKSPACE_MEMBERS,
isExecutedByApiKey: isDefined(apiKey),
}) })
) { ) {
return; return;