[permissions] Add permissions check layer in entityManager (#11818)

First and main step of https://github.com/twentyhq/core-team-issues/issues/747 We are implementing a permission check layer in our custom WorkspaceEntityManager by overriding all the db-executing methods (this PR only overrides some as a POC, the rest will be done in the next PR). Our custom repositories call entity managers under the hood to interact with the db so this solves the repositories case too. This is still behind the feature flag IsPermissionsV2Enabled. In the next PR - finish overriding all the methods required in WorkspaceEntityManager - add tests
2025-05-05 16:06:54 +02:00
parent 5f8040af5d
commit a9e73c6340
62 changed files with 1194 additions and 933 deletions
--- a/packages/twenty-server/src/database/commands/data-seed-dev-workspace.command.ts
+++ b/packages/twenty-server/src/database/commands/data-seed-dev-workspace.command.ts
@ -1,7 +1,7 @@
 import { Logger } from '@nestjs/common';

 import { Command, CommandRunner } from 'nest-commander';
-import { DataSource, EntityManager } from 'typeorm';
+import { DataSource } from 'typeorm';

 import { seedCoreSchema } from 'src/database/typeorm-seeds/core';
 import {
@ -43,6 +43,7 @@ import { SURVEY_RESULTS_DATA_SEEDS } from 'src/engine/seeder/data-seeds/survey-r
 import { PETS_METADATA_SEEDS } from 'src/engine/seeder/metadata-seeds/pets-metadata-seeds';
 import { SURVEY_RESULTS_METADATA_SEEDS } from 'src/engine/seeder/metadata-seeds/survey-results-metadata-seeds';
 import { SeederService } from 'src/engine/seeder/seeder.service';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
 import { shouldSeedWorkspaceFavorite } from 'src/engine/utils/should-seed-workspace-favorite';
 import { createWorkspaceViews } from 'src/engine/workspace-manager/standard-objects-prefill-data/create-workspace-views';
 import { seedViewWithDemoData } from 'src/engine/workspace-manager/standard-objects-prefill-data/seed-view-with-demo-data';
@ -169,7 +170,7 @@ export class DataSeedWorkspaceCommand extends CommandRunner {
    dataSourceMetadata: DataSourceEntity,
  ) {
    await workspaceDataSource.transaction(
-      async (entityManager: EntityManager) => {
+      async (entityManager: WorkspaceEntityManager) => {
        const { objectMetadataStandardIdToIdMap } =
          await this.objectMetadataService.getObjectMetadataStandardIdToIdMap(
            dataSourceMetadata.workspaceId,
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/api-key.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/api-key.ts
@ -1,15 +1,17 @@
-import { EntityManager } from 'typeorm';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'apiKey';

 const API_KEY_ID = '20202020-f401-4d8a-a731-64d007c27bad';

 export const seedApiKey = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, ['id', 'name', 'expiresAt'])
    .orIgnore()
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-channel-event-association.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-channel-event-association.ts
@ -1,13 +1,15 @@
-import { EntityManager } from 'typeorm';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'calendarChannelEventAssociation';

 export const seedCalendarChannelEventAssociations = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-channel.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-channel.ts
@ -1,16 +1,17 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_CONNECTED_ACCOUNT_IDS } from 'src/database/typeorm-seeds/workspace/connected-account';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
 import { CalendarChannelVisibility } from 'src/modules/calendar/common/standard-objects/calendar-channel.workspace-entity';

 const tableName = 'calendarChannel';

 export const seedCalendarChannels = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-event-participants.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-event-participants.ts
@ -1,17 +1,18 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_PERSON_IDS } from 'src/database/typeorm-seeds/workspace/seedPeople';
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
 import { CalendarEventParticipantResponseStatus } from 'src/modules/calendar/common/standard-objects/calendar-event-participant.workspace-entity';

 const tableName = 'calendarEventParticipant';

 export const seedCalendarEventParticipants = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-events.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/calendar-events.ts
@ -1,13 +1,15 @@
-import { EntityManager } from 'typeorm';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'calendarEvent';

 export const seedCalendarEvents = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/companies.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/companies.ts
@ -1,6 +1,5 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'company';

@ -21,11 +20,13 @@ export const DEV_SEED_COMPANY_IDS = {
 };

 export const seedCompanies = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/connected-account.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/connected-account.ts
@ -1,6 +1,5 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'connectedAccount';

@ -11,11 +10,13 @@ export const DEV_SEED_CONNECTED_ACCOUNT_IDS = {
 };

 export const seedConnectedAccount = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/favorites.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/favorites.ts
@ -1,15 +1,18 @@
-import { EntityManager } from 'typeorm';
 import { v4 } from 'uuid';

+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
+
 const tableName = 'favorite';

 export const seedWorkspaceFavorites = async (
  viewIds: string[],
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, ['id', 'viewId', 'position'])
    .values(
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/message-channel-message-associations.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/message-channel-message-associations.ts
@ -1,7 +1,6 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_MESSAGE_CHANNEL_IDS } from 'src/database/typeorm-seeds/workspace/message-channels';
 import { DEV_SEED_MESSAGE_IDS } from 'src/database/typeorm-seeds/workspace/messages';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
 import { MessageDirection } from 'src/modules/messaging/common/enums/message-direction.enum';

 const tableName = 'messageChannelMessageAssociation';
@ -13,11 +12,13 @@ export const DEV_SEED_MESSAGE_CHANNEL_MESSAGE_ASSOCIATION_IDS = {
 };

 export const seedMessageChannelMessageAssociation = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/message-channels.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/message-channels.ts
@ -1,6 +1,5 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_CONNECTED_ACCOUNT_IDS } from 'src/database/typeorm-seeds/workspace/connected-account';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';
 import {
  MessageChannelSyncStage,
  MessageChannelVisibility,
@ -15,11 +14,13 @@ export const DEV_SEED_MESSAGE_CHANNEL_IDS = {
 };

 export const seedMessageChannel = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/message-participants.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/message-participants.ts
@ -1,8 +1,7 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_MESSAGE_IDS } from 'src/database/typeorm-seeds/workspace/messages';
 import { DEV_SEED_PERSON_IDS } from 'src/database/typeorm-seeds/workspace/seedPeople';
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'messageParticipant';

@ -16,11 +15,13 @@ export const DEV_SEED_MESSAGE_PARTICIPANT_IDS = {
 };

 export const seedMessageParticipant = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/message-thread-subscribers.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/message-thread-subscribers.ts
@ -1,4 +1,4 @@
-import { EntityManager } from 'typeorm';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'messageThreadSubscriber';

@ -26,11 +26,13 @@ export const DEV_SEED_USER_IDS = {
 };

 export const seedMessageThreadSubscribers = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/message-threads.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/message-threads.ts
@ -1,4 +1,4 @@
-import { EntityManager } from 'typeorm';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'messageThread';

@ -11,11 +11,13 @@ export const DEV_SEED_MESSAGE_THREAD_IDS = {
 };

 export const seedMessageThread = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/messages.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/messages.ts
@ -1,6 +1,5 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_MESSAGE_THREAD_IDS } from 'src/database/typeorm-seeds/workspace/message-threads';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'message';

@ -11,11 +10,13 @@ export const DEV_SEED_MESSAGE_IDS = {
 };

 export const seedMessage = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/opportunities.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/opportunities.ts
@ -1,8 +1,7 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_COMPANY_IDS } from 'src/database/typeorm-seeds/workspace/companies';
 import { DEV_SEED_PERSON_IDS } from 'src/database/typeorm-seeds/workspace/seedPeople';
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'opportunity';

@ -14,11 +13,13 @@ export const DEV_SEED_OPPORTUNITY_IDS = {
 };

 export const seedOpportunity = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/seedPeople.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/seedPeople.ts
@ -1,7 +1,6 @@
-import { EntityManager } from 'typeorm';
-
 import { DEV_SEED_COMPANY_IDS } from 'src/database/typeorm-seeds/workspace/companies';
 import { DEV_SEED_WORKSPACE_MEMBER_IDS } from 'src/database/typeorm-seeds/workspace/workspace-members';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'person';

@ -24,11 +23,13 @@ export const DEV_SEED_PERSON_IDS = {
 };

 export const seedPeople = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
 ) => {
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',
--- a/packages/twenty-server/src/database/typeorm-seeds/workspace/workspace-members.ts
+++ b/packages/twenty-server/src/database/typeorm-seeds/workspace/workspace-members.ts
@ -1,11 +1,10 @@
-import { EntityManager } from 'typeorm';
-
+import { DEV_SEED_USER_IDS } from 'src/database/typeorm-seeds/core/users';
 import {
-  SEED_APPLE_WORKSPACE_ID,
  SEED_ACME_WORKSPACE_ID,
+  SEED_APPLE_WORKSPACE_ID,
 } from 'src/database/typeorm-seeds/core/workspaces';
 import { WorkspaceMember } from 'src/engine/core-modules/user/dtos/workspace-member.dto';
-import { DEV_SEED_USER_IDS } from 'src/database/typeorm-seeds/core/users';
+import { WorkspaceEntityManager } from 'src/engine/twenty-orm/entity-manager/workspace-entity-manager';

 const tableName = 'workspaceMember';

@ -26,7 +25,7 @@ type WorkspaceMembers = Pick<
 };

 export const seedWorkspaceMember = async (
-  entityManager: EntityManager,
+  entityManager: WorkspaceEntityManager,
  schemaName: string,
  workspaceId: string,
 ) => {
@ -78,7 +77,9 @@ export const seedWorkspaceMember = async (
    ];
  }
  await entityManager
-    .createQueryBuilder()
+    .createQueryBuilder(undefined, undefined, undefined, {
+      shouldBypassPermissionChecks: true,
+    })
    .insert()
    .into(`${schemaName}.${tableName}`, [
      'id',