[permissions] Add permissions check layer in entityManager (#11818)

First and main step of https://github.com/twentyhq/core-team-issues/issues/747 We are implementing a permission check layer in our custom WorkspaceEntityManager by overriding all the db-executing methods (this PR only overrides some as a POC, the rest will be done in the next PR). Our custom repositories call entity managers under the hood to interact with the db so this solves the repositories case too. This is still behind the feature flag IsPermissionsV2Enabled. In the next PR - finish overriding all the methods required in WorkspaceEntityManager - add tests
2025-05-05 16:06:54 +02:00
parent 5f8040af5d
commit a9e73c6340
62 changed files with 1194 additions and 933 deletions
--- a/packages/twenty-server/test/integration/graphql/suites/object-records-permissions/create-one-object-records-permissions.integration-spec.ts
+++ b/packages/twenty-server/test/integration/graphql/suites/object-records-permissions/create-one-object-records-permissions.integration-spec.ts
@ -2,9 +2,12 @@ import { randomUUID } from 'node:crypto';

 import { PERSON_GQL_FIELDS } from 'test/integration/constants/person-gql-fields.constants';
 import { createOneOperationFactory } from 'test/integration/graphql/utils/create-one-operation-factory.util';
+import { makeGraphqlAPIRequestWithApiKey } from 'test/integration/graphql/utils/make-graphql-api-request-with-api-key.util';
 import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
 import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
+import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';

+import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
 import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
 import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';

@ -48,79 +51,79 @@ describe('createOneObjectRecordsPermissions', () => {
    });
  });

-  // describe('permissions V2 enabled', () => {
-  //   beforeAll(async () => {
-  //     const enablePermissionsQuery = updateFeatureFlagFactory(
-  //       SEED_APPLE_WORKSPACE_ID,
-  //       'IsPermissionsV2Enabled',
-  //       true,
-  //     );
+  describe('permissions V2 enabled', () => {
+    beforeAll(async () => {
+      const enablePermissionsQuery = updateFeatureFlagFactory(
+        SEED_APPLE_WORKSPACE_ID,
+        'IsPermissionsV2Enabled',
+        true,
+      );

-  //     await makeGraphqlAPIRequest(enablePermissionsQuery);
-  //   });
+      await makeGraphqlAPIRequest(enablePermissionsQuery);
+    });

-  //   afterAll(async () => {
-  //     const disablePermissionsQuery = updateFeatureFlagFactory(
-  //       SEED_APPLE_WORKSPACE_ID,
-  //       'IsPermissionsV2Enabled',
-  //       false,
-  //     );
+    afterAll(async () => {
+      const disablePermissionsQuery = updateFeatureFlagFactory(
+        SEED_APPLE_WORKSPACE_ID,
+        'IsPermissionsV2Enabled',
+        false,
+      );

-  //     await makeGraphqlAPIRequest(disablePermissionsQuery);
-  //   });
+      await makeGraphqlAPIRequest(disablePermissionsQuery);
+    });

-  //   it('should throw a permission error when user does not have permission (guest role)', async () => {
-  //     const graphqlOperation = createOneOperationFactory({
-  //       objectMetadataSingularName: 'person',
-  //       gqlFields: PERSON_GQL_FIELDS,
-  //       data: {
-  //         id: randomUUID(),
-  //       },
-  //     });
+    it('should throw a permission error when user does not have permission (guest role)', async () => {
+      const graphqlOperation = createOneOperationFactory({
+        objectMetadataSingularName: 'person',
+        gqlFields: PERSON_GQL_FIELDS,
+        data: {
+          id: randomUUID(),
+        },
+      });

-  //     const response =
-  //       await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
+      const response =
+        await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);

-  //     expect(response.body.data).toStrictEqual({ createPerson: null });
-  //     expect(response.body.errors).toBeDefined();
-  //     expect(response.body.errors[0].message).toBe(
-  //       PermissionsExceptionMessage.PERMISSION_DENIED,
-  //     );
-  //     expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
-  //   });
+      expect(response.body.data).toStrictEqual({ createPerson: null });
+      expect(response.body.errors).toBeDefined();
+      expect(response.body.errors[0].message).toBe(
+        PermissionsExceptionMessage.PERMISSION_DENIED,
+      );
+      expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
+    });

-  //   it('should create an object record when user has permission (admin role)', async () => {
-  //     const personId = randomUUID();
-  //     const graphqlOperation = createOneOperationFactory({
-  //       objectMetadataSingularName: 'person',
-  //       gqlFields: PERSON_GQL_FIELDS,
-  //       data: {
-  //         id: personId,
-  //       },
-  //     });
+    it('should create an object record when user has permission (admin role)', async () => {
+      const personId = randomUUID();
+      const graphqlOperation = createOneOperationFactory({
+        objectMetadataSingularName: 'person',
+        gqlFields: PERSON_GQL_FIELDS,
+        data: {
+          id: personId,
+        },
+      });

-  //     const response = await makeGraphqlAPIRequest(graphqlOperation);
+      const response = await makeGraphqlAPIRequest(graphqlOperation);

-  //     expect(response.body.data).toBeDefined();
-  //     expect(response.body.data.createPerson).toBeDefined();
-  //     expect(response.body.data.createPerson.id).toBe(personId);
-  //   });
+      expect(response.body.data).toBeDefined();
+      expect(response.body.data.createPerson).toBeDefined();
+      expect(response.body.data.createPerson.id).toBe(personId);
+    });

-  //   it('should create an object record when executed by api key', async () => {
-  //     const personId = randomUUID();
-  //     const graphqlOperation = createOneOperationFactory({
-  //       objectMetadataSingularName: 'person',
-  //       gqlFields: PERSON_GQL_FIELDS,
-  //       data: {
-  //         id: personId,
-  //       },
-  //     });
+    it('should create an object record when executed by api key', async () => {
+      const personId = randomUUID();
+      const graphqlOperation = createOneOperationFactory({
+        objectMetadataSingularName: 'person',
+        gqlFields: PERSON_GQL_FIELDS,
+        data: {
+          id: personId,
+        },
+      });

-  //     const response = await makeGraphqlAPIRequestWithApiKey(graphqlOperation);
+      const response = await makeGraphqlAPIRequestWithApiKey(graphqlOperation);

-  //     expect(response.body.data).toBeDefined();
-  //     expect(response.body.data.createPerson).toBeDefined();
-  //     expect(response.body.data.createPerson.id).toBe(personId);
-  //   });
-  // });
+      expect(response.body.data).toBeDefined();
+      expect(response.body.data.createPerson).toBeDefined();
+      expect(response.body.data.createPerson.id).toBe(personId);
+    });
+  });
 });