[permissions] Add object records permissions to role entity (#10255)

Closes https://github.com/twentyhq/core-team-issues/issues/388 - Add object records-related permissions to role entity - Add it to queriable `currentUserWorkspace` (used in FE)
2025-02-17 18:32:39 +01:00
parent 5b4cb4bd2c
commit cb3bd1353a
22 changed files with 255 additions and 60 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts
@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common';

-import { SettingsFeatures } from 'twenty-shared';
+import { PermissionsOnAllObjectRecords, SettingsFeatures } from 'twenty-shared';

 import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
 import { UserRoleService } from 'src/engine/metadata-modules/user-role/user-role.service';
@ -12,13 +12,21 @@ export class PermissionsService {
    private readonly userRoleService: UserRoleService,
  ) {}

-  public async getUserWorkspaceSettingsPermissions({
+  public async getUserWorkspacePermissions({
    userWorkspaceId,
+    workspaceId,
  }: {
    userWorkspaceId: string;
-  }): Promise<Record<SettingsFeatures, boolean>> {
+    workspaceId: string;
+  }): Promise<{
+    settingsPermissions: Record<SettingsFeatures, boolean>;
+    objectRecordsPermissions: Record<PermissionsOnAllObjectRecords, boolean>;
+  }> {
    const [roleOfUserWorkspace] = await this.userRoleService
-      .getRolesByUserWorkspaces([userWorkspaceId])
+      .getRolesByUserWorkspaces({
+        userWorkspaceIds: [userWorkspaceId],
+        workspaceId,
+      })
      .then((roles) => roles?.get(userWorkspaceId) ?? []);

    let hasPermissionOnSettingFeature = false;
@ -27,24 +35,48 @@ export class PermissionsService {
      hasPermissionOnSettingFeature = true;
    }

-    return Object.keys(SettingsFeatures).reduce(
+    const settingsPermissionsMap = Object.keys(SettingsFeatures).reduce(
      (acc, feature) => ({
        ...acc,
        [feature]: hasPermissionOnSettingFeature,
      }),
      {} as Record<SettingsFeatures, boolean>,
    );
+
+    const objectRecordsPermissionsMap: Record<
+      PermissionsOnAllObjectRecords,
+      boolean
+    > = {
+      [PermissionsOnAllObjectRecords.READ_ALL_OBJECT_RECORDS]:
+        roleOfUserWorkspace?.canReadAllObjectRecords ?? false,
+      [PermissionsOnAllObjectRecords.UPDATE_ALL_OBJECT_RECORDS]:
+        roleOfUserWorkspace?.canUpdateAllObjectRecords ?? false,
+      [PermissionsOnAllObjectRecords.SOFT_DELETE_ALL_OBJECT_RECORDS]:
+        roleOfUserWorkspace?.canSoftDeleteAllObjectRecords ?? false,
+      [PermissionsOnAllObjectRecords.DESTROY_ALL_OBJECT_RECORDS]:
+        roleOfUserWorkspace?.canDestroyAllObjectRecords ?? false,
+    };
+
+    return {
+      settingsPermissions: settingsPermissionsMap,
+      objectRecordsPermissions: objectRecordsPermissionsMap,
+    };
  }

  public async userHasWorkspaceSettingPermission({
    userWorkspaceId,
+    workspaceId,
    _setting,
  }: {
    userWorkspaceId: string;
+    workspaceId: string;
    _setting: SettingsFeatures;
  }): Promise<boolean> {
    const [roleOfUserWorkspace] = await this.userRoleService
-      .getRolesByUserWorkspaces([userWorkspaceId])
+      .getRolesByUserWorkspaces({
+        userWorkspaceIds: [userWorkspaceId],
+        workspaceId,
+      })
      .then((roles) => roles?.get(userWorkspaceId) ?? []);

    if (roleOfUserWorkspace?.canUpdateAllSettings === true) {