[permissions] Writing permission does not go without reading permission (#12573)

Closes https://github.com/twentyhq/core-team-issues/issues/868 We should not allow to grant any writing permission (update, soft delete, delete) on an object or at role-level without the reading permission at the same level. This has been implemented in the front-end at role level, and is yet to be done at object level (@Weiko)
2025-06-16 12:04:38 +02:00
parent bee1717d37
commit cdc4badec3
11 changed files with 1009 additions and 30 deletions
--- a/packages/twenty-server/test/integration/graphql/utils/create-custom-role-operation-factory.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/create-custom-role-operation-factory.util.ts
@ -0,0 +1,39 @@
+import gql from 'graphql-tag';
+
+export const createRoleOperation = ({
+  label,
+  description,
+  canUpdateAllSettings,
+  canReadAllObjectRecords,
+  canDestroyAllObjectRecords,
+  canUpdateAllObjectRecords,
+  canSoftDeleteAllObjectRecords,
+}: {
+  label: string;
+  description: string;
+  canUpdateAllSettings: boolean;
+  canReadAllObjectRecords: boolean;
+  canDestroyAllObjectRecords: boolean;
+  canUpdateAllObjectRecords: boolean;
+  canSoftDeleteAllObjectRecords: boolean;
+}) => ({
+  query: gql`
+    mutation CreateOneRole($createRoleInput: CreateRoleInput!) {
+      createOneRole(createRoleInput: $createRoleInput) {
+        id
+        label
+      }
+    }
+  `,
+  variables: {
+    createRoleInput: {
+      label,
+      description,
+      canUpdateAllSettings,
+      canReadAllObjectRecords,
+      canUpdateAllObjectRecords,
+      canSoftDeleteAllObjectRecords,
+      canDestroyAllObjectRecords,
+    },
+  },
+});
--- a/packages/twenty-server/test/integration/graphql/utils/upsert-object-permission-operation-factory.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/upsert-object-permission-operation-factory.util.ts
@ -0,0 +1,39 @@
+import gql from 'graphql-tag';
+
+export const createUpsertObjectPermissionsOperation = (
+  roleId: string,
+  objectPermissions: Array<{
+    objectMetadataId: string;
+    canReadObjectRecords?: boolean;
+    canUpdateObjectRecords?: boolean;
+    canSoftDeleteObjectRecords?: boolean;
+    canDestroyObjectRecords?: boolean;
+  }>,
+  selectedFields: string[] = [
+    'objectMetadataId',
+    'canReadObjectRecords',
+    'canUpdateObjectRecords',
+    'canSoftDeleteObjectRecords',
+    'canDestroyObjectRecords',
+  ],
+) => ({
+  query: gql`
+      mutation UpsertObjectPermissions(
+        $roleId: String!
+        $objectPermissions: [ObjectPermissionInput!]!
+      ) {
+        upsertObjectPermissions(
+          upsertObjectPermissionsInput: {
+            roleId: $roleId
+            objectPermissions: $objectPermissions
+          }
+        ) {
+          ${selectedFields.join('\n')}
+        }
+      }
+    `,
+  variables: {
+    roleId,
+    objectPermissions,
+  },
+});