[permissions] Writing permission does not go without reading permission (#12573)

Closes https://github.com/twentyhq/core-team-issues/issues/868 We should not allow to grant any writing permission (update, soft delete, delete) on an object or at role-level without the reading permission at the same level. This has been implemented in the front-end at role level, and is yet to be done at object level (@Weiko)
2025-06-16 12:04:38 +02:00
parent bee1717d37
commit cdc4badec3
11 changed files with 1009 additions and 30 deletions
--- a/packages/twenty-server/test/integration/graphql/utils/create-custom-role-operation-factory.util.ts
+++ b/packages/twenty-server/test/integration/graphql/utils/create-custom-role-operation-factory.util.ts
@ -0,0 +1,39 @@
+import gql from 'graphql-tag';
+
+export const createRoleOperation = ({
+  label,
+  description,
+  canUpdateAllSettings,
+  canReadAllObjectRecords,
+  canDestroyAllObjectRecords,
+  canUpdateAllObjectRecords,
+  canSoftDeleteAllObjectRecords,
+}: {
+  label: string;
+  description: string;
+  canUpdateAllSettings: boolean;
+  canReadAllObjectRecords: boolean;
+  canDestroyAllObjectRecords: boolean;
+  canUpdateAllObjectRecords: boolean;
+  canSoftDeleteAllObjectRecords: boolean;
+}) => ({
+  query: gql`
+    mutation CreateOneRole($createRoleInput: CreateRoleInput!) {
+      createOneRole(createRoleInput: $createRoleInput) {
+        id
+        label
+      }
+    }
+  `,
+  variables: {
+    createRoleInput: {
+      label,
+      description,
+      canUpdateAllSettings,
+      canReadAllObjectRecords,
+      canUpdateAllObjectRecords,
+      canSoftDeleteAllObjectRecords,
+      canDestroyAllObjectRecords,
+    },
+  },
+});