[permissions] Filter tabs + registered actions according to permissions (#12657)

Note and task tabs in side panel should only show if user has reading
permission on them.

"Go to companies", "Go to workflows", etc. in command menu should only
show if the user has reading permission on related objects.

<img width="507" alt="Capture d’écran 2025-06-17 à 11 09 50"
src="https://github.com/user-attachments/assets/3a2a4c25-0b9b-4ee6-b18f-b019b8a56d47"
/>
<img width="505" alt="Capture d’écran 2025-06-17 à 11 09 56"
src="https://github.com/user-attachments/assets/8a219955-cc8e-4dbf-a4f9-a50e1aaa4b59"
/>

**How to test** 
Assign a user with a custom role that has **no** read permissions on
notes/tasks/workflows/companies/opportunities/people (no need to test
them all but at least one between note and tasks; workflows; one between
companies/opportunities/people). Check that you don't see the related
tab / action.

---------

Co-authored-by: Charles Bochet <charles@twenty.com>
Marie
2025-06-18 17:12:58 +02:00
committed by GitHub
parent e77e7e3149
commit da5ae34109
12 changed files with 206 additions and 35 deletions


@ -44,6 +44,7 @@ export const BASE_RECORD_LAYOUT: RecordLayout = {
Icon: IconCheckbox,
position: 300,
cards: [{ type: CardType.TaskCard }],
targetObjectNameSingular: CoreObjectNameSingular.Task,
hide: {
ifMobile: false,
ifDesktop: false,
@ -51,6 +52,7 @@ export const BASE_RECORD_LAYOUT: RecordLayout = {
ifFeaturesDisabled: [],
ifRequiredObjectsInactive: [CoreObjectNameSingular.Task],
ifRelationsMissing: ['taskTargets'],
ifNoReadPermission: true,
},
},
notes: {
@ -58,6 +60,7 @@ export const BASE_RECORD_LAYOUT: RecordLayout = {
Icon: IconNotes,
position: 400,
cards: [{ type: CardType.NoteCard }],
targetObjectNameSingular: CoreObjectNameSingular.Note,
hide: {
ifMobile: false,
ifDesktop: false,
@ -65,6 +68,7 @@ export const BASE_RECORD_LAYOUT: RecordLayout = {
ifFeaturesDisabled: [],
ifRequiredObjectsInactive: [CoreObjectNameSingular.Note],
ifRelationsMissing: ['noteTargets'],
ifNoReadPermission: true,
},
},
files: {
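Review bot: `ifNoReadPermission: true` on the tasks and notes tabs is a display rule only, and nothing in these entries says so. Hiding the tab in the side panel does not stop a user without read permission from requesting task or note records, so the read check has to be enforced by the API as well; that side is not visible on this page and is worth confirming. I would add a comment beside each flag, for example `// UI only: hides the tab; record read access must still be enforced server-side`.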


@ -2,6 +2,7 @@ import { currentWorkspaceState } from '@/auth/states/currentWorkspaceState';
import { objectMetadataItemsState } from '@/object-metadata/states/objectMetadataItemsState';
import { CoreObjectNameSingular } from '@/object-metadata/types/CoreObjectNameSingular';
import { ObjectMetadataItem } from '@/object-metadata/types/ObjectMetadataItem';
import { useObjectPermissions } from '@/object-record/hooks/useObjectPermissions';
import { BASE_RECORD_LAYOUT } from '@/object-record/record-show/constants/BaseRecordLayout';
import { CardType } from '@/object-record/record-show/types/CardType';
import { RecordLayout } from '@/object-record/record-show/types/RecordLayout';
@ -10,6 +11,7 @@ import { SingleTabProps } from '@/ui/layout/tab-list/types/SingleTabProps';
import { useIsMobile } from '@/ui/utilities/responsive/hooks/useIsMobile';
import { useMemo } from 'react';
import { useRecoilValue } from 'recoil';
import { isDefined } from 'twenty-shared/utils';
import {
IconCalendarEvent,
IconHome,
@ -30,6 +32,7 @@ export const useRecordShowContainerTabs = (
const objectMetadataItems = useRecoilValue(objectMetadataItemsState);
const currentWorkspace = useRecoilValue(currentWorkspaceState);
const { objectPermissionsByObjectMetadataId } = useObjectPermissions();
// Object-specific layouts that override or extend the base layout
const OBJECT_SPECIFIC_LAYOUTS: Partial<
@ -212,17 +215,19 @@ export const useRecordShowContainerTabs = (
[],
);
const baseRecordLayout = BASE_RECORD_LAYOUT;
// Merge base layout with object-specific layout
const recordLayout: RecordLayout = useMemo(() => {
return {
...BASE_RECORD_LAYOUT,
...baseRecordLayout,
...(OBJECT_SPECIFIC_LAYOUTS[targetObjectNameSingular] || {}),
tabs: {
...BASE_RECORD_LAYOUT.tabs,
...baseRecordLayout.tabs,
...(OBJECT_SPECIFIC_LAYOUTS[targetObjectNameSingular]?.tabs || {}),
},
};
}, [OBJECT_SPECIFIC_LAYOUTS, targetObjectNameSingular]);
}, [OBJECT_SPECIFIC_LAYOUTS, baseRecordLayout, targetObjectNameSingular]);
return {
layout: recordLayout,
@ -232,7 +237,7 @@ export const useRecordShowContainerTabs = (
entry[1] !== null && entry[1] !== undefined,
)
.sort(([, a], [, b]) => a.position - b.position)
.map(([key, { title, Icon, hide, cards }]) => {
.map(([key, { title, Icon, hide, cards, targetObjectNameSingular }]) => {
// Special handling for fields tab
if (key === 'fields') {
return {
@ -257,6 +262,16 @@ export const useRecordShowContainerTabs = (
);
});
const targetObjectMetadataId = objectMetadataItems.find(
(item) => item.nameSingular === targetObjectNameSingular,
)?.id;
const permissionHide =
hide.ifNoReadPermission &&
isDefined(targetObjectNameSingular) &&
!objectPermissionsByObjectMetadataId[targetObjectMetadataId]
?.canReadObjectRecords;
const requiredObjectsInactive =
hide.ifRequiredObjectsInactive.length > 0 &&
!hide.ifRequiredObjectsInactive.every((obj) =>
@ -286,7 +301,8 @@ export const useRecordShowContainerTabs = (
baseHide ||
featureNotEnabled ||
requiredObjectsInactive ||
relationsDontExist,
relationsDontExist ||
permissionHide,
};
})
// When isInRightDrawer === true, we merge first and second tab into first tab
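Review bot: `permissionHide` fails open when a tab sets `hide.ifNoReadPermission` but has no `targetObjectNameSingular`, because the `isDefined(targetObjectNameSingular)` term makes the whole expression false and the tab stays visible. The guard is also on the name, while the value actually used as the index is `targetObjectMetadataId`, which is `undefined` whenever `find` matches nothing. Treating an unresolved target as not readable makes the intent explicit: `const permissionHide = hide.ifNoReadPermission && (!isDefined(targetObjectMetadataId) || !objectPermissionsByObjectMetadataId[targetObjectMetadataId]?.canReadObjectRecords);`. The destructured `targetObjectNameSingular` in the `.map` callback also appears to shadow the hook-level name used in `OBJECT_SPECIFIC_LAYOUTS[targetObjectNameSingular]`, so renaming it (for example `tabTargetObjectNameSingular`) would avoid picking up the wrong one later. The callback and the hook body continue outside these hunks.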