Forbid upsert of objectPermissions on system objects (#12382)

Closes https://github.com/twentyhq/core-team-issues/issues/865
2025-06-02 17:03:37 +02:00
parent e13d83b660
commit dc205370df
14 changed files with 358 additions and 125 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts
@ -18,19 +18,20 @@ export enum PermissionsExceptionCode {
  ROLE_NOT_FOUND = 'ROLE_NOT_FOUND',
  CANNOT_UNASSIGN_LAST_ADMIN = 'CANNOT_UNASSIGN_LAST_ADMIN',
  CANNOT_DELETE_LAST_ADMIN_USER = 'CANNOT_DELETE_LAST_ADMIN_USER',
-  UNKNOWN_OPERATION_NAME = 'UNKNOWN_OPERATION_NAME',
+  UNKNOWN_OPERATION_NAME = 'UNKNOWN_OPERATION_NAME_PERMISSIONS',
  UNKNOWN_REQUIRED_PERMISSION = 'UNKNOWN_REQUIRED_PERMISSION',
  CANNOT_UPDATE_SELF_ROLE = 'CANNOT_UPDATE_SELF_ROLE',
  NO_ROLE_FOUND_FOR_USER_WORKSPACE = 'NO_ROLE_FOUND_FOR_USER_WORKSPACE',
-  INVALID_ARG = 'INVALID_ARG',
+  INVALID_ARG = 'INVALID_ARG_PERMISSIONS',
  PERMISSIONS_V2_NOT_ENABLED = 'PERMISSIONS_V2_NOT_ENABLED',
  ROLE_LABEL_ALREADY_EXISTS = 'ROLE_LABEL_ALREADY_EXISTS',
  DEFAULT_ROLE_NOT_FOUND = 'DEFAULT_ROLE_NOT_FOUND',
-  OBJECT_METADATA_NOT_FOUND = 'OBJECT_METADATA_NOT_FOUND',
-  INVALID_SETTING = 'INVALID_SETTING',
+  OBJECT_METADATA_NOT_FOUND = 'OBJECT_METADATA_NOT_FOUND_PERMISSIONS',
+  INVALID_SETTING = 'INVALID_SETTING_PERMISSIONS',
  ROLE_NOT_EDITABLE = 'ROLE_NOT_EDITABLE',
  DEFAULT_ROLE_CANNOT_BE_DELETED = 'DEFAULT_ROLE_CANNOT_BE_DELETED',
  NO_PERMISSIONS_FOUND_IN_DATASOURCE = 'NO_PERMISSIONS_FOUND_IN_DATASOURCE',
+  CANNOT_ADD_OBJECT_PERMISSION_ON_SYSTEM_OBJECT = 'CANNOT_ADD_OBJECT_PERMISSION_ON_SYSTEM_OBJECT',
  METHOD_NOT_ALLOWED = 'METHOD_NOT_ALLOWED',
  RAW_SQL_NOT_ALLOWED = 'RAW_SQL_NOT_ALLOWED',
 }
@ -58,4 +59,5 @@ export enum PermissionsExceptionMessage {
  ROLE_NOT_EDITABLE = 'Role is not editable',
  DEFAULT_ROLE_CANNOT_BE_DELETED = 'Default role cannot be deleted',
  NO_PERMISSIONS_FOUND_IN_DATASOURCE = 'No permissions found in datasource',
+  CANNOT_ADD_OBJECT_PERMISSION_ON_SYSTEM_OBJECT = 'Cannot add object permission on system object',
 }
--- a/packages/twenty-server/src/engine/metadata-modules/permissions/utils/permission-graphql-api-exception-handler.util.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/permissions/utils/permission-graphql-api-exception-handler.util.ts
@ -19,6 +19,7 @@ export const permissionGraphqlApiExceptionHandler = (
    case PermissionsExceptionCode.PERMISSIONS_V2_NOT_ENABLED:
    case PermissionsExceptionCode.ROLE_LABEL_ALREADY_EXISTS:
    case PermissionsExceptionCode.ROLE_NOT_EDITABLE:
+    case PermissionsExceptionCode.CANNOT_ADD_OBJECT_PERMISSION_ON_SYSTEM_OBJECT:
      throw new ForbiddenError(error.message);
    case PermissionsExceptionCode.INVALID_ARG:
    case PermissionsExceptionCode.INVALID_SETTING: