Implement updateRole (#10009)

In this PR, we are implementing the updateRole endpoint with the
following rules

1. A user can only update a member's role if they have the permission (=
the admin role)
2. Admin role can't be unassigned if there are no other admin in the
workspace
3. (For now) as members can only have one role for now, when they are
assigned a new role, they are first unassigned the other role (if any)
4. (For now) removing a member's admin role = leaving the member with no
role = calling updateRole with a null roleId

packages/twenty-server/src/engine/metadata-modules/permissions/permissions.exception.ts

@@ -14,4 +14,7 @@ export enum PermissionsExceptionCode {
   TOO_MANY_ADMIN_CANDIDATES = 'TOO_MANY_ADMIN_CANDIDATES',
   USER_WORKSPACE_ALREADY_HAS_ROLE = 'USER_WORKSPACE_ALREADY_HAS_ROLE',
   PERMISSION_DENIED = 'PERMISSION_DENIED',
+  WORKSPACE_MEMBER_NOT_FOUND = 'WORKSPACE_MEMBER_NOT_FOUND',
+  ROLE_NOT_FOUND = 'ROLE_NOT_FOUND',
+  CANNOT_UNASSIGN_LAST_ADMIN = 'CANNOT_UNASSIGN_LAST_ADMIN',
 }

packages/twenty-server/src/engine/metadata-modules/permissions/permissions.module.ts

@@ -7,7 +7,7 @@ import { UserWorkspace } from 'src/engine/core-modules/user-workspace/user-works
 import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
 import { RoleEntity } from 'src/engine/metadata-modules/role/role.entity';
 import { UserWorkspaceRoleEntity } from 'src/engine/metadata-modules/role/user-workspace-role.entity';
-import { UserRoleModule } from 'src/engine/metadata-modules/userRole/userRole.module';
+import { UserRoleModule } from 'src/engine/metadata-modules/user-role/user-role.module';
 
 @Module({
   imports: [

packages/twenty-server/src/engine/metadata-modules/permissions/permissions.service.ts

@@ -7,7 +7,7 @@ import {
   PermissionsException,
   PermissionsExceptionCode,
 } from 'src/engine/metadata-modules/permissions/permissions.exception';
-import { UserRoleService } from 'src/engine/metadata-modules/userRole/userRole.service';
+import { UserRoleService } from 'src/engine/metadata-modules/user-role/user-role.service';
 
 @Injectable()
 export class PermissionsService {
@@ -21,8 +21,8 @@ export class PermissionsService {
   }: {
     userWorkspaceId: string;
   }): Promise<Record<SettingsFeatures, boolean>> {
-    const roleOfUserWorkspace =
-      await this.userRoleService.getRoleForUserWorkspace(userWorkspaceId);
+    const [roleOfUserWorkspace] =
+      await this.userRoleService.getRolesForUserWorkspace(userWorkspaceId);
 
     let hasPermissionOnSettingFeature = false;
 
@@ -46,8 +46,8 @@ export class PermissionsService {
     userWorkspaceId: string;
     setting: SettingsFeatures;
   }): Promise<void> {
-    const userWorkspaceRole =
-      await this.userRoleService.getRoleForUserWorkspace(userWorkspaceId);
+    const [userWorkspaceRole] =
+      await this.userRoleService.getRolesForUserWorkspace(userWorkspaceId);
 
     if (userWorkspaceRole?.canUpdateAllSettings === true) {
       return;

packages/twenty-server/src/engine/metadata-modules/permissions/utils/permissions-graphql-api-exception-handler.ts

@@ -11,6 +11,7 @@ export const permissionsGraphqlApiExceptionHandler = (error: Error) => {
   if (error instanceof PermissionsException) {
     switch (error.code) {
       case PermissionsExceptionCode.PERMISSION_DENIED:
+      case PermissionsExceptionCode.CANNOT_UNASSIGN_LAST_ADMIN:
         throw new ForbiddenError(error.message);
       default:
         throw new InternalServerError(error.message);