[permissions] Add permission gates on API & Webhooks + Security settings (#10133)

Closes https://github.com/twentyhq/core-team-issues/issues/312 Closes https://github.com/twentyhq/core-team-issues/issues/315
2025-02-12 10:40:26 +01:00
parent 08fd227049
commit e4ae76ac20
16 changed files with 220 additions and 44 deletions
--- a/packages/twenty-server/src/engine/api/graphql/graphql-config/graphql-config.service.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-config/graphql-config.service.ts
@ -70,7 +70,13 @@ export class GraphQLConfigService
        let workspace: Workspace | undefined;

        try {
-          const { user, workspace, apiKey, workspaceMemberId } = context.req;
+          const {
+            user,
+            workspace,
+            apiKey,
+            workspaceMemberId,
+            userWorkspaceId,
+          } = context.req;

          if (!workspace) {
            return new GraphQLSchema({});
@ -81,6 +87,7 @@ export class GraphQLConfigService
            workspace,
            apiKey,
            workspaceMemberId,
+            userWorkspaceId,
          });
        } catch (error) {
          if (error instanceof UnauthorizedException) {
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/constants/system-objects-permissions-requirements.constant.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/constants/system-objects-permissions-requirements.constant.ts
@ -0,0 +1,6 @@
+import { SettingsFeatures } from 'twenty-shared';
+
+export const SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS = {
+  apiKey: SettingsFeatures.API_KEYS_AND_WEBHOOKS,
+  webhook: SettingsFeatures.API_KEYS_AND_WEBHOOKS,
+} as const;
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-runner.module.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/graphql-query-runner.module.ts
@ -21,6 +21,7 @@ import { ApiEventEmitterService } from 'src/engine/api/graphql/graphql-query-run
 import { WorkspaceQueryHookModule } from 'src/engine/api/graphql/workspace-query-runner/workspace-query-hook/workspace-query-hook.module';
 import { WorkspaceQueryRunnerModule } from 'src/engine/api/graphql/workspace-query-runner/workspace-query-runner.module';
 import { FeatureFlagModule } from 'src/engine/core-modules/feature-flag/feature-flag.module';
+import { PermissionsModule } from 'src/engine/metadata-modules/permissions/permissions.module';

 const graphqlQueryResolvers = [
  GraphqlQueryCreateManyResolverService,
@ -44,6 +45,7 @@ const graphqlQueryResolvers = [
    WorkspaceQueryHookModule,
    WorkspaceQueryRunnerModule,
    FeatureFlagModule,
+    PermissionsModule,
  ],
  providers: [
    ApiEventEmitterService,
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/interfaces/base-resolver-service.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/interfaces/base-resolver-service.ts
@ -1,7 +1,7 @@
 import { Inject, Injectable } from '@nestjs/common';

 import graphqlFields from 'graphql-fields';
-import { capitalize } from 'twenty-shared';
+import { capitalize, SettingsFeatures } from 'twenty-shared';
 import { DataSource, ObjectLiteral } from 'typeorm';

 import { ObjectRecord } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface';
@ -14,6 +14,7 @@ import {
  WorkspaceResolverBuilderMethodNames,
 } from 'src/engine/api/graphql/workspace-resolver-builder/interfaces/workspace-resolvers-builder.interface';

+import { SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS } from 'src/engine/api/graphql/graphql-query-runner/constants/system-objects-permissions-requirements.constant';
 import { GraphqlQuerySelectedFieldsResult } from 'src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query-selected-fields/graphql-selected-fields.parser';
 import { GraphqlQueryParser } from 'src/engine/api/graphql/graphql-query-runner/graphql-query-parsers/graphql-query.parser';
 import { ProcessNestedRelationsHelper } from 'src/engine/api/graphql/graphql-query-runner/helpers/process-nested-relations.helper';
@ -22,7 +23,18 @@ import { QueryResultGettersFactory } from 'src/engine/api/graphql/workspace-quer
 import { QueryRunnerArgsFactory } from 'src/engine/api/graphql/workspace-query-runner/factories/query-runner-args.factory';
 import { workspaceQueryRunnerGraphqlApiExceptionHandler } from 'src/engine/api/graphql/workspace-query-runner/utils/workspace-query-runner-graphql-api-exception-handler.util';
 import { WorkspaceQueryHookService } from 'src/engine/api/graphql/workspace-query-runner/workspace-query-hook/workspace-query-hook.service';
+import {
+  AuthException,
+  AuthExceptionCode,
+} from 'src/engine/core-modules/auth/auth.exception';
+import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
 import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
+import {
+  PermissionsException,
+  PermissionsExceptionCode,
+  PermissionsExceptionMessage,
+} from 'src/engine/metadata-modules/permissions/permissions.exception';
+import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
 import { WorkspaceRepository } from 'src/engine/twenty-orm/repository/workspace.repository';
 import { TwentyORMGlobalManager } from 'src/engine/twenty-orm/twenty-orm-global.manager';

@ -58,6 +70,8 @@ export abstract class GraphqlQueryBaseResolverService<
  protected readonly processNestedRelationsHelper: ProcessNestedRelationsHelper;
  @Inject()
  protected readonly featureFlagService: FeatureFlagService;
+  @Inject()
+  protected readonly permissionsService: PermissionsService;

  public async execute(
    args: Input,
@ -69,6 +83,18 @@ export abstract class GraphqlQueryBaseResolverService<

      await this.validate(args, options);

+      const permissionsEnabled = await this.featureFlagService.isFeatureEnabled(
+        FeatureFlagKey.IsPermissionsEnabled,
+        authContext.workspace.id,
+      );
+
+      if (
+        permissionsEnabled === true &&
+        objectMetadataItemWithFieldMaps.isSystem === true
+      ) {
+        await this.validateSystemObjectPermissions(options);
+      }
+
      const hookedArgs =
        await this.workspaceQueryHookService.executePreQueryHooks(
          authContext,
@ -146,6 +172,45 @@ export abstract class GraphqlQueryBaseResolverService<
    }
  }

+  private async validateSystemObjectPermissions(
+    options: WorkspaceQueryRunnerOptions,
+  ) {
+    const { authContext, objectMetadataItemWithFieldMaps } = options;
+
+    if (
+      Object.keys(SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS).includes(
+        objectMetadataItemWithFieldMaps.nameSingular,
+      )
+    ) {
+      if (!authContext.apiKey) {
+        if (!authContext.userWorkspaceId) {
+          throw new AuthException(
+            'Missing userWorkspaceId in authContext',
+            AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
+          );
+        }
+
+        const permissionRequired: SettingsFeatures =
+          SYSTEM_OBJECTS_PERMISSIONS_REQUIREMENTS[
+            objectMetadataItemWithFieldMaps.nameSingular
+          ];
+
+        const userHasPermission =
+          await this.permissionsService.userHasWorkspaceSettingPermission({
+            userWorkspaceId: authContext.userWorkspaceId,
+            _setting: permissionRequired,
+          });
+
+        if (!userHasPermission) {
+          throw new PermissionsException(
+            PermissionsExceptionMessage.PERMISSION_DENIED,
+            PermissionsExceptionCode.PERMISSION_DENIED,
+          );
+        }
+      }
+    }
+  }
+
  protected abstract resolve(
    executionArgs: GraphqlQueryResolverExecutionArgs<Input>,
  ): Promise<Response>;