[permissions] Add permission gates on workspaceMember (#10447)

- Adding permission gates on workspaceMember to only allow user with admin permissions OR users attempting to update or delete themself to perform write operations on workspaceMember object - Reverting some changes to treat workflow objects as regular metadata objects (any user can interact with them) - (fix) Block updates on soft deleted records
2025-02-24 16:59:28 +01:00
parent 970aa4c5a1
commit e4f06a7c97
20 changed files with 655 additions and 37 deletions
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/interfaces/base-resolver-service.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/interfaces/base-resolver-service.ts
@ -1,11 +1,7 @@
 import { Inject, Injectable } from '@nestjs/common';

 import graphqlFields from 'graphql-fields';
-import {
-  capitalize,
-  isObjectRecordUnderObjectRecordsPermissions,
-  PermissionsOnAllObjectRecords,
-} from 'twenty-shared';
+import { capitalize, PermissionsOnAllObjectRecords } from 'twenty-shared';
 import { DataSource, ObjectLiteral } from 'typeorm';

 import { ObjectRecord } from 'src/engine/api/graphql/workspace-query-builder/interfaces/object-record.interface';
@ -103,12 +99,9 @@ export abstract class GraphqlQueryBaseResolverService<

      if (
        featureFlagsMap[FeatureFlagKey.IsPermissionsEnabled] &&
-        isObjectRecordUnderObjectRecordsPermissions({
-          isCustom: objectMetadataItemWithFieldMaps.isCustom,
-          nameSingular: objectMetadataItemWithFieldMaps.nameSingular,
-        })
+        !objectMetadataItemWithFieldMaps.isSystem
      ) {
-        await this.validateCustomObjectPermissionsOrThrow({
+        await this.validateObjectRecordPermissionsOrThrow({
          operationName,
          options,
        });
@ -230,7 +223,7 @@ export abstract class GraphqlQueryBaseResolverService<
    }
  }

-  private async validateCustomObjectPermissionsOrThrow({
+  private async validateObjectRecordPermissionsOrThrow({
    operationName,
    options,
  }: {
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/resolvers/graphql-query-update-many-resolver.service.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/resolvers/graphql-query-update-many-resolver.service.ts
@ -1,5 +1,7 @@
 import { Injectable } from '@nestjs/common';

+import isEmpty from 'lodash.isempty';
+
 import {
  GraphqlQueryBaseResolverService,
  GraphqlQueryResolverExecutionArgs,
@ -9,6 +11,10 @@ import { WorkspaceQueryRunnerOptions } from 'src/engine/api/graphql/workspace-qu
 import { UpdateManyResolverArgs } from 'src/engine/api/graphql/workspace-resolver-builder/interfaces/workspace-resolvers-builder.interface';

 import { QUERY_MAX_RECORDS } from 'src/engine/api/graphql/graphql-query-runner/constants/query-max-records.constant';
+import {
+  GraphqlQueryRunnerException,
+  GraphqlQueryRunnerExceptionCode,
+} from 'src/engine/api/graphql/graphql-query-runner/errors/graphql-query-runner.exception';
 import { ObjectRecordsToGraphqlConnectionHelper } from 'src/engine/api/graphql/graphql-query-runner/helpers/object-records-to-graphql-connection.helper';
 import { assertIsValidUuid } from 'src/engine/api/graphql/workspace-query-runner/utils/assert-is-valid-uuid.util';
 import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
@ -49,6 +55,13 @@ export class GraphqlQueryUpdateManyResolverService extends GraphqlQueryBaseResol
      objectMetadataMaps,
    );

+    if (isEmpty(formattedExistingRecords)) {
+      throw new GraphqlQueryRunnerException(
+        'Records not found',
+        GraphqlQueryRunnerExceptionCode.RECORD_NOT_FOUND,
+      );
+    }
+
    const tableName = computeTableName(
      objectMetadataItemWithFieldMaps.nameSingular,
      objectMetadataItemWithFieldMaps.isCustom,
--- a/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/resolvers/graphql-query-update-one-resolver.service.ts
+++ b/packages/twenty-server/src/engine/api/graphql/graphql-query-runner/resolvers/graphql-query-update-one-resolver.service.ts
@ -1,5 +1,7 @@
 import { Injectable } from '@nestjs/common';

+import isEmpty from 'lodash.isempty';
+
 import {
  GraphqlQueryBaseResolverService,
  GraphqlQueryResolverExecutionArgs,
@ -53,6 +55,13 @@ export class GraphqlQueryUpdateOneResolverService extends GraphqlQueryBaseResolv
      objectMetadataMaps,
    );

+    if (isEmpty(formattedExistingRecords)) {
+      throw new GraphqlQueryRunnerException(
+        'Record not found',
+        GraphqlQueryRunnerExceptionCode.RECORD_NOT_FOUND,
+      );
+    }
+
    const nonFormattedUpdatedObjectRecords = await queryBuilder
      .update(data)
      .where({ id: executionArgs.args.id })