admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[permission] Override query builders db-executing methods (#11714)

Browse Source 
closes https://github.com/twentyhq/core-team-issues/issues/843
This commit is contained in:
Marie
2025-04-24 18:20:21 +02:00
committed by GitHub
parent e55ecb4dcd
commit e750ef28a1
16 changed files with 1546 additions and 408 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/create-many-object-records-permissions.integration-spec.ts
View File

@ -9,55 +9,160 @@ import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('createManyObjectRecordsPermissions', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: randomUUID(),
},
{
id: randomUUID(),
},
],
describe('permissions V2 disabled', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: randomUUID(),
},
{
id: randomUUID(),
},
],
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ createPeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should create multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
expect(response.body.data).toStrictEqual({ createPeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const graphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
it('should create multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const response = await makeGraphqlAPIRequest(graphqlOperation);
const graphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
expect(response.body.data).toBeDefined();
expect(response.body.data.createPeople).toBeDefined();
expect(response.body.data.createPeople).toHaveLength(2);
expect(response.body.data.createPeople[0].id).toBe(personId1);
expect(response.body.data.createPeople[1].id).toBe(personId2);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.createPeople).toBeDefined();
expect(response.body.data.createPeople).toHaveLength(2);
expect(response.body.data.createPeople[0].id).toBe(personId1);
expect(response.body.data.createPeople[1].id).toBe(personId2);
});
// describe('permissions V2 enabled', () => {
// beforeAll(async () => {
// const enablePermissionsQuery = updateFeatureFlagFactory(
// SEED_APPLE_WORKSPACE_ID,
// 'IsPermissionsV2Enabled',
// true,
// );
// await makeGraphqlAPIRequest(enablePermissionsQuery);
// });
// afterAll(async () => {
// const disablePermissionsQuery = updateFeatureFlagFactory(
// SEED_APPLE_WORKSPACE_ID,
// 'IsPermissionsV2Enabled',
// false,
// );
// await makeGraphqlAPIRequest(disablePermissionsQuery);
// });
// it('should throw a permission error when user does not have permission (guest role)', async () => {
// const graphqlOperation = createManyOperationFactory({
// objectMetadataSingularName: 'person',
// objectMetadataPluralName: 'people',
// gqlFields: PERSON_GQL_FIELDS,
// data: [
// {
// id: randomUUID(),
// },
// {
// id: randomUUID(),
// },
// ],
// });
// const response =
// await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
// expect(response.body.data).toStrictEqual({ createPeople: null });
// expect(response.body.errors).toBeDefined();
// expect(response.body.errors[0].message).toBe(
// PermissionsExceptionMessage.PERMISSION_DENIED,
// );
// expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
// });
// it('should create multiple object records when user has permission (admin role)', async () => {
// const personId1 = randomUUID();
// const personId2 = randomUUID();
// const graphqlOperation = createManyOperationFactory({
// objectMetadataSingularName: 'person',
// objectMetadataPluralName: 'people',
// gqlFields: PERSON_GQL_FIELDS,
// data: [
// {
// id: personId1,
// },
// {
// id: personId2,
// },
// ],
// });
// const response = await makeGraphqlAPIRequest(graphqlOperation);
// expect(response.body.data).toBeDefined();
// expect(response.body.data.createPeople).toBeDefined();
// expect(response.body.data.createPeople).toHaveLength(2);
// expect(response.body.data.createPeople[0].id).toBe(personId1);
// expect(response.body.data.createPeople[1].id).toBe(personId2);
// });
// it('should create multiple object records when executed by api key', async () => {
// const personId1 = randomUUID();
// const personId2 = randomUUID();
// const graphqlOperation = createManyOperationFactory({
// objectMetadataSingularName: 'person',
// objectMetadataPluralName: 'people',
// gqlFields: PERSON_GQL_FIELDS,
// data: [
// {
// id: personId1,
// },
// {
// id: personId2,
// },
// ],
// });
// const response = await makeGraphqlAPIRequestWithApiKey(graphqlOperation);
// expect(response.body.data).toBeDefined();
// expect(response.body.data.createPeople).toBeDefined();
// expect(response.body.data.createPeople).toHaveLength(2);
// expect(response.body.data.createPeople[0].id).toBe(personId1);
// expect(response.body.data.createPeople[1].id).toBe(personId2);
// });
// });
});

137
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/create-one-object-records-permissions.integration-spec.ts
View File

@ -9,39 +9,118 @@ import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('createOneObjectRecordsPermissions', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: randomUUID(),
},
describe('permissions V2 disabled', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: randomUUID(),
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ createPerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should create an object record when user has permission (admin role)', async () => {
const personId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
expect(response.body.data).toStrictEqual({ createPerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
it('should create an object record when user has permission (admin role)', async () => {
const personId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
expect(response.body.data).toBeDefined();
expect(response.body.data.createPerson).toBeDefined();
expect(response.body.data.createPerson.id).toBe(personId);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.createPerson).toBeDefined();
expect(response.body.data.createPerson.id).toBe(personId);
});
// describe('permissions V2 enabled', () => {
// beforeAll(async () => {
// const enablePermissionsQuery = updateFeatureFlagFactory(
// SEED_APPLE_WORKSPACE_ID,
// 'IsPermissionsV2Enabled',
// true,
// );
// await makeGraphqlAPIRequest(enablePermissionsQuery);
// });
// afterAll(async () => {
// const disablePermissionsQuery = updateFeatureFlagFactory(
// SEED_APPLE_WORKSPACE_ID,
// 'IsPermissionsV2Enabled',
// false,
// );
// await makeGraphqlAPIRequest(disablePermissionsQuery);
// });
// it('should throw a permission error when user does not have permission (guest role)', async () => {
// const graphqlOperation = createOneOperationFactory({
// objectMetadataSingularName: 'person',
// gqlFields: PERSON_GQL_FIELDS,
// data: {
// id: randomUUID(),
// },
// });
// const response =
// await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
// expect(response.body.data).toStrictEqual({ createPerson: null });
// expect(response.body.errors).toBeDefined();
// expect(response.body.errors[0].message).toBe(
// PermissionsExceptionMessage.PERMISSION_DENIED,
// );
// expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
// });
// it('should create an object record when user has permission (admin role)', async () => {
// const personId = randomUUID();
// const graphqlOperation = createOneOperationFactory({
// objectMetadataSingularName: 'person',
// gqlFields: PERSON_GQL_FIELDS,
// data: {
// id: personId,
// },
// });
// const response = await makeGraphqlAPIRequest(graphqlOperation);
// expect(response.body.data).toBeDefined();
// expect(response.body.data.createPerson).toBeDefined();
// expect(response.body.data.createPerson.id).toBe(personId);
// });
// it('should create an object record when executed by api key', async () => {
// const personId = randomUUID();
// const graphqlOperation = createOneOperationFactory({
// objectMetadataSingularName: 'person',
// gqlFields: PERSON_GQL_FIELDS,
// data: {
// id: personId,
// },
// });
// const response = await makeGraphqlAPIRequestWithApiKey(graphqlOperation);
// expect(response.body.data).toBeDefined();
// expect(response.body.data.createPerson).toBeDefined();
// expect(response.body.data.createPerson.id).toBe(personId);
// });
// });
});

227
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/delete-many-object-records-permissions.integration-spec.ts
View File

@ -3,72 +3,205 @@ import { randomUUID } from 'node:crypto';
import { PERSON_GQL_FIELDS } from 'test/integration/constants/person-gql-fields.constants';
import { createManyOperationFactory } from 'test/integration/graphql/utils/create-many-operation-factory.util';
import { deleteManyOperationFactory } from 'test/integration/graphql/utils/delete-many-operation-factory.util';
import { makeGraphqlAPIRequestWithApiKey } from 'test/integration/graphql/utils/make-graphql-api-request-with-api-key.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('deleteManyObjectRecordsPermissions', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
describe('permissions V2 disabled', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ deletePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should delete multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
expect(response.body.data).toStrictEqual({ deletePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePeople).toBeDefined();
expect(response.body.data.deletePeople).toHaveLength(2);
expect(response.body.data.deletePeople[0].id).toBe(personId1);
expect(response.body.data.deletePeople[1].id).toBe(personId2);
});
});
it('should delete multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
describe('permissions V2 enabled', () => {
beforeAll(async () => {
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
await makeGraphqlAPIRequest(createGraphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
});
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePeople).toBeDefined();
expect(response.body.data.deletePeople).toHaveLength(2);
expect(response.body.data.deletePeople[0].id).toBe(personId1);
expect(response.body.data.deletePeople[1].id).toBe(personId2);
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ deletePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should delete multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePeople).toBeDefined();
expect(response.body.data.deletePeople).toHaveLength(2);
expect(response.body.data.deletePeople[0].id).toBe(personId1);
expect(response.body.data.deletePeople[1].id).toBe(personId2);
});
it('should delete multiple object records when executed by api key', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequestWithApiKey(
deleteGraphqlOperation,
);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePeople).toBeDefined();
expect(response.body.data.deletePeople).toHaveLength(2);
expect(response.body.data.deletePeople[0].id).toBe(personId1);
expect(response.body.data.deletePeople[1].id).toBe(personId2);
});
});
});

192
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/delete-one-object-records-permissions.integration-spec.ts
View File

@ -3,56 +3,178 @@ import { randomUUID } from 'node:crypto';
import { PERSON_GQL_FIELDS } from 'test/integration/constants/person-gql-fields.constants';
import { createOneOperationFactory } from 'test/integration/graphql/utils/create-one-operation-factory.util';
import { deleteOneOperationFactory } from 'test/integration/graphql/utils/delete-one-operation-factory.util';
import { makeGraphqlAPIRequestWithApiKey } from 'test/integration/graphql/utils/make-graphql-api-request-with-api-key.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('deleteOneObjectRecordsPermissions', () => {
const personId = randomUUID();
beforeAll(async () => {
const createOnePersonRecordOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createOnePersonRecordOperation);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
describe('permissions V2 disabled', () => {
const personId = randomUUID();
const graphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
beforeAll(async () => {
const createOnePersonRecordOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createOnePersonRecordOperation);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId = randomUUID();
const graphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
expect(response.body.data).toStrictEqual({ deletePerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ deletePerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should delete an object record when user has permission (admin role)', async () => {
const deleteGraphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePerson).toBeDefined();
expect(response.body.data.deletePerson.id).toBe(personId);
});
});
it('should delete an object record when user has permission (admin role)', async () => {
const deleteGraphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
describe('permissions V2 enabled', () => {
const personId = randomUUID();
beforeAll(async () => {
const createOnePersonRecordOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createOnePersonRecordOperation);
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePerson).toBeDefined();
expect(response.body.data.deletePerson.id).toBe(personId);
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId = randomUUID();
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequestWithGuestRole(
deleteGraphqlOperation,
);
expect(response.body.data).toStrictEqual({ deletePerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should delete an object record when user has permission (admin role)', async () => {
const personId = randomUUID();
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequest(deleteGraphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePerson).toBeDefined();
expect(response.body.data.deletePerson.id).toBe(personId);
});
it('should delete an object record when executed by api key', async () => {
const personId = randomUUID();
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const deleteGraphqlOperation = deleteOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequestWithApiKey(
deleteGraphqlOperation,
);
expect(response.body.data).toBeDefined();
expect(response.body.data.deletePerson).toBeDefined();
expect(response.body.data.deletePerson.id).toBe(personId);
});
});
});

184
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/destroy-many-object-records-permissions.integration-spec.ts
View File

@ -5,70 +5,160 @@ import { createManyOperationFactory } from 'test/integration/graphql/utils/creat
import { destroyManyOperationFactory } from 'test/integration/graphql/utils/destroy-many-operation-factory.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('destroyManyObjectRecordsPermissions', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
describe('permissions V2 disabled', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ destroyPeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should destroy multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
expect(response.body.data).toStrictEqual({ destroyPeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPeople).toBeDefined();
expect(response.body.data.destroyPeople).toHaveLength(2);
expect(response.body.data.destroyPeople[0].id).toBe(personId1);
expect(response.body.data.destroyPeople[1].id).toBe(personId2);
});
});
it('should destroy multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
describe('permissions V2 enabled', () => {
beforeAll(async () => {
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
await makeGraphqlAPIRequest(createGraphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
});
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPeople).toBeDefined();
expect(response.body.data.destroyPeople).toHaveLength(2);
expect(response.body.data.destroyPeople[0].id).toBe(personId1);
expect(response.body.data.destroyPeople[1].id).toBe(personId2);
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ destroyPeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should destroy multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const graphqlOperation = destroyManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPeople).toBeDefined();
expect(response.body.data.destroyPeople).toHaveLength(2);
expect(response.body.data.destroyPeople[0].id).toBe(personId1);
expect(response.body.data.destroyPeople[1].id).toBe(personId2);
});
});
});

142
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/destroy-one-object-records-permissions.integration-spec.ts
View File

@ -5,54 +5,126 @@ import { createOneOperationFactory } from 'test/integration/graphql/utils/create
import { destroyOneOperationFactory } from 'test/integration/graphql/utils/destroy-one-operation-factory.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('destroyOneObjectRecordsPermissions', () => {
const personId = randomUUID();
beforeAll(async () => {
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
describe('permissions V2 disabled', () => {
const personId = randomUUID();
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
beforeAll(async () => {
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId = randomUUID();
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
expect(response.body.data).toStrictEqual({ destroyPerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ destroyPerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should destroy an object record when user has permission (admin role)', async () => {
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPerson).toBeDefined();
expect(response.body.data.destroyPerson.id).toBe(personId);
});
});
it('should destroy an object record when user has permission (admin role)', async () => {
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
describe('permissions V2 enabled', () => {
const personId = randomUUID();
beforeAll(async () => {
const createGraphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
data: {
id: personId,
},
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPerson).toBeDefined();
expect(response.body.data.destroyPerson.id).toBe(personId);
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId = randomUUID();
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ destroyPerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should destroy an object record when user has permission (admin role)', async () => {
const graphqlOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'person',
gqlFields: PERSON_GQL_FIELDS,
recordId: personId,
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.destroyPerson).toBeDefined();
expect(response.body.data.destroyPerson.id).toBe(personId);
});
});
});

227
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/restore-many-object-records-permissions.integration-spec.ts
View File

@ -6,87 +6,192 @@ import { deleteManyOperationFactory } from 'test/integration/graphql/utils/delet
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { restoreManyOperationFactory } from 'test/integration/graphql/utils/restore-many-operation-factory.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('restoreManyObjectRecordsPermissions', () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
describe('permissions V2 disabled', () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
beforeAll(async () => {
// Create people
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
beforeAll(async () => {
// Create people
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
// Delete people
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(deleteGraphqlOperation);
});
await makeGraphqlAPIRequest(createGraphqlOperation);
// Delete people
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ restorePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
await makeGraphqlAPIRequest(deleteGraphqlOperation);
it('should restore multiple object records when user has permission (admin role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.restorePeople).toBeDefined();
expect(response.body.data.restorePeople).toHaveLength(2);
expect(response.body.data.restorePeople[0].id).toBe(personId1);
expect(response.body.data.restorePeople[1].id).toBe(personId2);
});
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
describe('permissions V2 enabled', () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
beforeAll(async () => {
// Create people
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
// Delete people
const deleteGraphqlOperation = deleteManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
},
});
await makeGraphqlAPIRequest(deleteGraphqlOperation);
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
expect(response.body.data).toStrictEqual({ restorePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should restore multiple object records when user has permission (admin role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
expect(response.body.data).toBeDefined();
expect(response.body.data.restorePeople).toBeDefined();
expect(response.body.data.restorePeople).toHaveLength(2);
expect(response.body.data.restorePeople[0].id).toBe(personId1);
expect(response.body.data.restorePeople[1].id).toBe(personId2);
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ restorePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should restore multiple object records when user has permission (admin role)', async () => {
const graphqlOperation = restoreManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.restorePeople).toBeDefined();
expect(response.body.data.restorePeople).toHaveLength(2);
expect(response.body.data.restorePeople[0].id).toBe(personId1);
expect(response.body.data.restorePeople[1].id).toBe(personId2);
});
});
});

281
packages/twenty-server/test/integration/graphql/suites/object-records-permissions/update-many-object-records-permissions.integration-spec.ts
View File

@ -2,81 +2,248 @@ import { randomUUID } from 'node:crypto';
import { PERSON_GQL_FIELDS } from 'test/integration/constants/person-gql-fields.constants';
import { createManyOperationFactory } from 'test/integration/graphql/utils/create-many-operation-factory.util';
import { makeGraphqlAPIRequestWithApiKey } from 'test/integration/graphql/utils/make-graphql-api-request-with-api-key.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { updateManyOperationFactory } from 'test/integration/graphql/utils/update-many-operation-factory.util';
import { SEED_APPLE_WORKSPACE_ID } from 'src/database/typeorm-seeds/core/workspaces';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
describe('updateManyObjectRecordsPermissions', () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
describe('permissions V2 disabled', () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
beforeAll(async () => {
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
beforeAll(async () => {
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
});
await makeGraphqlAPIRequest(createGraphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
data: {
jobTitle: 'Architect',
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ updatePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should update multiple object records when user has permission (admin role)', async () => {
const graphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
data: {
jobTitle: 'Architect',
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.updatePeople).toBeDefined();
expect(response.body.data.updatePeople).toHaveLength(2);
expect(response.body.data.updatePeople[0].jobTitle).toBe('Architect');
expect(response.body.data.updatePeople[1].jobTitle).toBe('Architect');
});
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [randomUUID(), randomUUID()],
},
},
data: {
jobTitle: 'Architect',
},
describe('permissions V2 enabled', () => {
beforeAll(async () => {
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
const response = await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
expect(response.body.data).toStrictEqual({ updatePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should update multiple object records when user has permission (admin role)', async () => {
const graphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
data: {
jobTitle: 'Architect',
},
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
expect(response.body.data).toBeDefined();
expect(response.body.data.updatePeople).toBeDefined();
expect(response.body.data.updatePeople).toHaveLength(2);
expect(response.body.data.updatePeople[0].jobTitle).toBe('Architect');
expect(response.body.data.updatePeople[1].jobTitle).toBe('Architect');
await makeGraphqlAPIRequest(createGraphqlOperation);
const updateGraphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
data: {
jobTitle: 'Senior Developer',
},
});
const response = await makeGraphqlAPIRequestWithGuestRole(
updateGraphqlOperation,
);
expect(response.body.data).toStrictEqual({ updatePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
it('should update multiple object records when user has permission (admin role)', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const updateGraphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
data: {
jobTitle: 'Tech Lead',
},
});
const response = await makeGraphqlAPIRequest(updateGraphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.updatePeople).toBeDefined();
expect(response.body.data.updatePeople).toHaveLength(2);
expect(response.body.data.updatePeople[0].id).toBe(personId1);
expect(response.body.data.updatePeople[1].id).toBe(personId2);
expect(response.body.data.updatePeople[0].jobTitle).toBe('Tech Lead');
expect(response.body.data.updatePeople[1].jobTitle).toBe('Tech Lead');
});
it('should update multiple object records when executed by api key', async () => {
const personId1 = randomUUID();
const personId2 = randomUUID();
const createGraphqlOperation = createManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
data: [
{
id: personId1,
},
{
id: personId2,
},
],
});
await makeGraphqlAPIRequest(createGraphqlOperation);
const updateGraphqlOperation = updateManyOperationFactory({
objectMetadataSingularName: 'person',
objectMetadataPluralName: 'people',
gqlFields: PERSON_GQL_FIELDS,
filter: {
id: {
in: [personId1, personId2],
},
},
data: {
jobTitle: 'Product Manager',
},
});
const response = await makeGraphqlAPIRequestWithApiKey(
updateGraphqlOperation,
);
expect(response.body.data).toBeDefined();
expect(response.body.data.updatePeople).toBeDefined();
expect(response.body.data.updatePeople).toHaveLength(2);
expect(response.body.data.updatePeople[0].id).toBe(personId1);
expect(response.body.data.updatePeople[1].id).toBe(personId2);
expect(response.body.data.updatePeople[0].jobTitle).toBe(
'Product Manager',
);
expect(response.body.data.updatePeople[1].jobTitle).toBe(
'Product Manager',
);
});
});
});