Files
twenty/packages/twenty-server/src/engine/guards/settings-permissions.guard.ts
Marie 12cc61e096 [permissions] Add workspace + security settings permission gates (#10204)
In this PR

- closing https://github.com/twentyhq/core-team-issues/issues/313
- adding permission gates on workspace settings and security settings
- adding integration tests for each of the protected setting and
security
2025-02-14 17:32:42 +01:00

65 lines
1.9 KiB
TypeScript

import {
CanActivate,
ExecutionContext,
Injectable,
mixin,
Type,
} from '@nestjs/common';
import { GqlExecutionContext } from '@nestjs/graphql';
import { SettingsFeatures } from 'twenty-shared';
import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import {
PermissionsException,
PermissionsExceptionCode,
PermissionsExceptionMessage,
} from 'src/engine/metadata-modules/permissions/permissions.exception';
import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
export const SettingsPermissionsGuard = (
requiredPermission: SettingsFeatures,
): Type<CanActivate> => {
@Injectable()
class SettingsPermissionsMixin implements CanActivate {
constructor(
private readonly featureFlagService: FeatureFlagService,
private readonly permissionsService: PermissionsService,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const ctx = GqlExecutionContext.create(context);
const workspaceId = ctx.getContext().req.workspace.id;
const permissionsEnabled = await this.featureFlagService.isFeatureEnabled(
FeatureFlagKey.IsPermissionsEnabled,
workspaceId,
);
if (!permissionsEnabled) {
return true;
}
const userWorkspaceId = ctx.getContext().req.userWorkspaceId;
const hasPermission =
await this.permissionsService.userHasWorkspaceSettingPermission({
userWorkspaceId,
_setting: requiredPermission,
});
if (hasPermission === true) {
return true;
}
throw new PermissionsException(
PermissionsExceptionMessage.PERMISSION_DENIED,
PermissionsExceptionCode.PERMISSION_DENIED,
);
}
}
return mixin(SettingsPermissionsMixin);
};