admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
47a03e39071f59dd047ff1ce37cebbcc54bc9c21
twenty/packages/twenty-server/test/integration/graphql/suites/settings-permissions/workflows.integration-spec.ts
Marie 04dd0e50bb [permissions] permissions and workflows (#12436) 
In this PR

- Determine object record permissions on workflows objects (workflow,
workflowVersion, workflowRun) base on settings permissions @Weiko
- Add Workflow permission guards on workflow resolvers @thomtrp . **Any
method within a resolver that has the SettingsPermission Guard is only
callable by a apiKey or a user that has the permission** (so not by
external parties).
- Add checks bypass in workflow services since 1) for actions gated by
settings permissions, the gate should be done at resolver level, so it
will have been done before the call to the service 2) some service
methods may be called by workflowTriggerController which is callable by
external parties without permissions (ex:
workflowCommonWorkspaceService.getWorkflowVersionOrFail). This is
something we may want to change in the future (still to discuss), by
removing the guard at resolver-level and relying on
shouldBypassPermissionChecks at getRepository and made in a way that we
only bypass for external parties.
- Add checks bypass for actions performed by workflows since they should
not be restricted in our current vision
- Add tests
2025-06-11 16:47:29 +00:00

371 lines
13 KiB
TypeScript
Raw Blame History

import { randomUUID } from 'node:crypto';
import { WORKFLOW_GQL_FIELDS } from 'test/integration/constants/workflow-gql-fields.constants';
import { createOneOperationFactory } from 'test/integration/graphql/utils/create-one-operation-factory.util';
import { destroyOneOperationFactory } from 'test/integration/graphql/utils/destroy-one-operation-factory.util';
import { makeGraphqlAPIRequestWithApiKey } from 'test/integration/graphql/utils/make-graphql-api-request-with-api-key.util';
import { makeGraphqlAPIRequestWithGuestRole } from 'test/integration/graphql/utils/make-graphql-api-request-with-guest-role.util';
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
import { updateOneOperationFactory } from 'test/integration/graphql/utils/update-one-operation-factory.util';
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
import { SEED_APPLE_WORKSPACE_ID } from 'src/engine/workspace-manager/dev-seeder/core/utils/seed-workspaces.util';
describe('workflowsPermissions', () => {
describe('createOne workflow', () => {
describe('permissions V2 disabled', () => {
it('should throw a permission error when user does not have permission (guest role)', async () => {
const workflowId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Test Workflow',
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ createWorkflow: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(
ErrorCode.FORBIDDEN,
);
});
it('should create a workflow when user has permission (admin role)', async () => {
const workflowId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Test Workflow Admin',
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.createWorkflow).toBeDefined();
expect(response.body.data.createWorkflow.id).toBe(workflowId);
expect(response.body.data.createWorkflow.name).toBe(
'Test Workflow Admin',
);
// Clean up - delete the created workflow
const destroyWorkflowOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: `
id
`,
recordId: response.body.data.createWorkflow.id,
});
await makeGraphqlAPIRequest(destroyWorkflowOperation);
});
});
describe('permissions V2 enabled', () => {
beforeAll(async () => {
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IS_PERMISSIONS_V2_ENABLED',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IS_PERMISSIONS_V2_ENABLED',
false,
);
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const workflowId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Test Workflow V2',
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ createWorkflow: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(
ErrorCode.FORBIDDEN,
);
});
it('should create a workflow when user has permission (admin role)', async () => {
const workflowId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Test Workflow Admin',
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.createWorkflow).toBeDefined();
expect(response.body.data.createWorkflow.id).toBe(workflowId);
expect(response.body.data.createWorkflow.name).toBe(
'Test Workflow Admin',
);
// Clean up - delete the created workflow
const destroyWorkflowOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: `
id
`,
recordId: response.body.data.createWorkflow.id,
});
await makeGraphqlAPIRequest(destroyWorkflowOperation);
});
it('should create a workflow when executed by api key', async () => {
const workflowId = randomUUID();
const graphqlOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Test Workflow API Key',
},
});
const response =
await makeGraphqlAPIRequestWithApiKey(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.createWorkflow).toBeDefined();
expect(response.body.data.createWorkflow.id).toBe(workflowId);
expect(response.body.data.createWorkflow.name).toBe(
'Test Workflow API Key',
);
// Clean up - delete the created workflow
const destroyWorkflowOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: `
id
`,
recordId: response.body.data.createWorkflow.id,
});
await makeGraphqlAPIRequest(destroyWorkflowOperation);
});
});
});
describe('updateOne workflow', () => {
describe('permissions V2 disabled', () => {
const workflowId = randomUUID();
beforeAll(async () => {
const createWorkflowOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Original Workflow Name',
},
});
await makeGraphqlAPIRequest(createWorkflowOperation);
});
afterAll(async () => {
const destroyWorkflowOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: `
id
`,
recordId: workflowId,
});
await makeGraphqlAPIRequest(destroyWorkflowOperation);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = updateOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
recordId: workflowId,
data: {
name: 'Updated Workflow Name Guest',
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ updateWorkflow: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(
ErrorCode.FORBIDDEN,
);
});
it('should update a workflow when user has permission (admin role)', async () => {
const graphqlOperation = updateOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
recordId: workflowId,
data: {
name: 'Updated Workflow Name Admin',
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.updateWorkflow).toBeDefined();
expect(response.body.data.updateWorkflow.id).toBe(workflowId);
expect(response.body.data.updateWorkflow.name).toBe(
'Updated Workflow Name Admin',
);
});
});
describe('permissions V2 enabled', () => {
const workflowId = randomUUID();
beforeAll(async () => {
const createWorkflowOperation = createOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
data: {
id: workflowId,
name: 'Original Workflow V2',
},
});
await makeGraphqlAPIRequest(createWorkflowOperation);
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IS_PERMISSIONS_V2_ENABLED',
true,
);
await makeGraphqlAPIRequest(enablePermissionsQuery);
});
afterAll(async () => {
const destroyWorkflowOperation = destroyOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: `
id
`,
recordId: workflowId,
});
await makeGraphqlAPIRequest(destroyWorkflowOperation);
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IS_PERMISSIONS_V2_ENABLED',
false,
);
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
it('should throw a permission error when user does not have permission (guest role)', async () => {
const graphqlOperation = updateOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
recordId: workflowId,
data: {
name: 'Updated Workflow V2 Guest',
},
});
const response =
await makeGraphqlAPIRequestWithGuestRole(graphqlOperation);
expect(response.body.data).toStrictEqual({ updateWorkflow: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(
ErrorCode.FORBIDDEN,
);
});
it('should update a workflow when user has permission (admin role)', async () => {
const graphqlOperation = updateOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
recordId: workflowId,
data: {
name: 'Updated Workflow V2 Admin',
},
});
const response = await makeGraphqlAPIRequest(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.updateWorkflow).toBeDefined();
expect(response.body.data.updateWorkflow.id).toBe(workflowId);
expect(response.body.data.updateWorkflow.name).toBe(
'Updated Workflow V2 Admin',
);
});
it('should update a workflow when executed by api key', async () => {
const graphqlOperation = updateOneOperationFactory({
objectMetadataSingularName: 'workflow',
gqlFields: WORKFLOW_GQL_FIELDS,
recordId: workflowId,
data: {
name: 'Updated Workflow API Key',
},
});
const response =
await makeGraphqlAPIRequestWithApiKey(graphqlOperation);
expect(response.body.data).toBeDefined();
expect(response.body.data.updateWorkflow).toBeDefined();
expect(response.body.data.updateWorkflow.id).toBe(workflowId);
expect(response.body.data.updateWorkflow.name).toBe(
'Updated Workflow API Key',
);
});
});
});
});
Reference in New Issue View Git Blame Copy Permalink