admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e4f06a7c97698997bb3cdda96292f5df56d1fe67
twenty/packages/twenty-server/src/modules/workspace-member/query-hooks/workspace-member-pre-query-hook.service.ts
Marie e4f06a7c97 [permissions] Add permission gates on workspaceMember (#10447) 
- Adding permission gates on workspaceMember to only allow user with
admin permissions OR users attempting to update or delete themself to
perform write operations on workspaceMember object
- Reverting some changes to treat workflow objects as regular metadata
objects (any user can interact with them)
- (fix) Block updates on soft deleted records
2025-02-24 16:59:28 +01:00

80 lines
2.3 KiB
TypeScript
Raw Blame History

import { Injectable } from '@nestjs/common';
import { isDefined } from 'twenty-shared';
import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import { SettingsPermissions } from 'src/engine/metadata-modules/permissions/constants/settings-permissions.constants';
import {
PermissionsException,
PermissionsExceptionCode,
PermissionsExceptionMessage,
} from 'src/engine/metadata-modules/permissions/permissions.exception';
import { PermissionsService } from 'src/engine/metadata-modules/permissions/permissions.service';
import { ApiKeyWorkspaceEntity } from 'src/modules/api-key/standard-objects/api-key.workspace-entity';
@Injectable()
export class WorkspaceMemberPreQueryHookService {
constructor(
private readonly permissionsService: PermissionsService,
private readonly featureFlagService: FeatureFlagService,
) {}
async validateWorkspaceMemberUpdatePermissionOrThrow({
userWorkspaceId,
workspaceMemberId,
targettedWorkspaceMemberId,
workspaceId,
apiKey,
}: {
userWorkspaceId?: string;
workspaceMemberId?: string;
targettedWorkspaceMemberId?: string;
workspaceId: string;
apiKey?: ApiKeyWorkspaceEntity | null;
}) {
const featureFlagsMap =
await this.featureFlagService.getWorkspaceFeatureFlagsMap(workspaceId);
const isPermissionsEnabled =
featureFlagsMap[FeatureFlagKey.IsPermissionsEnabled];
if (!isPermissionsEnabled) {
return;
}
if (isDefined(apiKey)) {
return;
}
if (!userWorkspaceId) {
throw new PermissionsException(
PermissionsExceptionMessage.USER_WORKSPACE_NOT_FOUND,
PermissionsExceptionCode.USER_WORKSPACE_NOT_FOUND,
);
}
if (
isDefined(targettedWorkspaceMemberId) &&
workspaceMemberId === targettedWorkspaceMemberId
) {
return;
}
if (
await this.permissionsService.userHasWorkspaceSettingPermission({
userWorkspaceId,
workspaceId,
_setting: SettingsPermissions.WORKSPACE_MEMBERS,
})
) {
return;
}
throw new PermissionsException(
PermissionsExceptionMessage.PERMISSION_DENIED,
PermissionsExceptionCode.PERMISSION_DENIED,
);
}
}
Reference in New Issue View Git Blame Copy Permalink