feat: refactoring casl permission checks for recursive nested operations (#778)

* feat: nested casl abilities * fix: remove unused packages * Fixes * Fix createMany broken * Fix lint * Fix lint * Fix lint * Fix lint * Fixes * Fix CommentThread * Fix bugs * Fix lint * Fix bugs * Fixed auto routing * Fixed app path --------- Co-authored-by: Charles Bochet <charles@twenty.com> Co-authored-by: Lucas Bordeau <bordeau.lucas@gmail.com>
2023-07-26 01:37:22 +02:00
parent 92b9e987a5
commit 51cfc0d82c
69 changed files with 1192 additions and 883 deletions
--- a/server/src/ability/handlers/workspace.ability-handler.ts
+++ b/server/src/ability/handlers/workspace.ability-handler.ts
@ -1,24 +1,22 @@
 import {
  ExecutionContext,
-  ForbiddenException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
 import { GqlExecutionContext } from '@nestjs/graphql';

-import { subject } from '@casl/ability';
-
 import { IAbilityHandler } from 'src/ability/interfaces/ability-handler.interface';

 import { PrismaService } from 'src/database/prisma.service';
 import { AbilityAction } from 'src/ability/ability.action';
 import { AppAbility } from 'src/ability/ability.factory';
 import { WorkspaceWhereInput } from 'src/core/@generated/workspace/workspace-where.input';
+import { relationAbilityChecker } from 'src/ability/ability.util';
 import { assert } from 'src/utils/assert';
-import { getRequest } from 'src/utils/extract-request';

-class WorksapceArgs {
+class WorkspaceArgs {
  where?: WorkspaceWhereInput;
+  [key: string]: any;
 }

@Injectable()
@ -37,7 +35,23 @@ export class ReadWorkspaceAbilityHandler implements IAbilityHandler {

@Injectable()
 export class CreateWorkspaceAbilityHandler implements IAbilityHandler {
-  handle(ability: AppAbility) {
+  constructor(private readonly prismaService: PrismaService) {}
+
+  async handle(ability: AppAbility, context: ExecutionContext) {
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs();
+
+    const allowed = await relationAbilityChecker(
+      'Workspace',
+      ability,
+      this.prismaService.client,
+      args,
+    );
+
+    if (!allowed) {
+      return false;
+    }
+
    return ability.can(AbilityAction.Create, 'Workspace');
  }
 }
@ -47,15 +61,25 @@ export class UpdateWorkspaceAbilityHandler implements IAbilityHandler {
  constructor(private readonly prismaService: PrismaService) {}

  async handle(ability: AppAbility, context: ExecutionContext) {
-    const request = getRequest(context);
-    assert(request.user.workspace.id, '', ForbiddenException);
-
-    const workspace = await this.prismaService.workspace.findUnique({
-      where: { id: request.user.workspace.id },
+    const gqlContext = GqlExecutionContext.create(context);
+    const args = gqlContext.getArgs<WorkspaceArgs>();
+    const workspace = await this.prismaService.client.workspace.findFirst({
+      where: args.where,
    });
    assert(workspace, '', NotFoundException);

-    return ability.can(AbilityAction.Update, subject('Workspace', workspace));
+    const allowed = await relationAbilityChecker(
+      'Workspace',
+      ability,
+      this.prismaService.client,
+      args,
+    );
+
+    if (!allowed) {
+      return false;
+    }
+
+    return ability.can(AbilityAction.Update, 'Workspace');
  }
 }

@ -65,12 +89,12 @@ export class DeleteWorkspaceAbilityHandler implements IAbilityHandler {

  async handle(ability: AppAbility, context: ExecutionContext) {
    const gqlContext = GqlExecutionContext.create(context);
-    const args = gqlContext.getArgs<WorksapceArgs>();
-    const workspace = await this.prismaService.workspace.findFirst({
+    const args = gqlContext.getArgs<WorkspaceArgs>();
+    const workspace = await this.prismaService.client.workspace.findFirst({
      where: args.where,
    });
    assert(workspace, '', NotFoundException);

-    return ability.can(AbilityAction.Delete, subject('Workspace', workspace));
+    return ability.can(AbilityAction.Delete, 'Workspace');
  }
 }