Adapt rest api to field permissions (#13314)

Closes https://github.com/twentyhq/core-team-issues/issues/1217

We should only query and return the fields that are readable when using
the rest api.
This is behind a feature flag.

packages/twenty-server/test/integration/graphql/utils/update-feature-flag-factory.util.ts

@@ -0,0 +1,26 @@
+import gql from 'graphql-tag';
+
+export const updateFeatureFlagFactory = (
+  workspaceId: string,
+  featureFlag: string,
+  value: boolean,
+) => ({
+  query: gql`
+    mutation UpdateWorkspaceFeatureFlag(
+      $workspaceId: String!
+      $featureFlag: String!
+      $value: Boolean!
+    ) {
+      updateWorkspaceFeatureFlag(
+        workspaceId: $workspaceId
+        featureFlag: $featureFlag
+        value: $value
+      )
+    }
+  `,
+  variables: {
+    workspaceId,
+    featureFlag,
+    value,
+  },
+});

packages/twenty-server/test/integration/graphql/utils/upsert-field-permissions-operation-factory.util.ts

@@ -0,0 +1,39 @@
+import gql from 'graphql-tag';
+
+export const createUpsertFieldPermissionsOperation = (
+  roleId: string,
+  fieldPermissions: Array<{
+    objectMetadataId: string;
+    fieldMetadataId: string;
+    canReadFieldValue?: boolean | null;
+    canUpdateFieldValue?: boolean | null;
+  }>,
+  selectedFields: string[] = [
+    'id',
+    'roleId',
+    'objectMetadataId',
+    'fieldMetadataId',
+    'canReadFieldValue',
+    'canUpdateFieldValue',
+  ],
+) => ({
+  query: gql`
+      mutation UpsertFieldPermissions(
+        $roleId: String!
+        $fieldPermissions: [FieldPermissionInput!]!
+      ) {
+        upsertFieldPermissions(
+          upsertFieldPermissionsInput: {
+            roleId: $roleId
+            fieldPermissions: $fieldPermissions
+          }
+        ) {
+          ${selectedFields.join('\n')}
+        }
+      }
+    `,
+  variables: {
+    roleId,
+    fieldPermissions,
+  },
+});

packages/twenty-server/test/integration/graphql/utils/upsert-field-permissions.util.ts

@@ -0,0 +1,30 @@
+import { createUpsertFieldPermissionsOperation } from 'test/integration/graphql/utils/upsert-field-permissions-operation-factory.util';
+import { makeMetadataAPIRequest } from 'test/integration/metadata/suites/utils/make-metadata-api-request.util';
+
+export const upsertFieldPermissions = async ({
+  roleId,
+  fieldPermissions,
+  selectedFields,
+}: {
+  roleId: string;
+  fieldPermissions: Array<{
+    objectMetadataId: string;
+    fieldMetadataId: string;
+    canReadFieldValue?: boolean | null;
+    canUpdateFieldValue?: boolean | null;
+  }>;
+  selectedFields?: string[];
+}) => {
+  const operation = createUpsertFieldPermissionsOperation(
+    roleId,
+    fieldPermissions,
+    selectedFields,
+  );
+
+  const response = await makeMetadataAPIRequest(operation);
+
+  return {
+    data: response.body.data,
+    errors: response.body.errors,
+  };
+};

packages/twenty-server/test/integration/rest/suites/field-permissions.integration-spec.ts

@@ -0,0 +1,174 @@
+import gql from 'graphql-tag';
+import { TEST_PERSON_1_ID } from 'test/integration/constants/test-person-ids.constants';
+import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
+import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
+import { upsertFieldPermissions } from 'test/integration/graphql/utils/upsert-field-permissions.util';
+import { makeMetadataAPIRequest } from 'test/integration/metadata/suites/utils/make-metadata-api-request.util';
+import { makeRestAPIRequest } from 'test/integration/rest/utils/make-rest-api-request.util';
+import { generateRecordName } from 'test/integration/utils/generate-record-name';
+
+import { SEED_APPLE_WORKSPACE_ID } from 'src/engine/workspace-manager/dev-seeder/core/utils/seed-workspaces.util';
+
+describe('Restricted fields', () => {
+  let personCity: string;
+  let adminRoleId: string;
+  let personObjectId: string;
+  let emailsFieldId: string;
+
+  beforeAll(async () => {
+    personCity = generateRecordName(TEST_PERSON_1_ID);
+
+    await makeRestAPIRequest({
+      method: 'post',
+      path: '/people',
+      body: {
+        id: TEST_PERSON_1_ID,
+        city: personCity,
+        emails: {
+          primaryEmail: 'test@test.com',
+        },
+      },
+    });
+
+    // Get object metadata IDs for Person and Company
+    const getObjectMetadataOperation = {
+      query: gql`
+        query {
+          objects(paging: { first: 1000 }) {
+            edges {
+              node {
+                id
+                nameSingular
+              }
+            }
+          }
+        }
+      `,
+    };
+
+    const objectMetadataResponse = await makeMetadataAPIRequest(
+      getObjectMetadataOperation,
+    );
+    const objects = objectMetadataResponse.body.data.objects.edges;
+
+    personObjectId = objects.find(
+      (obj: any) => obj.node.nameSingular === 'person',
+    )?.node.id;
+
+    // Get field metadata ID for email field
+    const getFieldMetadataOperation = {
+      query: gql`
+        query {
+          fields(paging: { first: 1000 }) {
+            edges {
+              node {
+                id
+                name
+                object {
+                  nameSingular
+                }
+              }
+            }
+          }
+        }
+      `,
+    };
+
+    const fieldMetadataResponse = await makeMetadataAPIRequest(
+      getFieldMetadataOperation,
+    );
+    const fields = fieldMetadataResponse.body.data.fields.edges;
+
+    emailsFieldId = fields.find(
+      (field: any) =>
+        field.node.name === 'emails' &&
+        field.node.object.nameSingular === 'person',
+    ).node.id;
+
+    // Get admin role ID
+    const getRolesOperation = {
+      query: gql`
+        query {
+          getRoles {
+            id
+            label
+          }
+        }
+      `,
+    };
+
+    const rolesResponse = await makeMetadataAPIRequest(getRolesOperation);
+
+    adminRoleId = rolesResponse.body.data.getRoles.find(
+      (role: any) => role.label === 'Member',
+    )?.id;
+
+    // Create field permission restricting read access to email field
+    await upsertFieldPermissions({
+      roleId: adminRoleId,
+      fieldPermissions: [
+        {
+          objectMetadataId: personObjectId,
+          fieldMetadataId: emailsFieldId,
+          canReadFieldValue: false,
+          canUpdateFieldValue: null,
+        },
+      ],
+    });
+  });
+
+  describe('With Feature flag enabled', () => {
+    beforeAll(async () => {
+      const enablePermissionsQuery = updateFeatureFlagFactory(
+        SEED_APPLE_WORKSPACE_ID,
+        'IS_FIELDS_PERMISSIONS_ENABLED',
+        true,
+      );
+
+      await makeGraphqlAPIRequest(enablePermissionsQuery);
+    });
+
+    afterAll(async () => {
+      const disablePermissionsQuery = updateFeatureFlagFactory(
+        SEED_APPLE_WORKSPACE_ID,
+        'IS_FIELDS_PERMISSIONS_ENABLED',
+        false,
+      );
+
+      await makeGraphqlAPIRequest(disablePermissionsQuery);
+    });
+    it('should hide fields when user has restricted read permissions', async () => {
+      await makeRestAPIRequest({
+        method: 'get',
+        path: `/people/${TEST_PERSON_1_ID}`,
+        bearer: APPLE_JONY_MEMBER_ACCESS_TOKEN,
+      })
+        .expect(200)
+        .expect((res) => {
+          const person = res.body.data.person;
+
+          expect(person).toBeDefined();
+          expect(person.id).toBeDefined();
+          expect(person.emails).toBeUndefined();
+        });
+    });
+  });
+
+  describe('With feature flag disabled', () => {
+    it('should query all fields despite field permission restriction', async () => {
+      await makeRestAPIRequest({
+        method: 'get',
+        path: `/people/${TEST_PERSON_1_ID}`,
+        bearer: APPLE_JONY_MEMBER_ACCESS_TOKEN,
+      })
+        .expect(200)
+        .expect((res) => {
+          const person = res.body.data.person;
+
+          expect(person).toBeDefined();
+          expect(person.id).toBeDefined();
+          expect(person.emails).toBeDefined();
+        });
+    });
+  });
+});