[permissions] Writing permission does not go without reading permission (#12573)

Closes https://github.com/twentyhq/core-team-issues/issues/868 We should not allow to grant any writing permission (update, soft delete, delete) on an object or at role-level without the reading permission at the same level. This has been implemented in the front-end at role level, and is yet to be done at object level (@Weiko)
2025-06-16 12:04:38 +02:00
parent bee1717d37
commit cdc4badec3
11 changed files with 1009 additions and 30 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/object-permission/tests/object-permission.service.spec.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/object-permission/tests/object-permission.service.spec.ts
@ -4,6 +4,9 @@ import { getRepositoryToken } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';

 import { ObjectMetadataEntity } from 'src/engine/metadata-modules/object-metadata/object-metadata.entity';
+import { UpsertObjectPermissionsInput } from 'src/engine/metadata-modules/object-permission/dtos/upsert-object-permissions.input';
+import { ObjectPermissionEntity } from 'src/engine/metadata-modules/object-permission/object-permission.entity';
+import { ObjectPermissionService } from 'src/engine/metadata-modules/object-permission/object-permission.service';
 import {
  PermissionsException,
  PermissionsExceptionCode,
@ -14,11 +17,6 @@ import { ObjectMetadataItemWithFieldMaps } from 'src/engine/metadata-modules/typ
 import { WorkspacePermissionsCacheService } from 'src/engine/metadata-modules/workspace-permissions-cache/workspace-permissions-cache.service';
 import { WorkspaceCacheStorageService } from 'src/engine/workspace-cache-storage/workspace-cache-storage.service';

-import { ObjectPermissionEntity } from './object-permission.entity';
-import { ObjectPermissionService } from './object-permission.service';
-
-import { UpsertObjectPermissionsInput } from './dtos/upsert-object-permissions.input';
-
 describe('ObjectPermissionService', () => {
  let service: ObjectPermissionService;
  let objectPermissionRepository: jest.Mocked<
@ -89,7 +87,8 @@ describe('ObjectPermissionService', () => {
        id: roleId,
        workspaceId,
        isEditable: true,
-      } as RoleEntity);
+        objectPermissions: [],
+      } as unknown as RoleEntity);
    });

    it('should throw PermissionsException when trying to add object permission on system object', async () => {
--- a/packages/twenty-server/src/engine/metadata-modules/object-permission/object-permission.service.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/object-permission/object-permission.service.ts
@ -4,7 +4,10 @@ import { isDefined } from 'twenty-shared/utils';
 import { In, Repository } from 'typeorm';

 import { ObjectMetadataEntity } from 'src/engine/metadata-modules/object-metadata/object-metadata.entity';
-import { UpsertObjectPermissionsInput } from 'src/engine/metadata-modules/object-permission/dtos/upsert-object-permissions.input';
+import {
+  ObjectPermissionInput,
+  UpsertObjectPermissionsInput,
+} from 'src/engine/metadata-modules/object-permission/dtos/upsert-object-permissions.input';
 import { ObjectPermissionEntity } from 'src/engine/metadata-modules/object-permission/object-permission.entity';
 import {
  PermissionsException,
@ -35,11 +38,20 @@ export class ObjectPermissionService {
    input: UpsertObjectPermissionsInput;
  }): Promise<ObjectPermissionEntity[]> {
    try {
-      await this.validateRoleIsEditableOrThrow({
+      const role = await this.getRoleOrThrow({
        roleId: input.roleId,
        workspaceId,
      });

+      await this.validateRoleIsEditableOrThrow({
+        role,
+      });
+
+      await this.validateObjectPermissionsReadAndWriteConsistencyOrThrow({
+        objectPermissions: input.objectPermissions,
+        roleWithObjectPermissions: role,
+      });
+
      const { byId: objectMetadataMapsById } =
        await this.workspaceCacheStorageService.getObjectMetadataMapsOrThrow(
          workspaceId,
@ -117,6 +129,58 @@ export class ObjectPermissionService {
    }
  }

+  private async validateObjectPermissionsReadAndWriteConsistencyOrThrow({
+    objectPermissions: newObjectPermissions,
+    roleWithObjectPermissions,
+  }: {
+    objectPermissions: ObjectPermissionInput[];
+    roleWithObjectPermissions: RoleEntity;
+  }) {
+    const existingObjectPermissions =
+      roleWithObjectPermissions.objectPermissions;
+
+    for (const newObjectPermission of newObjectPermissions) {
+      const existingObjectRecordPermission = existingObjectPermissions.find(
+        (objectPermission) =>
+          objectPermission.objectMetadataId ===
+          newObjectPermission.objectMetadataId,
+      );
+
+      const hasReadPermissionAfterUpdate =
+        newObjectPermission.canReadObjectRecords ??
+        existingObjectRecordPermission?.canReadObjectRecords ??
+        roleWithObjectPermissions.canReadAllObjectRecords;
+
+      if (hasReadPermissionAfterUpdate === false) {
+        const hasUpdatePermissionAfterUpdate =
+          newObjectPermission.canUpdateObjectRecords ??
+          existingObjectRecordPermission?.canUpdateObjectRecords ??
+          roleWithObjectPermissions.canUpdateAllObjectRecords;
+
+        const hasSoftDeletePermissionAfterUpdate =
+          newObjectPermission.canSoftDeleteObjectRecords ??
+          existingObjectRecordPermission?.canSoftDeleteObjectRecords ??
+          roleWithObjectPermissions.canSoftDeleteAllObjectRecords;
+
+        const hasDestroyPermissionAfterUpdate =
+          newObjectPermission.canDestroyObjectRecords ??
+          existingObjectRecordPermission?.canDestroyObjectRecords ??
+          roleWithObjectPermissions.canDestroyAllObjectRecords;
+
+        if (
+          hasUpdatePermissionAfterUpdate ||
+          hasSoftDeletePermissionAfterUpdate ||
+          hasDestroyPermissionAfterUpdate
+        ) {
+          throw new PermissionsException(
+            PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
+            PermissionsExceptionCode.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
+          );
+        }
+      }
+    }
+  }
+
  private async handleForeignKeyError({
    error,
    roleId,
@ -159,7 +223,7 @@ export class ObjectPermissionService {
    }
  }

-  private async validateRoleIsEditableOrThrow({
+  private async getRoleOrThrow({
    roleId,
    workspaceId,
  }: {
@ -171,9 +235,21 @@ export class ObjectPermissionService {
        id: roleId,
        workspaceId,
      },
+      relations: ['objectPermissions'],
    });

-    if (!role?.isEditable) {
+    if (!isDefined(role)) {
+      throw new PermissionsException(
+        PermissionsExceptionMessage.ROLE_NOT_FOUND,
+        PermissionsExceptionCode.ROLE_NOT_FOUND,
+      );
+    }
+
+    return role;
+  }
+
+  private async validateRoleIsEditableOrThrow({ role }: { role: RoleEntity }) {
+    if (!role.isEditable) {
      throw new PermissionsException(
        PermissionsExceptionMessage.ROLE_NOT_EDITABLE,
        PermissionsExceptionCode.ROLE_NOT_EDITABLE,