Restrict queried columns to graphql-requested fields (#13246)
Fixes https://github.com/twentyhq/core-team-issues/issues/255?issue=twentyhq%7Ccore-team-issues%7C1214. Until then, in the endpoints of our dynamic schema, we were querying all columns and then formatting the result by removing the non-requested fields (fields not mentioned in the graphql Query) from the result. This is not compatible with field-level permissions that we are about to introduce because users would see their request denied if they have restricted rights on any of the fields of the objects they are querying, even if they did not query it in the first place. To prepare for this change, we are restricting the list of queried columns to those made necessary by the graphql query. I only made the changes in the dynamic schema for now. We will potentially need to do updates to other part of the app that use createQueryBuilder directly or not (for instance, when calling repository methods such as .findOne()), but they mostly regard system objects that are not subject to permissions or are executed by entities that bypass permission such as jobs creating People and Companies from their email sync. No changes have been brought to existingRecords related logic in the dynamic schema because @Weiko is currently working on it, so I may need to adapt the new logic after he is done. No feature flag have been added so far as this should not change anything at the moment.
This commit is contained in:
Marie
@ -32,6 +32,10 @@ export class WorkspaceSelectQueryBuilder<
|
||||
this.shouldBypassPermissionChecks = shouldBypassPermissionChecks;
|
||||
}
|
||||
|
||||
getFindOptions() {
|
||||
return this.findOptions;
|
||||
}
|
||||
|
||||
override clone(): this {
|
||||
const clonedQueryBuilder = super.clone();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user