Skip to content

[permission] Override query builders db-executing methods #11714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 39 commits into from
Apr 24, 2025
Merged

[permission] Override query builders db-executing methods #11714

merged 39 commits into from
Apr 24, 2025

Conversation

ijreilly
Copy link
Collaborator

@ijreilly ijreilly commented Apr 24, 2025
edited
Loading

ijreilly added 30 commits April 7, 2025 11:02
@ijreilly
wip
53e6fb9
@ijreilly
working version
7add8cc
@ijreilly
refactor workspaceDatasourceFactory
9c87265
@ijreilly
greptile comments
d6d3ab5
@ijreilly
recompute object permissions after role update
076da2e
@ijreilly
fix linter
a9c9792
@ijreilly
Add shouldBypassPermissionChecks for twentyOrmGlobalManager
0052622
@ijreilly
improvements
e96f627
@ijreilly
Merge branch 'main' of github.com:twentyhq/twenty into perm--orm
0a69d0a
@ijreilly
Compute object record permissions taking into account ObjectPermission
015ea62
@ijreilly
fix test on findDuplicates
87c76e6
@ijreilly
add featureFlagMap to datasource
73cc82e
@ijreilly
fixes
1f28c39
@ijreilly
some improvements
0689041
@ijreilly
Merge branch 'perm--orm' of github.com:twentyhq/twenty into perm--orm…
8fc9b54 
…-twenty-global-orm-manager
@ijreilly
fix
355e1cd
@ijreilly
Merge branch 'main' of github.com:twentyhq/twenty into perm--orm-twen…
d6f0269 
…ty-global-orm-manager
@ijreilly
bypass permission checks if apiKey
3af8d2e
@ijreilly
recompute after object creation + organize flushing
debc96f
@ijreilly
handle apiKey
5ed8837
@ijreilly
add a first test for permissions V2
5d8613b
@ijreilly
fix resolver
31b631f
@ijreilly
handle rest api
5f369e8
@ijreilly
Merge branch 'main' of github.com:twentyhq/twenty into perm--orm-twen…
9de5fec 
…ty-global-orm-manager
@ijreilly
add integration test with api key
f079c53
@ijreilly
Merge branch 'main' of github.com:twentyhq/twenty into perm--orm-twen…
42a8052 
…ty-global-orm-manager
@ijreilly
adress greptile comments
40cdce2
@ijreilly
Merge branch 'main' of github.com:twentyhq/twenty into perm--orm-twen…
c8d00bf 
…ty-global-orm-manager
@ijreilly
commiting block-inherited-methods.util to keep a trace
4cb9fb2
@ijreilly
custom query builders
0c9c571
ijreilly
ijreilly commented Apr 24, 2025
View reviewed changes
packages/twenty-server/src/engine/twenty-orm/repository/workspace-query-builder.ts

import { WorkspaceSelectQueryBuilder } from 'src/engine/twenty-orm/repository/workspace-select-query-builder';

export class WorkspaceQueryBuilder<
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we actually don't need this: we use a SelectQueryBuilder in the initial createQueryBuilder method in workspace.repository

@ijreilly ijreilly marked this pull request as ready for review April 24, 2025 11:57
greptile-apps[bot]
greptile-apps bot reviewed Apr 24, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Summary

This PR implements a comprehensive permission system overhaul for database operations in the Twenty server, replacing the single WorkspaceQueryBuilder with specialized query builders for different operations.

  • Added new specialized query builders (WorkspaceInsertQueryBuilder, WorkspaceDeleteQueryBuilder, WorkspaceSoftDeleteQueryBuilder) with proper permission validation
  • Implemented permission checks in execute() methods across all query builders using validateQueryIsPermittedOrThrow
  • Added support for permissions V2 feature flag with backward compatibility
  • Added extensive integration tests covering permission scenarios for guest roles, admin roles, and API keys
  • Note: PR description appears to be incorrect as it references mobile display improvements but changes are about permission handling

17 file(s) reviewed, 14 comment(s)
Edit PR Review Bot Settings | Greptile

.../suites/object-records-permissions/delete-one-object-records-permissions.integration-spec.ts
Comment on lines +88 to +96
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);

expect(response.body.data).toStrictEqual({ deletePerson: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style: ensure feature flag is disabled even if test fails by using try/finally

...suites/object-records-permissions/destroy-one-object-records-permissions.integration-spec.ts
});

it('should throw a permission error when user does not have permission (guest role)', async () => {
const personId = randomUUID();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logic: personId is redefined here but never used in the test - the recordId in the operation could use the outer personId

...suites/object-records-permissions/update-many-object-records-permissions.integration-spec.ts
Comment on lines +44 to +46
id: {
in: [randomUUID(), randomUUID()],
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logic: Using random UUIDs in the filter when testing permission denial could mask actual permission issues. Consider using the same personId1/personId2 that were created to ensure the test is checking permissions and not just failing because records don't exist.

Suggested change
id: {
in: [randomUUID(), randomUUID()],
},
id: {
in: [personId1, personId2],
},

...suites/object-records-permissions/update-many-object-records-permissions.integration-spec.ts
Comment on lines +90 to +108
beforeAll(async () => {
const enablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
true,
);

await makeGraphqlAPIRequest(enablePermissionsQuery);
});

afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);

await makeGraphqlAPIRequest(disablePermissionsQuery);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style: Feature flag state changes in beforeAll/afterAll could affect other test suites running in parallel. Consider using a unique workspace ID for these tests.

...uites/object-records-permissions/restore-many-object-records-permissions.integration-spec.ts
Comment on lines +143 to +151
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);

expect(response.body.data).toStrictEqual({ restorePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style: Ensure feature flag is properly reset even if tests fail by using try/finally

Suggested change
afterAll(async () => {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
expect(response.body.data).toStrictEqual({ restorePeople: null });
expect(response.body.errors).toBeDefined();
expect(response.body.errors[0].message).toBe(
PermissionsExceptionMessage.PERMISSION_DENIED,
);
expect(response.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN);
});
await makeGraphqlAPIRequest(disablePermissionsQuery);
});
afterAll(async () => {
try {
const disablePermissionsQuery = updateFeatureFlagFactory(
SEED_APPLE_WORKSPACE_ID,
'IsPermissionsV2Enabled',
false,
);
await makeGraphqlAPIRequest(disablePermissionsQuery);
} catch (error) {
console.error('Failed to reset permissions feature flag:', error);
throw error;
}
});

Weiko
Weiko reviewed Apr 24, 2025
View reviewed changes
Weiko
Weiko approved these changes Apr 24, 2025
View reviewed changes
Copy link
Member

@Weiko Weiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👏

@ijreilly ijreilly merged commit e750ef2 into main Apr 24, 2025
36 checks passed
@ijreilly ijreilly deleted the perm--query-builders branch April 24, 2025 16:20
ehconitin pushed a commit that referenced this pull request Apr 24, 2025
@ijreilly @ehconitin
[permission] Override query builders db-executing methods (#11714)
d52f1ca 
closes twentyhq/core-team-issues#843
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@Weiko Weiko Weiko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Override all db-calling methods on query builders
2 participants
@ijreilly @Weiko