Add tests on granular settings permissions #12403
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
PR Summary
Added comprehensive integration tests for granular settings permissions, focusing on role-based access control and permission management.
- Added tests in
/packages/twenty-server/test/integration/graphql/suites/settings-permissions/granular-settings-permissions.tsto verify data model and workspace operations for custom roles - Implemented test cases for permission inheritance, ensuring
canUpdateAllSettings=falseis properly overridden by specific setting permissions - Added validation for dynamic permission updates, testing the ability to add/remove setting permissions from existing roles
- Included proper test setup/teardown with Permissions V2 feature flag management
- Added test coverage for denied operations, verifying proper error handling when users lack required permissions
1 file(s) reviewed, 2 comment(s)
Edit PR Review Bot Settings | Greptile
Comment on lines
+48
to
+50
| originalMemberRoleId = rolesResponse.body.data.getRoles.find( | ||
| (role: any) => role.label === 'Member', | ||
| ).id; |
There was a problem hiding this comment.
logic: Unsafe type assertion with 'any'. Consider adding type guard or error handling if role is not found.
Suggested change
| originalMemberRoleId = rolesResponse.body.data.getRoles.find( | |
| (role: any) => role.label === 'Member', | |
| ).id; | |
| const memberRole = rolesResponse.body.data.getRoles.find( | |
| (role: any) => role.label === 'Member', | |
| ); | |
| if (!memberRole) throw new Error('Member role not found'); | |
| originalMemberRoleId = memberRole.id; |
Comment on lines
+366
to
+368
| const customRole = response.body.data.getRoles.find( | ||
| (role: any) => role.id === customRoleId, | ||
| ); |
There was a problem hiding this comment.
logic: Add error handling for case where customRole is not found in getRoles response
Suggested change
| const customRole = response.body.data.getRoles.find( | |
| (role: any) => role.id === customRoleId, | |
| ); | |
| const customRole = response.body.data.getRoles.find( | |
| (role: any) => role.id === customRoleId, | |
| ); | |
| if (!customRole) throw new Error('Custom role not found'); |
|
🚀 Preview Environment Ready! Your preview environment is available at: http://bore.pub:17340 This environment will automatically shut down when the PR is closed or after 5 hours. |
Weiko
approved these changes
Jun 2, 2025
abdulrahmancodes
pushed a commit
to abdulrahmancodes/twenty
that referenced
this pull request
Jun 2, 2025
Closes twentyhq/core-team-issues#605 Actually settingsPermissions checks were already implemented, but we had no tests on them. In the ticket we had mentioned _TO DO: in pemissions.service we should stop calling userRoleService.getRolesByUserWorkspaces and call getRoleIdForUserWorkspace instead which relies on the cache._ But actually roleId is not enough for settings permissions because we don't store them in the cache (unlien object records permissions - which I think we had forgotten about when adding that TODO.), so we will still need to make a db call to load the role's settingsPermissions. I think it's better to make just one db call to get the role and settingsPermissions from userWorkspaceId (as currently) than to make one redis call to get roleId for userWorksapce then one db call to get role and its settingsPermissions).
abdulrahmancodes
pushed a commit
to abdulrahmancodes/twenty
that referenced
this pull request
Jun 3, 2025
Closes twentyhq/core-team-issues#605 Actually settingsPermissions checks were already implemented, but we had no tests on them. In the ticket we had mentioned _TO DO: in pemissions.service we should stop calling userRoleService.getRolesByUserWorkspaces and call getRoleIdForUserWorkspace instead which relies on the cache._ But actually roleId is not enough for settings permissions because we don't store them in the cache (unlien object records permissions - which I think we had forgotten about when adding that TODO.), so we will still need to make a db call to load the role's settingsPermissions. I think it's better to make just one db call to get the role and settingsPermissions from userWorkspaceId (as currently) than to make one redis call to get roleId for userWorksapce then one db call to get role and its settingsPermissions).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes twentyhq/core-team-issues#605
Actually settingsPermissions checks were already implemented, but we had no tests on them.
In the ticket we had mentioned
TO DO: in pemissions.service we should stop calling userRoleService.getRolesByUserWorkspaces and call getRoleIdForUserWorkspace instead which relies on the cache.
But actually roleId is not enough for settings permissions because we don't store them in the cache (unlien object records permissions - which I think we had forgotten about when adding that TODO.), so we will still need to make a db call to load the role's settingsPermissions. I think it's better to make just one db call to get the role and settingsPermissions from userWorkspaceId (as currently) than to make one redis call to get roleId for userWorksapce then one db call to get role and its settingsPermissions).