
[field-level permissions] Upsert fieldPermission + use fieldPermission to compute permissions #13050


Open
wants to merge 4 commits into
base: main

Conversation

ijreilly
Collaborator

@ijreilly ijreilly commented Jul 4, 2025

In this PR

  • introduction of fieldPermission entity
  • addition of upsertFieldPermission in role resolver
  • computing of permissions taking fieldPermission into account. In order to limit what is stored in Redis, we only store field restrictions. For instance, for objectMetadata with id XXX with a restriction on the field with id YYY, we store: "XXX":{"canRead":true,"canUpdate":false,"canSoftDelete":false,"canDestroy":false,"restrictedFields":{"YYY":{"canRead":false,"canUpdate":null}}}

TO DO: write integration tests on upsertFieldPermission once logic is approved

Contributor

@greptile-apps greptile-apps bot left a comment

PR Summary

Major PR introducing granular field-level permissions system with Redis caching optimization.

  • Adds new fieldPermission entity with canReadFieldRecords and canUpdateFieldRecords flags, connected to roles, object metadata, and field metadata
  • Implements Redis caching optimization storing only field restrictions in format XXX:{restrictedFields:{YYY:{canRead:false,canUpdate:null}}}
  • Creates new upsertFieldPermissions mutation in RoleResolver for managing field-level access controls
  • Introduces IS_FIELDS_PERMISSIONS_ENABLED feature flag for controlled rollout
  • Adds migration 1751637682801-addFieldPermission.ts creating field permissions table with appropriate cascading relationships

19 files reviewed, 15 comments
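
One way a consumer could evaluate the compact cache entry quoted in the PR description and the review summary above (an added example, not code from this PR or the project). Assumptions: `null` or a missing field entry inherits the object-level flag, a field entry can only narrow access, and the names `resolveFieldPermission`, `redactRecord` and `sampleCache` are hypothetical.

```typescript
// Added example, not code from the PR. Shapes follow the cached JSON quoted above;
// the null-inherits rule and every function name here are assumptions.
type FieldRestriction = { canRead: boolean | null; canUpdate: boolean | null };
type CachedObjectPermission = {
  canRead: boolean;
  canUpdate: boolean;
  canSoftDelete: boolean;
  canDestroy: boolean;
  restrictedFields: Record<string, FieldRestriction>;
};
type RolePermissionCache = Record<string, CachedObjectPermission>;

// Constructed sample: the entry from the PR description, keyed by objectMetadataId.
const sampleCache: RolePermissionCache = {
  XXX: {
    canRead: true, canUpdate: false, canSoftDelete: false, canDestroy: false,
    restrictedFields: { YYY: { canRead: false, canUpdate: null } },
  },
};

function resolveFieldPermission(
  cache: RolePermissionCache,
  objectMetadataId: string,
  fieldMetadataId: string,
): { canRead: boolean; canUpdate: boolean } {
  const objectPermission = cache[objectMetadataId];
  // Fail closed: an object that is missing from the cache grants nothing.
  if (!objectPermission) return { canRead: false, canUpdate: false };
  const restriction = objectPermission.restrictedFields[fieldMetadataId];
  // Assumed semantics: null or absent inherits the object-level flag, and a
  // field entry can only narrow access, never widen it past the object level.
  return {
    canRead: objectPermission.canRead && (restriction?.canRead ?? true),
    canUpdate: objectPermission.canUpdate && (restriction?.canUpdate ?? true),
  };
}

// Drop unreadable fields from a record keyed by fieldMetadataId before returning it.
function redactRecord(
  cache: RolePermissionCache,
  objectMetadataId: string,
  record: Record<string, unknown>,
): Record<string, unknown> {
  const visible: Record<string, unknown> = {};
  for (const fieldId of Object.keys(record)) {
    if (resolveFieldPermission(cache, objectMetadataId, fieldId).canRead) visible[fieldId] = record[fieldId];
  }
  return visible;
}
```

Because only restrictions are cached, a field with no entry resolves to the object-level flags, so a lost or stale `restrictedFields` entry widens access rather than narrowing it; cache invalidation on upsert is the control to check.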

Comment on lines +18 to +21
@Unique('IDX_FIELD_PERMISSION_FIELD_METADATA_ID_ROLE_ID_UNIQUE', [
'fieldMetadataId',
'roleId',
])
Contributor

style: Consider adding a composite index including objectMetadataId since it's a required field and would likely be queried together with fieldMetadataId and roleId

Comment on lines +67 to +68
@Column({ nullable: false, type: 'uuid' })
workspaceId: string;
Contributor

logic: workspaceId relation and cascade behavior not defined - should match pattern from ObjectPermissionEntity

import { Field, ObjectType } from '@nestjs/graphql';

@ObjectType('FieldPermission')
export class FieldPermissionDTO {
Contributor

style: Add JSDoc comment to document the DTO's purpose and usage

Contributor

github-actions bot commented Jul 4, 2025

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:46776

This environment will automatically shut down when the PR is closed or after 5 hours.

@charlesBochet charlesBochet assigned Weiko and ijreilly and unassigned Weiko Jul 4, 2025
@Weiko Weiko self-requested a review July 4, 2025 23:20