[permissions] Add permission gates on workspace-invitations #10394
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
PR Summary
This PR adds permission gates to workspace invitation endpoints and their corresponding integration tests, ensuring proper access control for invitation management.
- Added
SettingsPermissionsGuardwithWORKSPACE_USERSfeature flag toworkspace-invitation.resolver.tsto restrict invitation operations - Added comprehensive integration tests in
workspace-invitation.integration-spec.tsverifying permission denials for send/resend/find/delete operations - Added
makeMetadataAPIRequestWithMemberRoleutility in/test/integration/metadata/suites/utilsfor consistent member role testing - Added integration tests for API key and webhook permissions in
api-key-webhooks.integration-spec.ts - Added data model permission tests in
data-model.integration-spec.tsfor field/object metadata operations
7 file(s) reviewed, 8 comment(s)
Edit PR Review Bot Settings | Greptile
| gqlFields: ` | ||
| id | ||
| `, |
There was a problem hiding this comment.
style: Inconsistent indentation in gqlFields template literal compared to other similar queries
| afterAll(async () => { | ||
| await deleteFieldMetadata(testFieldId); | ||
| await deleteOneObjectMetadataItem(listingObjectId); | ||
| }); |
There was a problem hiding this comment.
style: Consider wrapping cleanup operations in try/catch to ensure cleanup runs even if one operation fails
|
|
||
| await makeGraphqlAPIRequest(disablePermissionsQuery); | ||
| }); | ||
| describe('generateApiKeyToken', () => { |
There was a problem hiding this comment.
logic: Test suite only covers generateApiKeyToken - missing test cases for webhook-related permissions that are mentioned in PR title
| describe('generateApiKeyToken', () => { | ||
| it('should throw a permission error when user does not have permission (member role)', async () => { | ||
| const queryData = { | ||
| query: ` | ||
| mutation generateApiKeyToken { | ||
| generateApiKeyToken(apiKeyId: "test-api-key-id", expiresAt: "2025-01-01T00:00:00Z") { | ||
| token | ||
| } | ||
| } | ||
| `, | ||
| }; | ||
|
|
||
| await client | ||
| .post('/graphql') | ||
| .set('Authorization', `Bearer ${MEMBER_ACCESS_TOKEN}`) | ||
| .send(queryData) | ||
| .expect(200) | ||
| .expect((res) => { | ||
| expect(res.body.data).toBeNull(); | ||
| expect(res.body.errors).toBeDefined(); | ||
| expect(res.body.errors[0].message).toBe( | ||
| PermissionsExceptionMessage.PERMISSION_DENIED, | ||
| ); | ||
| expect(res.body.errors[0].extensions.code).toBe(ErrorCode.FORBIDDEN); | ||
| }); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
logic: Missing positive test case to verify admin role can successfully generate API key token
...er/test/integration/metadata/suites/utils/make-metadata-api-request-with-member-role.util.ts
Show resolved
Hide resolved
...est/integration/graphql/suites/settings-permissions/workspace-invitation.integration-spec.ts
Show resolved
Hide resolved
...er/test/integration/metadata/suites/utils/make-metadata-api-request-with-member-role.util.ts
Show resolved
Hide resolved
...est/integration/graphql/suites/settings-permissions/workspace-invitation.integration-spec.ts
Show resolved
Hide resolved
Adding permission gates on all workspace-invitations endpoints: sendInvitation, resendInvitation, deleteWorkspaceInvitation, findWorkspaceInvitations (the latter being from my understanding only used to list the invitations to then re-send them or detee them).