WIP - field level permission

2025-12-30 05:54:56 +01:00
parent 56c0c3838d
commit d15fc918d1
8 changed files with 357 additions and 18 deletions
--- a/backend/src/object/object.service.ts
+++ b/backend/src/object/object.service.ts
@@ -583,7 +583,10 @@ export class ObjectService {
      throw new NotFoundException('Record not found');
    }
    
-    return record;
+    // Filter fields based on field-level permissions
+    const filteredRecord = await this.authService.filterReadableFields(record, objectDefModel.fields, user);
+    
+    return filteredRecord;
  }

  async createRecord(
@@ -738,4 +741,57 @@ export class ObjectService {
    
    return { success: true };
  }
+
+  async getFieldPermissions(tenantId: string, objectId: string) {
+    const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
+    const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
+    
+    // Get all field permissions for this object's fields
+    const permissions = await knex('role_field_permissions as rfp')
+      .join('field_definitions as fd', 'fd.id', 'rfp.fieldDefinitionId')
+      .where('fd.objectDefinitionId', objectId)
+      .select('rfp.*');
+    
+    return permissions;
+  }
+
+  async updateFieldPermission(
+    tenantId: string,
+    roleId: string,
+    fieldDefinitionId: string,
+    canRead: boolean,
+    canEdit: boolean,
+  ) {
+    const resolvedTenantId = await this.tenantDbService.resolveTenantId(tenantId);
+    const knex = await this.tenantDbService.getTenantKnexById(resolvedTenantId);
+    
+    // Check if permission already exists
+    const existing = await knex('role_field_permissions')
+      .where({ roleId, fieldDefinitionId })
+      .first();
+    
+    if (existing) {
+      // Update existing permission
+      await knex('role_field_permissions')
+        .where({ roleId, fieldDefinitionId })
+        .update({
+          canRead,
+          canEdit,
+          updated_at: knex.fn.now(),
+        });
+    } else {
+      // Create new permission
+      await knex('role_field_permissions').insert({
+        id: knex.raw('(UUID())'),
+        roleId,
+        fieldDefinitionId,
+        canRead,
+        canEdit,
+        created_at: knex.fn.now(),
+        updated_at: knex.fn.now(),
+      });
+    }
+    
+    return { success: true };
+  }
 }