[permissions] Filter tabs + registered actions according to permissions (twentyhq#12657)

ijreilly · charlesBochet · web-flow · commit da5ae341096f · 2025-06-18T15:12:58.000Z
Note and task tabs in side panel should only show if user has reading permission on them. "Go to companies", "Go to workflows", etc. in command menu should only show is user has reading permission on related objects. <img width="507" alt="Capture d’écran 2025-06-17 à 11 09 50" src="https://github.com/user-attachments/assets/3a2a4c25-0b9b-4ee6-b18f-b019b8a56d47" /> <img width="505" alt="Capture d’écran 2025-06-17 à 11 09 56" src="https://github.com/user-attachments/assets/8a219955-cc8e-4dbf-a4f9-a50e1aaa4b59" /> **How to test** Assign a user with a custom role that has **no** read permissions on notes/tasks/workflows/companies/opportunities/people (no need to test them all but at least one between note and tasks; workflows; one between companies/opportunities/people). Check that you don't see the related tab / action. --------- Co-authored-by: Charles Bochet <charles@twenty.com>
diff --git a/packages/twenty-front/src/modules/action-menu/actions/record-actions/constants/DefaultRecordActionsConfig.tsx b/packages/twenty-front/src/modules/action-menu/actions/record-actions/constants/DefaultRecordActionsConfig.tsx
@@ -410,7 +410,13 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
     Icon: IconSettingsAutomation,
     accent: 'default',
     isPinned: false,
-    shouldBeRegistered: ({ objectMetadataItem, viewType, isWorkflowEnabled }) =>
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      isWorkflowEnabled,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Workflow) === true &&
       (objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Workflow ||
         viewType === ActionViewType.SHOW_PAGE) &&
       isWorkflowEnabled,
@@ -443,9 +449,14 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
       ActionViewType.INDEX_PAGE_BULK_SELECTION,
       ActionViewType.SHOW_PAGE,
     ],
-    shouldBeRegistered: ({ objectMetadataItem, viewType }) =>
-      objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Person ||
-      viewType === ActionViewType.SHOW_PAGE,
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Person) === true &&
+      (objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Person ||
+        viewType === ActionViewType.SHOW_PAGE),
     component: (
       <ActionLink
         to={AppPath.RecordIndexPage}
@@ -469,9 +480,14 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
       ActionViewType.INDEX_PAGE_BULK_SELECTION,
       ActionViewType.SHOW_PAGE,
     ],
-    shouldBeRegistered: ({ objectMetadataItem, viewType }) =>
-      objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Company ||
-      viewType === ActionViewType.SHOW_PAGE,
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Company) === true &&
+      (objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Company ||
+        viewType === ActionViewType.SHOW_PAGE),
     component: (
       <ActionLink
         to={AppPath.RecordIndexPage}
@@ -495,9 +511,16 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
       ActionViewType.INDEX_PAGE_BULK_SELECTION,
       ActionViewType.SHOW_PAGE,
     ],
-    shouldBeRegistered: ({ objectMetadataItem, viewType }) =>
-      objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Opportunity ||
-      viewType === ActionViewType.SHOW_PAGE,
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Opportunity) ===
+        true &&
+      (objectMetadataItem?.nameSingular !==
+        CoreObjectNameSingular.Opportunity ||
+        viewType === ActionViewType.SHOW_PAGE),
     component: (
       <ActionLink
         to={AppPath.RecordIndexPage}
@@ -547,9 +570,14 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
       ActionViewType.INDEX_PAGE_BULK_SELECTION,
       ActionViewType.SHOW_PAGE,
     ],
-    shouldBeRegistered: ({ objectMetadataItem, viewType }) =>
-      objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Task ||
-      viewType === ActionViewType.SHOW_PAGE,
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Task) === true &&
+      (objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Task ||
+        viewType === ActionViewType.SHOW_PAGE),
     component: (
       <ActionLink
         to={AppPath.RecordIndexPage}
@@ -573,9 +601,14 @@ export const DEFAULT_RECORD_ACTIONS_CONFIG: Record<
       ActionViewType.INDEX_PAGE_BULK_SELECTION,
       ActionViewType.SHOW_PAGE,
     ],
-    shouldBeRegistered: ({ objectMetadataItem, viewType }) =>
-      objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Note ||
-      viewType === ActionViewType.SHOW_PAGE,
+    shouldBeRegistered: ({
+      objectMetadataItem,
+      viewType,
+      getTargetObjectReadPermission,
+    }) =>
+      getTargetObjectReadPermission(CoreObjectNameSingular.Note) === true &&
+      (objectMetadataItem?.nameSingular !== CoreObjectNameSingular.Note ||
+        viewType === ActionViewType.SHOW_PAGE),
     component: (
       <ActionLink
         to={AppPath.RecordIndexPage}
diff --git a/packages/twenty-front/src/modules/action-menu/actions/types/ShouldBeRegisteredFunctionParams.ts b/packages/twenty-front/src/modules/action-menu/actions/types/ShouldBeRegisteredFunctionParams.ts
@@ -20,4 +20,7 @@ export type ShouldBeRegisteredFunctionParams = {
   numberOfSelectedRecords?: number;
   workflowWithCurrentVersion?: WorkflowWithCurrentVersion;
   viewType?: ActionViewType;
+  getTargetObjectReadPermission: (
+    objectMetadataItemNameSingular: string,
+  ) => boolean;
 };
diff --git a/packages/twenty-front/src/modules/action-menu/actions/utils/getActionConfig.ts b/packages/twenty-front/src/modules/action-menu/actions/utils/getActionConfig.ts
@@ -7,20 +7,25 @@ import { CoreObjectNameSingular } from '@/object-metadata/types/CoreObjectNameSi
 import { ObjectMetadataItem } from '@/object-metadata/types/ObjectMetadataItem';
 import { isDefined } from 'twenty-shared/utils';
 
-export const getActionConfig = (
-  objectMetadataItem?: ObjectMetadataItem,
-): Record<string, ActionConfig> => {
+export const getActionConfig = ({
+  objectMetadataItem,
+}: {
+  objectMetadataItem?: ObjectMetadataItem;
+}): Record<string, ActionConfig> => {
   if (!isDefined(objectMetadataItem)) {
     return {};
   }
 
   switch (objectMetadataItem.nameSingular) {
-    case CoreObjectNameSingular.Workflow:
+    case CoreObjectNameSingular.Workflow: {
       return WORKFLOW_ACTIONS_CONFIG;
-    case CoreObjectNameSingular.WorkflowVersion:
+    }
+    case CoreObjectNameSingular.WorkflowVersion: {
       return WORKFLOW_VERSIONS_ACTIONS_CONFIG;
-    case CoreObjectNameSingular.WorkflowRun:
+    }
+    case CoreObjectNameSingular.WorkflowRun: {
       return WORKFLOW_RUNS_ACTIONS_CONFIG;
+    }
     default:
       return DEFAULT_RECORD_ACTIONS_CONFIG;
   }
diff --git a/packages/twenty-front/src/modules/action-menu/hooks/useRegisteredActions.ts b/packages/twenty-front/src/modules/action-menu/hooks/useRegisteredActions.ts
@@ -26,7 +26,9 @@ export const useRegisteredActions = (
     contextStoreTargetedRecordsRule,
   );
 
-  const recordActionConfig = getActionConfig(objectMetadataItem);
+  const recordActionConfig = getActionConfig({
+    objectMetadataItem,
+  });
 
   const recordAgnosticActionConfig = RECORD_AGNOSTIC_ACTIONS_CONFIG;
 
diff --git a/packages/twenty-front/src/modules/action-menu/hooks/useShouldActionBeRegisteredParams.ts b/packages/twenty-front/src/modules/action-menu/hooks/useShouldActionBeRegisteredParams.ts
@@ -1,6 +1,7 @@
 import { ShouldBeRegisteredFunctionParams } from '@/action-menu/actions/types/ShouldBeRegisteredFunctionParams';
 import { getActionViewType } from '@/action-menu/actions/utils/getActionViewType';
 import { ActionMenuContext } from '@/action-menu/contexts/ActionMenuContext';
+import { objectPermissionsFamilySelector } from '@/auth/states/objectPermissionsFamilySelector';
 import { contextStoreCurrentViewTypeComponentState } from '@/context-store/states/contextStoreCurrentViewTypeComponentState';
 import { contextStoreNumberOfSelectedRecordsComponentState } from '@/context-store/states/contextStoreNumberOfSelectedRecordsComponentState';
 import { contextStoreTargetedRecordsRuleComponentState } from '@/context-store/states/contextStoreTargetedRecordsRuleComponentState';
@@ -14,7 +15,7 @@ import { isSoftDeleteFilterActiveComponentState } from '@/object-record/record-t
 import { useRecoilComponentValueV2 } from '@/ui/utilities/state/component-state/hooks/useRecoilComponentValueV2';
 import { useIsFeatureEnabled } from '@/workspace/hooks/useIsFeatureEnabled';
 import { useContext } from 'react';
-import { useRecoilValue } from 'recoil';
+import { useRecoilCallback, useRecoilValue } from 'recoil';
 import { FeatureFlagKey } from '~/generated-metadata/graphql';
 
 export const useShouldActionBeRegisteredParams = ({
@@ -77,6 +78,20 @@ export const useShouldActionBeRegisteredParams = ({
     contextStoreTargetedRecordsRule,
   );
 
+  const getObjectReadPermission = useRecoilCallback(
+    ({ snapshot }) =>
+      (objectMetadataNameSingular: string) => {
+        return snapshot
+          .getLoadable(
+            objectPermissionsFamilySelector({
+              objectNameSingular: objectMetadataNameSingular,
+            }),
+          )
+          .getValue().canRead;
+      },
+    [],
+  );
+
   return {
     objectMetadataItem,
     isFavorite,
@@ -89,5 +104,6 @@ export const useShouldActionBeRegisteredParams = ({
     isWorkflowEnabled,
     numberOfSelectedRecords,
     viewType: viewType ?? undefined,
+    getTargetObjectReadPermission: getObjectReadPermission,
   };
 };
diff --git a/packages/twenty-front/src/modules/auth/states/objectPermissionsFamilySelector.ts b/packages/twenty-front/src/modules/auth/states/objectPermissionsFamilySelector.ts
@@ -0,0 +1,37 @@
+import { currentUserWorkspaceState } from '@/auth/states/currentUserWorkspaceState';
+import { objectMetadataItemsState } from '@/object-metadata/states/objectMetadataItemsState';
+import { selectorFamily } from 'recoil';
+
+export const objectPermissionsFamilySelector = selectorFamily<
+  {
+    canRead: boolean;
+  },
+  { objectNameSingular: string }
+>({
+  key: 'objectPermissionsFamilySelector',
+  get:
+    ({ objectNameSingular }) =>
+    ({ get }) => {
+      const currentUserWorkspace = get(currentUserWorkspaceState);
+      const objectMetadataItems = get(objectMetadataItemsState);
+
+      const objectMetadataItem = objectMetadataItems.find(
+        (item) => item.nameSingular === objectNameSingular,
+      );
+
+      if (!objectMetadataItem) {
+        return {
+          canRead: false,
+          canUpdate: false,
+        };
+      }
+
+      const objectPermissions = currentUserWorkspace?.objectPermissions?.find(
+        (permission) => permission.objectMetadataId === objectMetadataItem.id,
+      );
+
+      return {
+        canRead: objectPermissions?.canReadObjectRecords ?? false,
+      };
+    },
+});
diff --git a/packages/twenty-front/src/modules/command-menu/components/__stories__/CommandMenu.stories.tsx b/packages/twenty-front/src/modules/command-menu/components/__stories__/CommandMenu.stories.tsx
@@ -10,11 +10,14 @@ import { SnackBarDecorator } from '~/testing/decorators/SnackBarDecorator';
 import { graphqlMocks } from '~/testing/graphqlMocks';
 import {
   mockCurrentWorkspace,
+  mockedLimitedPermissionsUserData,
+  mockedUserData,
   mockedWorkspaceMemberData,
 } from '~/testing/mock-data/users';
 import { sleep } from '~/utils/sleep';
 
 import { ActionMenuComponentInstanceContext } from '@/action-menu/states/contexts/ActionMenuComponentInstanceContext';
+import { currentUserWorkspaceState } from '@/auth/states/currentUserWorkspaceState';
 import { CommandMenuRouter } from '@/command-menu/components/CommandMenuRouter';
 import { COMMAND_MENU_COMPONENT_INSTANCE_ID } from '@/command-menu/constants/CommandMenuComponentInstanceId';
 import { commandMenuNavigationStackState } from '@/command-menu/states/commandMenuNavigationStackState';
@@ -72,6 +75,9 @@ const meta: Meta<typeof CommandMenu> = {
     I18nFrontDecorator,
     (Story) => {
       const setCurrentWorkspace = useSetRecoilState(currentWorkspaceState);
+      const setCurrentUserWorkspace = useSetRecoilState(
+        currentUserWorkspaceState,
+      );
       const setCurrentWorkspaceMember = useSetRecoilState(
         currentWorkspaceMemberState,
       );
@@ -84,6 +90,8 @@ const meta: Meta<typeof CommandMenu> = {
 
       setCurrentWorkspace(mockCurrentWorkspace);
       setCurrentWorkspaceMember(mockedWorkspaceMemberData);
+      setCurrentUserWorkspace(mockedUserData.currentUserWorkspace);
+
       setIsCommandMenuOpened(true);
       setCommandMenuNavigationStack([
         {
@@ -122,6 +130,29 @@ export const DefaultWithoutSearch: Story = {
   },
 };
 
+export const LimitedPermissions: Story = {
+  play: async () => {
+    const canvas = within(document.body);
+    await expect(canvas.findByText('Go to Opportunities')).rejects.toThrow();
+    await expect(canvas.findByText('Go to Tasks')).rejects.toThrow();
+    expect(await canvas.findByText('Go to People')).toBeVisible();
+    expect(await canvas.findByText('Go to Settings')).toBeVisible();
+    expect(await canvas.findByText('Go to Notes')).toBeVisible();
+  },
+  decorators: [
+    (Story) => {
+      const setCurrentUserWorkspace = useSetRecoilState(
+        currentUserWorkspaceState,
+      );
+      setCurrentUserWorkspace(
+        mockedLimitedPermissionsUserData.currentUserWorkspace,
+      );
+
+      return <Story />;
+    },
+  ],
+};
+
 export const MatchingNavigate: Story = {
   play: async () => {
     const canvas = within(document.body);
diff --git a/packages/twenty-front/src/modules/object-record/record-show/constants/BaseRecordLayout.ts b/packages/twenty-front/src/modules/object-record/record-show/constants/BaseRecordLayout.ts
@@ -44,27 +44,31 @@ export const BASE_RECORD_LAYOUT: RecordLayout = {
       Icon: IconCheckbox,
       position: 300,
       cards: [{ type: CardType.TaskCard }],
+      targetObjectNameSingular: CoreObjectNameSingular.Task,
       hide: {
         ifMobile: false,
         ifDesktop: false,
         ifInRightDrawer: false,
         ifFeaturesDisabled: [],
         ifRequiredObjectsInactive: [CoreObjectNameSingular.Task],
         ifRelationsMissing: ['taskTargets'],
+        ifNoReadPermission: true,
       },
     },
     notes: {
       title: 'Notes',
       Icon: IconNotes,
       position: 400,
       cards: [{ type: CardType.NoteCard }],
+      targetObjectNameSingular: CoreObjectNameSingular.Note,
       hide: {
         ifMobile: false,
         ifDesktop: false,
         ifInRightDrawer: false,
         ifFeaturesDisabled: [],
         ifRequiredObjectsInactive: [CoreObjectNameSingular.Note],
         ifRelationsMissing: ['noteTargets'],
+        ifNoReadPermission: true,
       },
     },
     files: {
diff --git a/packages/twenty-front/src/modules/object-record/record-show/hooks/useRecordShowContainerTabs.ts b/packages/twenty-front/src/modules/object-record/record-show/hooks/useRecordShowContainerTabs.ts
diff --git a/packages/twenty-front/src/modules/ui/layout/tab-list/types/RecordLayoutTab.ts b/packages/twenty-front/src/modules/ui/layout/tab-list/types/RecordLayoutTab.ts
diff --git a/packages/twenty-front/src/modules/ui/layout/tab-list/types/TabVisibilityConfig.ts b/packages/twenty-front/src/modules/ui/layout/tab-list/types/TabVisibilityConfig.ts
diff --git a/packages/twenty-front/src/testing/mock-data/users.ts b/packages/twenty-front/src/testing/mock-data/users.ts
