Backport DisablePermissionCheck constant from next (#2129)

See #1877 --------- Co-authored-by: Johannes Obermair <48853629+johnnyomair@users.noreply.github.com> Co-authored-by: Thomas Dax <thomas.dax@vivid-planet.com>
vivid-planet · Jun 4, 2024 · 0597b1e · 0597b1e
1 parent dc7eaec
commit 0597b1e
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 5 deletions.
diff --git a/.changeset/wild-suns-eat.md b/.changeset/wild-suns-eat.md
@@ -0,0 +1,7 @@
+---
+"@comet/cms-api": minor
+---
+
+Add `DisablePermissionCheck` constant for use in `@RequiredPermission` decorator
+
+You can disable authorization for a resolver or operation by adding the decorator `@RequiredPermission(DisablePermissionCheck)`
diff --git a/packages/api/cms-api/src/auth/resolver/auth.resolver.ts b/packages/api/cms-api/src/auth/resolver/auth.resolver.ts
@@ -3,9 +3,9 @@ import { Context, Mutation, Query, Resolver } from "@nestjs/graphql";
 import { IncomingMessage } from "http";
 
 import { SkipBuild } from "../../builds/skip-build.decorator";
+import { DisablePermissionCheck, RequiredPermission } from "../../user-permissions/decorators/required-permission.decorator";
 import { CurrentUser } from "../../user-permissions/dto/current-user";
 import { GetCurrentUser } from "../decorators/get-current-user.decorator";
-import { PublicApi } from "../decorators/public-api.decorator";
 
 interface AuthResolverConfig {
     currentUser?: Type<CurrentUser>; // TODO Remove in future version as it is not used and here for backwards compatibility
@@ -15,7 +15,7 @@ interface AuthResolverConfig {
 
 export function createAuthResolver(config?: AuthResolverConfig): Type<unknown> {
     @Resolver(() => CurrentUser)
-    @PublicApi()
+    @RequiredPermission(DisablePermissionCheck)
     class AuthResolver {
         @Query(() => CurrentUser)
         async currentUser(@GetCurrentUser() user: CurrentUser): Promise<CurrentUser> {

diff --git a/packages/api/cms-api/src/user-permissions/auth/user-permissions.guard.ts b/packages/api/cms-api/src/user-permissions/auth/user-permissions.guard.ts
@@ -3,7 +3,7 @@ import { Reflector } from "@nestjs/core";
 import { GqlContextType, GqlExecutionContext } from "@nestjs/graphql";
 
 import { ContentScopeService } from "../content-scope.service";
-import { RequiredPermissionMetadata } from "../decorators/required-permission.decorator";
+import { DisablePermissionCheck, RequiredPermissionMetadata } from "../decorators/required-permission.decorator";
 import { CurrentUser } from "../dto/current-user";
 import { ACCESS_CONTROL_SERVICE } from "../user-permissions.constants";
 import { AccessControlServiceInterface, SystemUser } from "../user-permissions.types";
@@ -32,6 +32,7 @@ export class UserPermissionsGuard implements CanActivate {
         if (!requiredPermission && this.isResolvingGraphQLField(context)) return true;
         if (!requiredPermission) throw new Error(`RequiredPermission decorator is missing in ${location}`);
         const requiredPermissions = requiredPermission.requiredPermission;
+        if (requiredPermissions.includes(DisablePermissionCheck)) return true;
         if (requiredPermissions.length === 0) throw new Error(`RequiredPermission decorator has empty permissions in ${location}`);
         if (this.isResolvingGraphQLField(context) || requiredPermission.options?.skipScopeCheck) {
             // At least one permission is required

diff --git a/packages/api/cms-api/src/user-permissions/decorators/required-permission.decorator.ts b/packages/api/cms-api/src/user-permissions/decorators/required-permission.decorator.ts
@@ -9,7 +9,12 @@ export type RequiredPermissionMetadata = {
     options: RequiredPermissionOptions | undefined;
 };
 
-export const RequiredPermission = (requiredPermission: string | string[], options?: RequiredPermissionOptions): CustomDecorator<string> => {
+export const DisablePermissionCheck = "disablePermissionCheck";
+
+export const RequiredPermission = (
+    requiredPermission: string | string[] | "disablePermissionCheck",
+    options?: RequiredPermissionOptions,
+): CustomDecorator<string> => {
     return SetMetadata<string, RequiredPermissionMetadata>("requiredPermission", {
         requiredPermission: Array.isArray(requiredPermission) ? requiredPermission : [requiredPermission],
         options,

diff --git a/packages/api/cms-api/src/user-permissions/user-permissions.service.ts b/packages/api/cms-api/src/user-permissions/user-permissions.service.ts
@@ -7,7 +7,7 @@ import { JwtPayload } from "jsonwebtoken";
 import isEqual from "lodash.isequal";
 import getUuid from "uuid-by-string";
 
-import { RequiredPermissionMetadata } from "./decorators/required-permission.decorator";
+import { DisablePermissionCheck, RequiredPermissionMetadata } from "./decorators/required-permission.decorator";
 import { CurrentUser } from "./dto/current-user";
 import { FindUsersArgs } from "./dto/paginated-user-list";
 import { UserContentScopes } from "./entities/user-content-scopes.entity";
@@ -53,6 +53,7 @@ export class UserPermissionsService {
                     ...(await this.discoveryService.controllersWithMetaAtKey<RequiredPermissionMetadata>("requiredPermission")),
                 ]
                     .flatMap((p) => p.meta.requiredPermission)
+                    .filter((p) => p !== DisablePermissionCheck)
                     .sort(),
             ),
         ];