mirror of https://github.com/twentyhq/twenty.git synced 2026-06-11 17:37:18 -04:00

Go to file

Félix Malfait ce2d77be2a feat(server): in-app server-level admin management (#19785 ) (#21321 )

## Closes #19785

In-app management of **server-level admin rights**
(`canAccessFullAdminPanel`, `canImpersonate`) so self-hosters no longer
need raw SQL + a Redis flush + restart to grant access.

> **Draft** — feature complete; `/code-review` + `/security-review` run
and addressed.

### Background
`AdminPanelGuard` / `ServerLevelImpersonateGuard` read
`request.user.{canAccessFullAdminPanel,canImpersonate}`, hydrated each
request from `CoreEntityCacheService.get('user', …)` (local 30-min +
Redis no-TTL). The cache was only invalidated on soft-delete, so a raw
`UPDATE core."user"` never took effect. The **first** signup auto-gets
both flags; every subsequent admin previously needed raw SQL.

### UX
- **Admin Panel → General → Administrators**: a read-only overview of
every user with server-level access; each row links to that user's admin
page.
- **Find anyone** via the user search (Recent Users) — available to full
admins and impersonators — then open their **admin user page**.
- On the user page, an **"Administrator access"** card (gated on
`canAccessFullAdminPanel`) has two toggles — *Full admin panel access*
and *Impersonation* — that work for **any** user (a user with no access
shows both off). Mirrors how **Impersonate** already works (find user →
user page → act). Each change opens a confirm dialog with a **2FA code**
field; the last full admin's toggle is disabled.

### Backend / security
- **Cache fix** — invalidate the user entity cache on committed user
updates (not just soft-delete) so privilege changes propagate (~100 ms,
cluster-wide) with no restart.
- `getServerAdmins` query + `updateServerAdminAccess` mutation (any
`targetUserId`), gated on `canAccessFullAdminPanel`.
- `NoImpersonationGuard` on both — an impersonated full-admin session
can't be used to escalate an impersonator.
- Fresh **2FA TOTP step-up** (enrolled+verified method **and** a fresh
code; genuine 2FA errors surface; dev-skip on trusted `NODE_ENV`).
- **Last-admin lockout** in a transaction with a pessimistic row lock
(no TOCTOU).
- **Email-to-all-admins + affected user** (rendered once per locale),
structured log, audit event-log emit.
- **Authorization**: the read-only `userLookupAdminPanel` +
`adminPanelRecentUsers` lookups now accept `canAccessFullAdminPanel OR
canImpersonate` (new `AdminPanelOrImpersonateGuard`), so a full admin
without impersonate can still find users to manage.
Workspace/impersonation queries stay impersonate-gated.

### Reviews
- `/code-review` (max effort): 3 security findings
(impersonation-escalation sink, lockout TOCTOU, step-up accepting
PENDING 2FA) — **all fixed**. `/simplify`: applied. `/security-review`:
**no high/medium vulnerabilities**.

### Follow-ups (not in this PR)
- Unit tests for `AdminPanelServerAdminService` + a frontend test.
- Point the self-host troubleshooting docs at the new UI.
- OTP retry UX: `ConfirmationModal` closes on confirm, so a wrong code
needs a reopen (kept to reuse the existing modal; no new pattern).

### Notes for reviewers
- `generated-admin/graphql.ts` entries were hand-added to match codegen
output (admin codegen needs a running server); re-run `nx
graphql:generate twenty-front --configuration=admin` to confirm parity.
- First-admin bootstrap (first signup) is unchanged.

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>

2026-06-10 06:50:25 +02:00

.cursor

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

.github

Rename twenty-ui to twenty-ui-deprecated and twenty-new-ui to twenty-ui to prepare package release (#21315 )

2026-06-08 18:12:28 +02:00

.vscode

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

.yarn

Refactor dependency graph for SDK, client-sdk and create-app (#18963 )

2026-03-26 10:56:52 +00:00

packages

feat(server): in-app server-level admin management (#19785 ) (#21321 )

2026-06-10 06:50:25 +02:00

.dockerignore

Scaffold light twenty app dev container (#18734 )

2026-03-18 20:10:54 +01:00

.gitattributes

Consolidate Prettier config and improve consistency (#15191 )

2025-10-18 12:24:35 +02:00

.gitignore

feat(ci): integrate Argos visual regression via vitest screenshots (#21210 )

2026-06-04 08:46:37 +02:00

.mcp.json

Fix AI chat re-renders and refactored code (#18585 )

2026-03-21 12:52:21 +00:00

.nvmrc

fix(docker): bump Node 24.16.0 (OpenSSL fix), strip unused cruft, dedupe node-forge (#21322 )

2026-06-08 18:03:21 +02:00

.oxfmtrc.jsonc

lint: migrate prettier to oxfmt (#20783 )

2026-05-22 00:21:33 +02:00

.yarnrc.yml

i18n - translations (#20801 )

2026-05-21 13:35:35 +02:00

CLAUDE.md

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

DESIGN.md

feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127 )

2026-06-02 10:32:54 +00:00

jest.preset.js

Move tools/eslint-rules to packages/twenty-eslint-rules (#17203 )

2026-01-17 07:37:17 +01:00

LICENSE

feat(sso): allow to use OIDC and SAML (#7246 )

2024-10-21 20:07:08 +02:00

nx.json

chore: remove Chromatic dependencies and configuration (#21221 )

2026-06-04 13:15:23 +00:00

package.json

chore(deps): upgrade tar to v7, evict vulnerable tar@6.2.1 (CVE-2026-24842) (#21341 )

2026-06-08 20:48:44 +02:00

PRODUCT.md

feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127 )

2026-06-02 10:32:54 +00:00

README.md

fix: add missing space in README heading (#21271 )

2026-06-06 10:41:16 +02:00

tsconfig.base.json

Revert "[hacktoberfest] feat: add fireflies" (#15589 )

2025-11-04 12:25:23 +01:00

yarn.config.cjs

[ENHC] Create Yarn constraints to validate node version (#10542 )

2025-02-27 15:18:07 +01:00

yarn.lock

security: clear fast-uri + fast-xml-parser High alerts (lockfile only) (#21379 )

2026-06-09 19:11:29 +02:00

README.md

The #1 Open-Source CRM

Website · Documentation · Roadmap · Discord · Figma

Why Twenty

Twenty gives technical teams the building blocks for a custom CRM that meets complex business needs and quickly adapts as the business evolves. Twenty is the CRM you build, ship, and version like the rest of your stack.

Learn more about why we built Twenty

Installation

Cloud

The fastest way to get started. Sign up at twenty.com and spin up a workspace in under a minute, with no infrastructure to manage and always up to date.

Build an app

Scaffold a new app with the Twenty CLI:

npx create-twenty-app my-app

Define objects, fields, and views as code:

import { defineObject, FieldType } from 'twenty-sdk/define';

export default defineObject({
  nameSingular: 'deal',
  namePlural: 'deals',
  labelSingular: 'Deal',
  labelPlural: 'Deals',
  fields: [
    { name: 'name', label: 'Name', type: FieldType.TEXT },
    { name: 'amount', label: 'Amount', type: FieldType.CURRENCY },
    { name: 'closeDate', label: 'Close Date', type: FieldType.DATE_TIME },
  ],
});

Then ship it to your workspace:

npx twenty app:publish --private

See the app development guide for objects, views, agents, and logic functions.

Self-hosting

Run Twenty on your own infrastructure with Docker Compose, or contribute locally via the local setup guide.

Everything you need

Twenty gives you the building blocks of a modern CRM (objects, views, workflows, and agents) and lets you extend them as code. Here's a tour of what's in the box.

Want to go deeper? Read the User Guide for product walkthroughs, or the Documentation for developer reference.

Learn more about apps in doc	Learn more about version control in doc
Learn more about primitives in doc	Learn more about layouts in doc
Learn more about AI in doc	Learn more about CRM features in doc