mirror of https://github.com/twentyhq/twenty.git synced 2026-06-12 18:08:58 -04:00

Go to file

Charles Bochet ee6fcdbec2 fix(front): show readable targets in morph relation picker (#21513 )

## Problem

The **morph relation picker is broken** when the user does not have read
permission on *every* object a morph relation can point to.

A morph (polymorphic) relation can target several objects. The
single-record picker passed **all** of those target objects to the
`search` query via `includedObjectNameSingulars`. The backend runs the
per-object searches inside a single `Promise.all`, so if **one** target
object is forbidden, the whole search rejects and the picker shows **"No
records found"** — even for the target objects the user *can* read.

This makes the morph relation picker unusable in any workspace where a
role restricts read access to one of the morph targets (e.g. the demo
workspace's `Object-restricted` role, which denies reading `Rocket` —
the picker for a Pet's polymorphic owner then shows nothing, hiding the
readable `Survey result` records too).

## Fix

Filter the searched target objects down to the ones the current user is
allowed to read before querying, in
`useSingleRecordPickerPerformSearch`. This mirrors what the
multiple-record picker (`useMultipleRecordPickerPerformSearch`) already
does via `filteredSearchableObjectMetadataItems`.

For a normal (single-target) relation this is a no-op; for a morph
relation the picker now lists records from every target the user can
read and silently skips the forbidden ones.

## Test

Added `useSingleRecordPickerPerformSearch.test.tsx`:
- excludes morph target objects the user cannot read from the search
- keeps all targets when the user can read all of them

## Verification

Reproduced locally on a Pet's "Polymorphic Owner" morph relation
(targets `Rocket` + `Survey result`) with `Rocket` read denied:
- **Before:** picker shows "No records found".
- **After:** picker lists the readable `Survey result` records and omits
the `Rocket` ones.

<!-- This is an auto-generated description by cubic. -->
<a
href="https://cubic.dev/pr/twentyhq/twenty/pull/21513?utm_source=github"
target="_blank" rel="noopener noreferrer"
data-no-image-dialog="true"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img
alt="Review in cubic"
src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a>
<!-- End of auto-generated description by cubic. -->

2026-06-12 23:28:50 +02:00

.cursor

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

.github

fix(ci): bump claude-code-action to v1.0.146 (CVE-2026-47751) (#21499 )

2026-06-12 18:07:57 +02:00

.vscode

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

.yarn

fix(metadata): nestjs-query batched relation queries truncate results across parents (#21455 )

2026-06-11 16:39:14 +02:00

packages

fix(front): show readable targets in morph relation picker (#21513 )

2026-06-12 23:28:50 +02:00

.dockerignore

Scaffold light twenty app dev container (#18734 )

2026-03-18 20:10:54 +01:00

.gitattributes

Consolidate Prettier config and improve consistency (#15191 )

2025-10-18 12:24:35 +02:00

.gitignore

Add last contact twenty app (#21464 )

2026-06-12 13:42:18 +00:00

.mcp.json

Fix AI chat re-renders and refactored code (#18585 )

2026-03-21 12:52:21 +00:00

.nvmrc

fix(docker): bump Node 24.16.0 (OpenSSL fix), strip unused cruft, dedupe node-forge (#21322 )

2026-06-08 18:03:21 +02:00

.oxfmtrc.jsonc

lint: migrate prettier to oxfmt (#20783 )

2026-05-22 00:21:33 +02:00

.yarnrc.yml

fix(deps): bump esbuild to 0.28.1 to fix GHSA-g7r4-m6w7-qqqr (#21515 )

2026-06-12 23:26:22 +02:00

CLAUDE.md

chore(website): rename twenty-website-new → twenty-website (#20745 )

2026-05-19 23:42:09 +02:00

DESIGN.md

feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127 )

2026-06-02 10:32:54 +00:00

jest.preset.js

Move tools/eslint-rules to packages/twenty-eslint-rules (#17203 )

2026-01-17 07:37:17 +01:00

LICENSE

feat(sso): allow to use OIDC and SAML (#7246 )

2024-10-21 20:07:08 +02:00

nx.json

Migrate twenty UI (#21407 )

2026-06-11 11:02:28 +02:00

package.json

fix(deps): bump esbuild to 0.28.1 to fix GHSA-g7r4-m6w7-qqqr (#21515 )

2026-06-12 23:26:22 +02:00

PRODUCT.md

feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127 )

2026-06-02 10:32:54 +00:00

README.md

fix: add missing space in README heading (#21271 )

2026-06-06 10:41:16 +02:00

tsconfig.base.json

Revert "[hacktoberfest] feat: add fireflies" (#15589 )

2025-11-04 12:25:23 +01:00

yarn.config.cjs

[ENHC] Create Yarn constraints to validate node version (#10542 )

2025-02-27 15:18:07 +01:00

yarn.lock

fix(deps): bump esbuild to 0.28.1 to fix GHSA-g7r4-m6w7-qqqr (#21515 )

2026-06-12 23:26:22 +02:00

README.md

The #1 Open-Source CRM

Website · Documentation · Roadmap · Discord · Figma

Why Twenty

Twenty gives technical teams the building blocks for a custom CRM that meets complex business needs and quickly adapts as the business evolves. Twenty is the CRM you build, ship, and version like the rest of your stack.

Learn more about why we built Twenty

Installation

Cloud

The fastest way to get started. Sign up at twenty.com and spin up a workspace in under a minute, with no infrastructure to manage and always up to date.

Build an app

Scaffold a new app with the Twenty CLI:

npx create-twenty-app my-app

Define objects, fields, and views as code:

import { defineObject, FieldType } from 'twenty-sdk/define';

export default defineObject({
  nameSingular: 'deal',
  namePlural: 'deals',
  labelSingular: 'Deal',
  labelPlural: 'Deals',
  fields: [
    { name: 'name', label: 'Name', type: FieldType.TEXT },
    { name: 'amount', label: 'Amount', type: FieldType.CURRENCY },
    { name: 'closeDate', label: 'Close Date', type: FieldType.DATE_TIME },
  ],
});

Then ship it to your workspace:

npx twenty app:publish --private

See the app development guide for objects, views, agents, and logic functions.

Self-hosting

Run Twenty on your own infrastructure with Docker Compose, or contribute locally via the local setup guide.

Everything you need

Twenty gives you the building blocks of a modern CRM (objects, views, workflows, and agents) and lets you extend them as code. Here's a tour of what's in the box.

Want to go deeper? Read the User Guide for product walkthroughs, or the Documentation for developer reference.

Learn more about apps in doc	Learn more about version control in doc
Learn more about primitives in doc	Learn more about layouts in doc
Learn more about AI in doc	Learn more about CRM features in doc