GZY-437: Restrict task visibility to employee’s own projects in ERP (#117)

* feat: enforce consistent project visibility rules across roles

- This change enforces a consistent project-visibility rule across the system, ensuring that both
Managers and Employees follow the same assigned-projects restriction.

- The previous behavior allowed Managers to see all projects by default, which conflicted with the
intended access-control model and caused inconsistencies in how visibility rules were applied
across different endpoints.

- To maintain coherence with the platform's permission model and avoid privilege gaps between
roles, the assigned-projects rule was formally applied to Employees as well.

- Backend services that return projects or project-related tasks were updated to ensure permission
checks are applied uniformly, preventing accidental exposure of unassigned projects.

- A migration was added to guarantee that roles have the correct permission associations, avoiding
environments where outdated role-permission links could break the new visibility logic.

- Minor frontend adjustments were made to fix the employee filter in the project-management
dashboard, since incorrect parameter mapping caused the API to receive invalid filter values and
could misapply visibility rules.

* revert: changes in TenantAwareCrudService

This change was reverted because it was outside the scope of the current task.

* chore: revert task service changes

- Reverts changes in task service because it are out of scope for this PR.

* fix: handle null organizationSprintId in task filtering

- Updated the task service to treat 'null' as a valid case for setting
  organizationSprintId to null in the filter options.

Author: vestefano

apps/gauzy/src/app/pages/dashboard/project-management/project-management-details/project-management-details.component.ts

@@ -23,10 +23,10 @@ import { MyTaskDialogComponent } from '../../../tasks/components/my-task-dialog/
 
 @UntilDestroy({ checkProperties: true })
 @Component({
-    selector: 'gauzy-project-management-details',
-    templateUrl: './project-management-details.component.html',
-    styleUrls: ['./project-management-details.component.scss'],
-    standalone: false
+	selector: 'gauzy-project-management-details',
+	templateUrl: './project-management-details.component.html',
+	styleUrls: ['./project-management-details.component.scss'],
+	standalone: false
 })
 export class ProjectManagementDetailsComponent extends PaginationFilterBaseComponent implements OnInit, OnDestroy {
 	private _smartTableSource: ServerDataSource;
@@ -109,7 +109,7 @@ export class ProjectManagementDetailsComponent extends PaginationFilterBaseCompo
 			where: {
 				organizationId,
 				tenantId,
-				...(this.selectedEmployeeId ? { employeeId: this.selectedEmployeeId } : {}),
+				...(this.selectedEmployeeId ? { members: { id: this.selectedEmployeeId } } : {}),
 				...(this.selectedProjectId ? { projectId: this.selectedProjectId } : {}),
 				...(this.filters.where ? this.filters.where : {})
 			}
@@ -237,5 +237,7 @@ export class ProjectManagementDetailsComponent extends PaginationFilterBaseCompo
 		this._router.navigate(['/pages/tasks/me']);
 	}
 
-	ngOnDestroy(): void {}
+	ngOnDestroy(): void {
+		// No cleanup needed - subscriptions are handled by async pipe
+	}
 }

packages/core/src/lib/database/migrations/1763105402336-MigrateRolePermissions.ts

@@ -0,0 +1,31 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import * as chalk from 'chalk';
+import { DatabaseTypeEnum } from '@gauzy/config';
+import { RolePermissionUtils } from '../../role-permission/utils';
+
+export class MigrateRolePermissions1763105402336 implements MigrationInterface {
+	name = 'MigrateRolePermissions1763105402336';
+
+	public async up(queryRunner: QueryRunner): Promise<void> {
+		console.log(chalk.yellow(`${this.constructor.name} start running!`));
+
+		switch (queryRunner.connection.options.type) {
+			case DatabaseTypeEnum.sqlite:
+			case DatabaseTypeEnum.betterSqlite3:
+			case DatabaseTypeEnum.postgres:
+			case DatabaseTypeEnum.mysql:
+				try {
+					await RolePermissionUtils.migrateRolePermissions(queryRunner);
+				} catch (error) {
+					console.log(chalk.red(`Error while migrating missing role permisions: ${error}`));
+				}
+				break;
+			default:
+				throw Error(`Unsupported database: ${queryRunner.connection.options.type}`);
+		}
+	}
+
+	public async down(queryRunner: QueryRunner): Promise<void> {
+		// This migration cannot be reverted - permission changes are data-dependent
+	}
+}

packages/core/src/lib/organization-project/organization-project.service.ts

@@ -16,7 +16,8 @@ import {
 	IPagination,
 	RolesEnum,
 	EntitySubscriptionTypeEnum,
-	ITimeLog
+	ITimeLog,
+	PermissionsEnum
 } from '@gauzy/contracts';
 import { getConfig } from '@gauzy/config';
 import { CustomEmbeddedFieldConfig } from '@gauzy/common';
@@ -445,6 +446,37 @@ export class OrganizationProjectService extends TenantAwareCrudService<Organizat
 			query.andWhere(`project_team.id = :organizationTeamId`, { organizationTeamId });
 		}
 
+		const userEmployeeId = RequestContext.currentUser().employeeId;
+		if (
+			employeeId !== userEmployeeId &&
+			RequestContext.hasPermission(PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY)
+		) {
+			query.andWhere((qb: SelectQueryBuilder<OrganizationProject>) => {
+				const subQuery = qb.subQuery();
+				subQuery
+					.select(p('"project"."id" AS "id"'))
+					.from('organization_project', 'project')
+					.innerJoin('project.members', 'project_members');
+
+				subQuery
+					.where(p('"project_members"."employeeId" = :userEmployeeId'), { userEmployeeId })
+					.andWhere(p('"project"."tenantId" = :tenantId'), { tenantId })
+					.andWhere(p('"project"."organizationId" = :organizationId'), { organizationId });
+
+				if (isNotEmpty(organizationContactId)) {
+					subQuery.andWhere(p('"project"."organizationContactId" = :organizationContactId'), {
+						organizationContactId
+					});
+				}
+
+				if (isNotEmpty(organizationTeamId)) {
+					subQuery.andWhere(p('"project_team"."id" = :organizationTeamId'), { organizationTeamId });
+				}
+
+				return p(`"${query.alias}"."id" IN `) + subQuery.distinct(true).getQuery();
+			});
+		}
+
 		// Get the results
 		return query.getMany();
 	}
@@ -461,6 +493,15 @@ export class OrganizationProjectService extends TenantAwareCrudService<Organizat
 			options.where.organizationContactId = IsNull();
 		}
 
+		const userEmployeeId = RequestContext.currentUser().employeeId;
+		if (isNotEmpty(userEmployeeId) && RequestContext.hasPermission(PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY)) {
+			options.where.members = {
+				employee: {
+					id: userEmployeeId
+				}
+			};
+		}
+
 		// Call the parent class's findAll method with the modified options
 		return super.findAll(options);
 	}
@@ -527,6 +568,17 @@ export class OrganizationProjectService extends TenantAwareCrudService<Organizat
 			}
 		}
 
+		if (RequestContext.hasPermission(PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY)) {
+			const employeeAssignedProjects = await this.typeOrmOrganizationProjectEmployeeRepository.find({
+				where: {
+					employeeId: RequestContext.currentUser().employeeId,
+					organizationId: options.where.organizationId
+				}
+			});
+
+			options.where.id = In(employeeAssignedProjects.map((employee) => employee.organizationProjectId));
+		}
+
 		// Call the parent class's paginate method with the modified options
 		return super.paginate(options);
 	}

packages/core/src/lib/role-permission/default-role-permissions.ts

@@ -500,6 +500,7 @@ export const DEFAULT_ROLE_PERMISSIONS = [
 			PermissionsEnum.PROJECT_MODULE_READ,
 			PermissionsEnum.PROJECT_MODULE_UPDATE,
 			PermissionsEnum.PROJECT_MODULE_DELETE,
+			PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY,
 			/** Dashboard */
 			PermissionsEnum.DASHBOARD_CREATE,
 			PermissionsEnum.DASHBOARD_READ,
@@ -569,7 +570,83 @@ export const DEFAULT_ROLE_PERMISSIONS = [
 	},
 	{
 		role: RolesEnum.MANAGER,
-		defaultEnabledPermissions: [PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY]
+		defaultEnabledPermissions: [
+			/** Dashboards */
+			PermissionsEnum.TEAM_DASHBOARD,
+			PermissionsEnum.PROJECT_MANAGEMENT_DASHBOARD,
+			PermissionsEnum.TIME_TRACKING_DASHBOARD,
+			PermissionsEnum.DASHBOARD_READ,
+			/** Employee Selection */
+			PermissionsEnum.SELECT_EMPLOYEE,
+			PermissionsEnum.CHANGE_SELECTED_EMPLOYEE,
+			PermissionsEnum.CHANGE_SELECTED_ORGANIZATION,
+			PermissionsEnum.ORG_EMPLOYEES_VIEW,
+			/** Tasks */
+			PermissionsEnum.ORG_TASK_ADD,
+			PermissionsEnum.ORG_TASK_VIEW,
+			PermissionsEnum.ORG_TASK_EDIT,
+			PermissionsEnum.ORG_TASK_DELETE,
+			PermissionsEnum.ORG_TASK_SETTING,
+			PermissionsEnum.ORG_TEAM_EDIT_ACTIVE_TASK,
+			/** Time Off */
+			PermissionsEnum.TIME_OFF_ADD,
+			PermissionsEnum.TIME_OFF_VIEW,
+			PermissionsEnum.TIME_OFF_EDIT,
+			PermissionsEnum.TIME_OFF_DELETE,
+			/** Approvals */
+			PermissionsEnum.APPROVAL_POLICY_VIEW,
+			PermissionsEnum.REQUEST_APPROVAL_EDIT,
+			PermissionsEnum.REQUEST_APPROVAL_VIEW,
+			/** Projects */
+			PermissionsEnum.ACCESS_PRIVATE_PROJECTS,
+			PermissionsEnum.ORG_PROJECT_VIEW,
+			PermissionsEnum.ORG_PROJECT_EDIT,
+			PermissionsEnum.VIEW_ASSIGNED_PROJECTS_ONLY,
+			/** Timesheet */
+			PermissionsEnum.TIMESHEET_EDIT_TIME,
+			PermissionsEnum.CAN_APPROVE_TIMESHEET,
+			/** Invoices */
+			PermissionsEnum.INVOICES_VIEW,
+			PermissionsEnum.INVOICES_EDIT,
+			/** Tags */
+			PermissionsEnum.ORG_TAGS_ADD,
+			PermissionsEnum.ORG_TAGS_VIEW,
+			PermissionsEnum.ORG_TAGS_EDIT,
+			PermissionsEnum.ORG_TAGS_DELETE,
+			/** Sprints */
+			PermissionsEnum.ORG_SPRINT_ADD,
+			PermissionsEnum.ORG_SPRINT_EDIT,
+			PermissionsEnum.ORG_SPRINT_VIEW,
+			PermissionsEnum.ORG_SPRINT_DELETE,
+			/** Contacts */
+			PermissionsEnum.ORG_CONTACT_VIEW,
+			/** Daily Plans */
+			PermissionsEnum.DAILY_PLAN_CREATE,
+			PermissionsEnum.DAILY_PLAN_READ,
+			PermissionsEnum.DAILY_PLAN_UPDATE,
+			PermissionsEnum.DAILY_PLAN_DELETE,
+			/** Project Modules */
+			PermissionsEnum.PROJECT_MODULE_CREATE,
+			PermissionsEnum.PROJECT_MODULE_READ,
+			PermissionsEnum.PROJECT_MODULE_UPDATE,
+			PermissionsEnum.PROJECT_MODULE_DELETE,
+			/** Teams */
+			PermissionsEnum.ORG_TEAM_ADD,
+			PermissionsEnum.ORG_TEAM_VIEW,
+			PermissionsEnum.ORG_TEAM_EDIT,
+			PermissionsEnum.ORG_TEAM_JOIN_REQUEST_VIEW,
+			PermissionsEnum.ORG_TEAM_JOIN_REQUEST_EDIT,
+			/** Other */
+			PermissionsEnum.EVENT_TYPES_VIEW,
+			PermissionsEnum.TIME_TRACKER,
+			PermissionsEnum.MEDIA_GALLERY_VIEW,
+			PermissionsEnum.EQUIPMENT_APPROVE_REQUEST,
+			/** Time Management */
+			PermissionsEnum.ALLOW_DELETE_TIME,
+			PermissionsEnum.ALLOW_MODIFY_TIME,
+			PermissionsEnum.ALLOW_MANUAL_TIME,
+			PermissionsEnum.DELETE_SCREENSHOTS
+		]
 	},
 	{
 		role: RolesEnum.VIEWER,