erxes · batmnkh2344 · Sep 25, 2025 · Sep 29, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/backend/core-api/src/apollo/apolloServer.ts b/backend/core-api/src/apollo/apolloServer.ts
@@ -3,15 +3,15 @@ import { expressMiddleware } from '@apollo/server/express4';
 import { ApolloServerPluginDrainHttpServer } from '@apollo/server/plugin/drainHttpServer';
 import { buildSubgraphSchema } from '@apollo/subgraph';
 import * as dotenv from 'dotenv';
+import { IMainContext } from 'erxes-api-shared/core-types';
 import {
-  generateApolloContext,
   apolloCommonTypes,
-  wrapApolloMutations,
+  generateApolloContext,
+  wrapApolloResolvers,
 } from 'erxes-api-shared/utils';
 import { gql } from 'graphql-tag';
 import { generateModels } from '../connectionResolvers';
 import resolvers from './resolvers';
-import { IMainContext } from 'erxes-api-shared/core-types';
 
 import * as typeDefDetails from './schema/schema';
 // load environment variables
@@ -42,10 +42,7 @@ export const initApolloServer = async (app, httpServer) => {
     schema: buildSubgraphSchema([
       {
         typeDefs: await typeDefs(),
-        resolvers: {
-          ...resolvers,
-          Mutation: wrapApolloMutations(resolvers?.Mutation || {}, ['login']),
-        },
+        resolvers: wrapApolloResolvers(resolvers),
       },
     ]),
     plugins: [ApolloServerPluginDrainHttpServer({ httpServer })],

diff --git a/backend/core-api/src/apollo/resolvers/mutations.ts b/backend/core-api/src/apollo/resolvers/mutations.ts
@@ -18,6 +18,7 @@ import { relationsMutations } from '@/relations/graphql/mutations';
 import { segmentMutations } from '@/segments/graphql/resolvers/mutations';
 import { tagMutations } from '@/tags/graphql/mutations';
 import { notificationMutations } from '~/modules/notifications/graphql/resolver/mutations';
+import { roleMutations } from '~/modules/permissions/graphql/resolvers/mutations/role';
 
 export const mutations = {
   ...contactMutations,
@@ -40,4 +41,5 @@ export const mutations = {
   ...automationMutations,
   ...notificationMutations,
   ...internalNoteMutations,
+  ...roleMutations,
 };
diff --git a/backend/core-api/src/apollo/resolvers/queries.ts b/backend/core-api/src/apollo/resolvers/queries.ts
@@ -20,6 +20,7 @@ import { segmentQueries } from '@/segments/graphql/resolvers';
 import { tagQueries } from '@/tags/graphql/queries';
 
 import { notificationQueries } from '@/notifications/graphql/resolver/queries';
+import { roleQueries } from '@/permissions/graphql/resolvers/queries/role';
 
 export const queries = {
   ...contactQueries,
@@ -43,4 +44,5 @@ export const queries = {
   ...logQueries,
   ...notificationQueries,
   ...internalNoteQueries,
+  ...roleQueries,
 };
diff --git a/backend/core-api/src/apollo/resolvers/resolvers.ts b/backend/core-api/src/apollo/resolvers/resolvers.ts
@@ -3,13 +3,14 @@ import contactResolvers from '@/contacts/graphql/resolvers/customResolvers';
 import documentResolvers from '@/documents/graphql/customResolvers';
 import internalNoteResolvers from '@/internalNote/graphql/customResolvers';
 import logResolvers from '@/logs/graphql/resolvers/customResolvers';
+import notificationResolvers from '@/notifications/graphql/customResolvers';
 import brandResolvers from '@/organization/brand/graphql/customResolver/brand';
 import structureResolvers from '@/organization/structure/graphql/resolvers/customResolvers';
 import userResolvers from '@/organization/team-member/graphql/customResolver';
+import permissionResolvers from '@/permissions/graphql/resolvers/customResolver';
 import productResolvers from '@/products/graphql/resolvers/customResolvers';
 import segmentResolvers from '@/segments/graphql/resolvers/customResolvers';
 import tagResolvers from '@/tags/graphql/customResolvers';
-import notificationResolvers from '@/notifications/graphql/customResolvers';
 
 export const customResolvers = {
   ...contactResolvers,
@@ -24,4 +25,5 @@ export const customResolvers = {
   ...notificationResolvers,
   ...documentResolvers,
   ...internalNoteResolvers,
+  ...permissionResolvers,
 };
diff --git a/backend/core-api/src/apollo/schema/schema.ts b/backend/core-api/src/apollo/schema/schema.ts
@@ -142,15 +142,21 @@ import {
 } from '@/logs/graphql/schema';
 
 import {
-  mutations as NotificationsMutations,
-  queries as NotificationsQueries,
-  types as NotificationsTypes,
-} from '@/notifications/graphql/schema';
-import{
   mutations as InternalNoteMutations,
   queries as InternalNoteQueries,
   types as InternalNoteTypes,
 } from '@/internalNote/graphql/schemas';
+import {
+  mutations as NotificationsMutations,
+  queries as NotificationsQueries,
+  types as NotificationsTypes,
+} from '@/notifications/graphql/schema';
+
+import {
+  mutations as RoleMutations,
+  queries as RoleQueries,
+  types as RoleTypes,
+} from '@/permissions/graphql/schemas/role';
 
 export const types = `
     enum CacheControlScope {
@@ -192,6 +198,7 @@ export const types = `
     ${LogsTypes}
     ${NotificationsTypes}
     ${InternalNoteTypes}
+    ${RoleTypes}
   `;
 
 export const queries = `
@@ -221,6 +228,7 @@ export const queries = `
     ${LogsQueries}
      ${NotificationsQueries}
     ${InternalNoteQueries}
+    ${RoleQueries}
   `;
 
 export const mutations = `
@@ -249,6 +257,7 @@ export const mutations = `
     ${AutomationsMutations}
     ${NotificationsMutations}
     ${InternalNoteMutations}
+    ${RoleMutations}
   `;
 
 export default { types, queries, mutations };
diff --git a/backend/core-api/src/connectionResolvers.ts b/backend/core-api/src/connectionResolvers.ts
@@ -77,6 +77,7 @@ import {
   IProductDocument,
   IProductsConfigDocument,
   IRelationDocument,
+  IRoleDocument,
   ITagDocument,
   IUomDocument,
   IUserDocument,
@@ -145,6 +146,10 @@ import {
   INotificationDocument,
   notificationSchema,
 } from 'erxes-api-shared/core-modules';
+import {
+  IRoleModel,
+  loadRoleClass,
+} from '~/modules/permissions/db/models/Roles';
 import {
   IAutomationModel,
   loadClass as loadAutomationClass,
@@ -162,6 +167,7 @@ export interface IModels {
   UserMovements: IUserMovemmentModel;
   Configs: IConfigModel;
   Permissions: IPermissionModel;
+  Roles: IRoleModel;
   UsersGroups: IUserGroupModel;
   Tags: ITagModel;
   InternalNotes: IInternalNoteModel;
@@ -244,6 +250,11 @@ export const loadClasses = (
     loadPermissionClass(models),
   );
 
+  models.Roles = db.model<IRoleDocument, IRoleModel>(
+    'roles',
+    loadRoleClass(models),
+  );
+
   models.UsersGroups = db.model<IUserGroupDocument, IUserGroupModel>(
     'user_groups',
     loadUserGroupClass(models),

diff --git a/backend/core-api/src/modules/auth/graphql/resolvers/mutations.ts b/backend/core-api/src/modules/auth/graphql/resolvers/mutations.ts
@@ -1,13 +1,14 @@
+import { WorkOS } from '@workos-inc/node';
 import {
   authCookieOptions,
   getEnv,
   logHandler,
+  markResolvers,
   redis,
   updateSaasOrganization,
 } from 'erxes-api-shared/utils';
-import { IContext } from '~/connectionResolvers';
-import { WorkOS } from '@workos-inc/node';
 import * as jwt from 'jsonwebtoken';
+import { IContext } from '~/connectionResolvers';
 import {
   getCallbackRedirectUrl,
   isValidEmail,
@@ -239,3 +240,7 @@ export const authMutations = {
     return 'success';
   },
 };
+
+markResolvers(authMutations, {
+  skipPermission: true,
+});
diff --git a/backend/core-api/src/modules/auth/graphql/resolvers/queries.ts b/backend/core-api/src/modules/auth/graphql/resolvers/queries.ts
@@ -1,3 +1,4 @@
+import { markResolvers } from 'erxes-api-shared/utils/apollo/wrapperResolvers';
 import { IContext } from '~/connectionResolvers';
 
 export const authQueries = {
@@ -16,3 +17,7 @@ export const authQueries = {
     return result;
   },
 };
+
+markResolvers(authQueries, {
+  skipPermission: true,
+});
diff --git a/backend/core-api/src/modules/organization/team-member/db/models/Users.ts b/backend/core-api/src/modules/organization/team-member/db/models/Users.ts
@@ -25,6 +25,7 @@ import {
 
 import { USER_MOVEMENT_STATUSES } from 'erxes-api-shared/core-modules';
 import { title } from 'process';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
 
 const SALT_WORK_FACTOR = 10;
 
@@ -234,7 +235,7 @@ export const loadUserClass = (models: IModels, subdomain: string) => {
         this.checkPassword(password);
       }
 
-      return models.Users.create({
+      const user = await models.Users.create({
         isOwner,
         username,
         email,
@@ -246,6 +247,13 @@ export const loadUserClass = (models: IModels, subdomain: string) => {
         password: notUsePassword ? '' : await this.generatePassword(password),
         code: await this.generateUserCode(),
       });
+
+      models.Roles.create({
-      models.Roles.create({
+      await models.Roles.create({
-      models.Roles.create({
+      await models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      await models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      const role = isOwner
+        ? PERMISSION_ROLES.OWNER
+        : PERMISSION_ROLES.MEMBER;
+
+      models.Roles.create({
+        userId: user._id,
+        role,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      await models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      const role = isOwner
+        ? PERMISSION_ROLES.OWNER
+        : PERMISSION_ROLES.MEMBER;
+
+      models.Roles.create({
+        userId: user._id,
+        role,
+      });
+
+      return user;
     }
 
     /**
@@ -329,7 +337,7 @@ export const loadUserClass = (models: IModels, subdomain: string) => {
 
       this.checkPassword(password);
 
-      await models.Users.create({
+      const user = await models.Users.create({
         email,
         groupIds: [groupId],
         isActive: true,
@@ -341,6 +349,11 @@ export const loadUserClass = (models: IModels, subdomain: string) => {
         brandIds,
       });
 
+      models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      await models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
-      models.Roles.create({
-        userId: user._id,
-        role: PERMISSION_ROLES.MEMBER,
-      });
+      await models.Roles.create({
+        userId: user._id,
+        role: PERMISSION_ROLES.MEMBER,
+      });
+
       return token;
     }
 
@@ -795,7 +808,7 @@ export const loadUserClass = (models: IModels, subdomain: string) => {
         }
       }
 
-      if (user.isOwner && !user.lastSeenAt) {
+      if (!user.lastSeenAt) {
         const pluginNames = await getPlugins();
 
         for (const pluginName of pluginNames) {

diff --git a/...d/core-api/src/modules/organization/team-member/graphql/customResolver/customResolvers.ts b/...d/core-api/src/modules/organization/team-member/graphql/customResolver/customResolvers.ts
@@ -1,6 +1,6 @@
+import { getUserActionsMap, USER_ROLES } from 'erxes-api-shared/core-modules';
 import { IUserDocument } from 'erxes-api-shared/core-types';
 import { IContext } from '~/connectionResolvers';
-import { getUserActionsMap, USER_ROLES } from 'erxes-api-shared/core-modules';
 
 export default {
   __resolveReference: async ({ _id }, { models }: IContext) => {
@@ -21,6 +21,12 @@ export default {
     return 'Verified';
   },
 
+  async role(user: IUserDocument, _args: undefined, { models }: IContext) {
+    const { role } = await models.Roles.getRole(user._id);
+
+    return role;
+  },
+
   //   async currentOrganization(_user, _args, { subdomain, models }: IContext) {
   //     const organization = await getOrganizationDetail({ subdomain, models });
 

diff --git a/backend/core-api/src/modules/organization/team-member/graphql/mutations.ts b/backend/core-api/src/modules/organization/team-member/graphql/mutations.ts
@@ -1,17 +1,19 @@
-import { IContext } from '~/connectionResolvers';
 import {
-  IUser,
   IDetail,
-  ILink,
   IEmailSignature,
+  ILink,
+  IUser,
+  Resolver,
 } from 'erxes-api-shared/core-types';
+import { IContext } from '~/connectionResolvers';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
 
 export interface IUsersEdit extends IUser {
   channelIds?: string[];
   _id: string;
 }
 
-export const userMutations = {
+export const userMutations: Record<string, Resolver> = {
   async usersCreateOwner(
     _parent: undefined,
     {
@@ -48,7 +50,12 @@ export const userMutations = {
       },
     };
 
-    await models.Users.createUser(doc);
+    const user = await models.Users.createUser(doc);
+
+    models.Roles.create({
-    models.Roles.create({
+    await models.Roles.create({
-    models.Roles.create({
+    await models.Roles.create({
+      userId: user._id,
+      role: PERMISSION_ROLES.OWNER,
+    });
-    models.Roles.create({
-      userId: user._id,
-      role: PERMISSION_ROLES.OWNER,
-    });
+    await models.Roles.create({
+      userId: user._id,
+      role: PERMISSION_ROLES.OWNER,
+    });
-    const user = await models.Users.createUser(doc);
-
-    models.Roles.create({
-      userId: user._id,
-      role: PERMISSION_ROLES.OWNER,
-    });
+    const user = await models.Users.createUser(doc);
+
+    await models.Roles.findOneAndUpdate(
+      { userId: user._id },
+      { 
+        $set: { role: PERMISSION_ROLES.OWNER },
+        $setOnInsert: { userId: user._id }
+      },
+      { upsert: true },
+    );
-    models.Roles.create({
-      userId: user._id,
-      role: PERMISSION_ROLES.OWNER,
-    });
+    await models.Roles.create({
+      userId: user._id,
+      role: PERMISSION_ROLES.OWNER,
+    });
-    const user = await models.Users.createUser(doc);
-
-    models.Roles.create({
-      userId: user._id,
-      role: PERMISSION_ROLES.OWNER,
-    });
+    const user = await models.Users.createUser(doc);
+
+    await models.Roles.findOneAndUpdate(
+      { userId: user._id },
+      { 
+        $set: { role: PERMISSION_ROLES.OWNER },
+        $setOnInsert: { userId: user._id }
+      },
+      { upsert: true },
+    );
 
     if (subscribeEmail && process.env.NODE_ENV === 'production') {
       await fetch('https://erxes.io/subscribe', {
@@ -138,14 +145,14 @@ export const userMutations = {
       details,
       links,
       employeeId,
-      positionIds
+      positionIds,
     }: {
       username: string;
       email: string;
       details: IDetail;
       links: ILink;
       employeeId: string;
-      positionIds: string[]
+      positionIds: string[];
     },
     { user, models }: IContext,
   ) {
@@ -158,7 +165,7 @@ export const userMutations = {
       },
       links,
       employeeId,
-      positionIds
+      positionIds,
     };
 
     const updatedUser = await models.Users.editProfile(user._id, doc);
@@ -351,3 +358,5 @@ export const userMutations = {
     return;
   },
 };
+
+userMutations.usersCreateOwner.skipPermission = true;
diff --git a/backend/core-api/src/modules/organization/team-member/graphql/schema.ts b/backend/core-api/src/modules/organization/team-member/graphql/schema.ts
@@ -96,6 +96,7 @@ export const types = `
     customFieldsData: JSON
 
     isOwner: Boolean
+    role: String
     permissionActions: JSON
     configs: JSON
     configsConstants: [JSON]

diff --git a/backend/core-api/src/modules/permissions/db/constants.ts b/backend/core-api/src/modules/permissions/db/constants.ts
@@ -0,0 +1,6 @@
+export const PERMISSION_ROLES = {
+  OWNER: 'owner',
+  ADMIN: 'admin',
+  MEMBER: 'member',
+  ALL: ['owner', 'admin', 'member'],
+};
diff --git a/backend/core-api/src/modules/permissions/db/definitions/roles.ts b/backend/core-api/src/modules/permissions/db/definitions/roles.ts
@@ -0,0 +1,20 @@
+import { Schema } from 'mongoose';
+import { PERMISSION_ROLES } from '~/modules/permissions/db/constants';
+
+export const roleSchema = new Schema(
+  {
+    userId: { type: String, label: 'User', index: true, required: true },
+    role: {
+      type: String,
+      enum: PERMISSION_ROLES.ALL,
+      label: 'Role',
+      index: true,
+      required: true,
+    },
+  },
+  {
+    timestamps: true,
+  },
+);
+
+roleSchema.index({ userId: 1, role: 1 }, { unique: true });