Add two checks to prevent security issues with GraphQL mutations/queries

65c332a7 · Jonathan Weth · d3f96f32 · 65c332a7 · 65c332a7
Verified Commit 65c332a7 authored 1 month ago by Jonathan Weth
--- a/aleksis/core/checks.py
+++ b/aleksis/core/checks.py
+from collections.abc import Iterable
 from typing import Optional

 import django.apps
-from django.core.checks import Tags, Warning, register  # noqa
+from django.core.checks import Error, Tags, Warning, register  # noqa

 from .mixins import ExtensibleModel, GlobalPermissionModel, PureDjangoModel
+from .schema.base import BaseBatchCreateMutation, BaseBatchDeleteMutation, BaseBatchPatchMutation
 from .util.apps import AppConfig


@@ -71,3 +73,28 @@ def check_app_models_base_class(
                )

    return results
+
+
+@register(Tags.security)
+def check_all_mutations_with_permissions(
+    app_configs: Optional[django.apps.registry.Apps] = None, **kwargs
+) -> list:
+    results = []
+    for base_class in [BaseBatchCreateMutation, BaseBatchPatchMutation, BaseBatchDeleteMutation]:
+        for subclass in base_class.__subclasses__():
+            if (
+                not isinstance(subclass._meta.permissions, Iterable)
+                or not subclass._meta.permissions
+            ):
+                results.append(
+                    Error(
+                        f"Mutation {subclass.__name__} doesn't set required permission",
+                        hint=(
+                            "Ensure that the mutation is protected by setting the "
+                            "permissions attribute in the mutation's Meta class."
+                        ),
+                        obj=subclass,
+                        id="aleksis.core.E001",
+                    )
+                )
+    return results
--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -4,6 +4,7 @@ from django.db.models import Q

 import graphene
 import graphene_django_optimizer
+from graphene.types.resolver import dict_or_attr_resolver, set_default_resolver
 from guardian.shortcuts import get_objects_for_user
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
@@ -81,6 +82,17 @@ from .two_factor import TwoFactorType
 from .user import UserType


+def custom_default_resolver(attname, default_value, root, info, **args):
+    """Custom default resolver to ensure resolvers are set for all queries."""
+    if info.parent_type.name == "GlobalQuery":
+        raise NotImplementedError(f"No own resolver defined for {attname}")
+
+    return dict_or_attr_resolver(attname, default_value, root, info, **args)
+
+
+set_default_resolver(custom_default_resolver)
+
+
 class Query(graphene.ObjectType):
    ping = graphene.String(payload=graphene.String())