Fix protection for batch mutations

d3f96f32 · Jonathan Weth · 86d2201b · d3f96f32
Verified Commit d3f96f32 authored 2 months ago by Jonathan Weth
--- a/aleksis/core/schema/base.py
+++ b/aleksis/core/schema/base.py
@@ -111,7 +111,8 @@ class PermissionBatchCreateMixin:

    @classmethod
    def after_create_obj(cls, root, info, data, obj, input):  # noqa
-        if isinstance(cls._meta.permissions, Iterable) and not info.context.user.has_perms(
+        super().after_create_obj(root, info, data, obj, input)
+        if not isinstance(cls._meta.permissions, Iterable) or not info.context.user.has_perms(
            cls._meta.permissions, obj
        ):
            raise PermissionDenied()
@@ -129,7 +130,8 @@ class PermissionBatchPatchMixin:

    @classmethod
    def after_update_obj(cls, root, info, input, obj, full_input):  # noqa
-        if isinstance(cls._meta.permissions, Iterable) and not info.context.user.has_perms(
+        super().after_update_obj(root, info, input, obj, full_input)
+        if not isinstance(cls._meta.permissions, Iterable) or not info.context.user.has_perms(
            cls._meta.permissions, obj
        ):
            raise PermissionDenied()
@@ -147,10 +149,12 @@ class PermissionBatchDeleteMixin:

    @classmethod
    def before_save(cls, root, info, ids, qs_to_delete):  # noqa
-        if isinstance(cls._meta.permissions, Iterable):
-            for obj in qs_to_delete:
-                if not info.context.user.has_perms(cls._meta.permissions, obj):
-                    raise PermissionDenied()
+        super().before_save(root, info, ids, qs_to_delete)
+        if not isinstance(cls._meta.permissions, Iterable):
+            raise PermissionDenied()
+        for obj in qs_to_delete:
+            if not info.context.user.has_perms(cls._meta.permissions, obj):
+                raise PermissionDenied()


 class PermissionPatchMixin:
@@ -264,10 +268,12 @@ class ModelValidationMixin:

    @classmethod
    def after_update_obj(cls, root, info, data, obj, full_input):
+        super().after_update_obj(root, info, data, obj, full_input)
        obj.full_clean()

    @classmethod
    def before_create_obj(cls, info, data, obj):
+        super().before_create_obj(info, data, obj)
        obj.full_clean()