Fix permission checking in schemas (performance/rule names)

aleksis/core/schema/__init__.py

 from django.apps import apps
 from django.contrib.messages import get_messages
+from django.core.exceptions import PermissionDenied
+from django.db.models import Q
 
 import graphene
+from guardian.shortcuts import get_objects_for_user
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
 from haystack.utils.loading import UnifiedIndex
@@ -11,7 +14,6 @@ from ..util.apps import AppConfig
 from ..util.core_helpers import get_allowed_object_ids, get_app_module, get_app_packages, has_person
 from .celery_progress import (
     CeleryProgressFetchedMutation,
-    CeleryProgressMetaType,
     CeleryProgressType,
 )
 from .custom_menu import CustomMenuType
@@ -51,21 +53,28 @@ class Query(graphene.ObjectType):
 
     custom_menu_by_name = graphene.Field(CustomMenuType, name=graphene.String())
 
-    global_permissions_by_name = graphene.List(GlobalPermissionType, permissions=graphene.List(graphene.String))
+    global_permissions_by_name = graphene.List(
+        GlobalPermissionType, permissions=graphene.List(graphene.String)
+    )
 
     def resolve_notifications(root, info, **kwargs):
-        return NotificationType.get_queryset(
-            Notification.objects.all().order_by("-created"),
-            info,
+        return Notification.objects.filter(
+            Q(
+                pk__in=get_objects_for_user(
+                    info.context.user, "core.view_person", Person.objects.all()
+                )
+            )
+            | Q(recipient=info.context.user.person)
         )
 
     def resolve_persons(root, info, **kwargs):
-        return PersonType.get_queryset(Person.objects.all(), info).all()
+        return get_objects_for_user(info.context.user, "core.view_person", Person.objects.all())
 
     def resolve_person_by_id(root, info, id):  # noqa
-        return PersonType.get_queryset(
-            Person.objects.filter(pk=id), info, "core.view_person_rule"
-        ).first()
+        person = Person.objects.get(pk=id)
+        if not info.context.user.has_perm("core.view_person_rule", person):
+            raise PermissionDenied()
+        return person
 
     def resolve_who_am_i(root, info, **kwargs):
         if has_person(info.context.user):
@@ -83,12 +92,9 @@ class Query(graphene.ObjectType):
         return [app for app in apps.get_app_configs() if isinstance(app, AppConfig)]
 
     def resolve_celery_progress_by_task_id(root, info, task_id, **kwargs):
-        task = CeleryProgressMetaType.get_queryset(
-            TaskUserAssignment.objects.filter(task_result__task_id=task_id),
-            info,
-        ).first()
+        task = TaskUserAssignment.objects.get(task_result__task_id=task_id)
 
-        if not task:
+        if not info.context.user.has_perm("core.view_progress_rule", task):
             raise PermissionDenied()
         progress = task.get_progress_with_meta()
         return progress
@@ -118,8 +124,10 @@ class Query(graphene.ObjectType):
         return CustomMenu.get_default(name)
 
     def resolve_global_permissions_by_name(root, info, permissions, **kwargs):
-        return [{"name": permission_name, "result": info.context.user.has_perm(permission_name)} for permission_name in
-                permissions]
+        return [
+            {"name": permission_name, "result": info.context.user.has_perm(permission_name)}
+            for permission_name in permissions
+        ]
 
 
 class Mutation(graphene.ObjectType):

aleksis/core/schema/celery_progress.py

@@ -2,9 +2,9 @@ from django.contrib.messages.constants import DEFAULT_TAGS
 
 import graphene
 from graphene import ObjectType
+from graphene_django import DjangoObjectType
 
 from ..models import TaskUserAssignment
-from .base import RulesObjectType
 
 
 class CeleryProgressMessage(ObjectType):
@@ -28,7 +28,7 @@ class CeleryProgressAdditionalButtonType(ObjectType):
     icon = graphene.String()
 
 
-class CeleryProgressMetaType(RulesObjectType):
+class CeleryProgressMetaType(DjangoObjectType):
     additional_button = graphene.Field(CeleryProgressAdditionalButtonType, required=False)
     task_id = graphene.String(required=True)
 

aleksis/core/schema/group.py

+from graphene_django import DjangoObjectType
+
 from ..models import Group
-from .base import RulesObjectType
 
 
-class GroupType(RulesObjectType):
+class GroupType(DjangoObjectType):
     class Meta:
         model = Group
-
-    @classmethod
-    def get_queryset(cls, queryset, info, perm="core.view_groups_rule"):
-        return super().get_queryset(queryset, info, perm)

aleksis/core/schema/notification.py

+from django.core.exceptions import PermissionDenied
+
 import graphene
+from graphene_django import DjangoObjectType
 
 from ..models import Notification
-from .base import RulesObjectType
 
 
-class NotificationType(RulesObjectType):
+class NotificationType(DjangoObjectType):
     class Meta:
         model = Notification
 
-    @classmethod
-    def get_queryset(cls, queryset, info, perm="core.view_notifications_rule"):
-        return super().get_queryset(queryset, info, perm)
-
 
 class MarkNotificationReadMutation(graphene.Mutation):
     class Arguments:

aleksis/core/schema/person.py

 from typing import Union
 
+from django.core.exceptions import PermissionDenied
 from django.utils import timezone
 
 import graphene
+from graphene_django import DjangoObjectType
 from graphene_django.forms.mutation import DjangoModelFormMutation
 
 from ..forms import PersonForm
 from ..models import DummyPerson, Person
-from .base import RulesObjectType
 
 
 class FieldFileType(graphene.ObjectType):
@@ -24,7 +25,7 @@ class PersonPreferencesType(graphene.ObjectType):
         return parent["theme__design"]
 
 
-class PersonType(RulesObjectType):
+class PersonType(DjangoObjectType):
     class Meta:
         model = Person
 
@@ -58,10 +59,6 @@ class PersonType(RulesObjectType):
     def resolve_notifications(root: Person, info, **kwargs):
         return root.notifications.filter(send_at__lte=timezone.now()).order_by("read", "-created")
 
-    @classmethod
-    def get_queryset(cls, queryset, info, perm="core.view_persons_rule"):
-        return super().get_queryset(queryset, info, perm)
-
 
 class PersonMutation(DjangoModelFormMutation):
     person = graphene.Field(PersonType)
@@ -71,10 +68,10 @@ class PersonMutation(DjangoModelFormMutation):
 
     @classmethod
     def perform_mutate(cls, form, info):
-        if form.initial:
-            if not info.context.user.has_perm("core.create_person.rule"):
+        if not form.initial:
+            if not info.context.user.has_perm("core.create_person_rule"):
                 raise PermissionDenied()
         else:
-            if not info.context.user.has_perm("core.edit_person.rule", form.instance):
+            if not info.context.user.has_perm("core.edit_person_rule", form.instance):
                 raise PermissionDenied()
         return super().perform_mutate(form, info)