diff --git a/aleksis/core/urls.py b/aleksis/core/urls.py
index c441d2ab8430d26faf539dbcbf4d69b5824196d5..726d8f06581171c7670e54d59fc088ea21e5bfe7 100644
--- a/aleksis/core/urls.py
+++ b/aleksis/core/urls.py
@@ -10,7 +10,6 @@ import calendarweek.django
 import debug_toolbar
 from ckeditor_uploader import views as ckeditor_uploader_views
 from django_js_reverse.views import urls_js
-from graphene_django.views import GraphQLView
 from health_check.urls import urlpatterns as health_urls
 from oauth2_provider.views import ConnectDiscoveryInfoView
 from rules.contrib.views import permission_required
@@ -144,7 +143,7 @@ urlpatterns = [
 name="oauth2_provider:authorize",
 ),
 path("oauth/", include("oauth2_provider.urls", namespace="oauth2_provider")),
- path("graphql/", csrf_exempt(GraphQLView.as_view(graphiql=True)), name="graphql"),
+ path("graphql/", csrf_exempt(views.PrivateGraphQLView.as_view(graphiql=True)), name="graphql"),
 path("__i18n__/", include("django.conf.urls.i18n")),
 path(
 "ckeditor/upload/",
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 01350da6482743593964dfa52f3e44ae695e1e20..c33d561afcbb393ca38d735898f2b4a7e83d1e4b 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -46,6 +46,7 @@ from django_filters.views import FilterView
 from django_tables2 import RequestConfig, SingleTableMixin, SingleTableView
 from dynamic_preferences.forms import preference_form_builder
 from guardian.shortcuts import GroupObjectPermission, UserObjectPermission, get_objects_for_user
+from graphene_django.views import GraphQLView
 from haystack.generic_views import SearchView
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
@@ -1615,3 +1616,7 @@ class ICalFeedCreateView(PermissionRequiredMixin, AdvancedCreateView):
 obj.person = self.request.user.person
 obj.save()
 return super().form_valid(form)
+
+
+class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
+ """GraphQL view that requires a valid user session."""
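Review bot: The `graphql/` route in `urls.py` keeps its `csrf_exempt` wrapper although the view behind it now authenticates through the session cookie, so a cookie-authenticated POST is accepted without a CSRF token. Once the session is what authorises a request, Django's CSRF check is the control that stops another origin from submitting operations in a logged-in user's name. How far the cookie's SameSite setting limits this depends on deployment configuration not visible here. I would drop the exemption, `path("graphql/", views.PrivateGraphQLView.as_view(graphiql=True), name="graphql"),`, and have the frontend send the CSRF token header. Separately, `graphiql=True` stays unconditional; consider tying it to `settings.DEBUG`.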
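Review bot: In the first `views.py` hunk the new import is out of order. The surrounding third-party imports are sorted alphabetically, and `graphene_django` sorts before `guardian`. Placing `from graphene_django.views import GraphQLView` above the `guardian.shortcuts` line keeps the block consistent, and avoids a lint failure if the project runs an import sorter in CI.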
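Review bot: `PrivateGraphQLView` uses the mixin's default handling for anonymous requests. Assuming `LoginRequiredMixin` is Django's (its import is outside the hunk), that default is a redirect to the login page rather than an error status. A JavaScript or API client posting to the endpoint would then receive the login HTML instead of a response it can parse. Adding `raise_exception = True` to the class body makes an unauthenticated request fail with a 403. The docstring could also say that the view only enforces authentication, e.g. `"""GraphQL view that requires an authenticated user; resolvers must still check object permissions."""`, so nobody reads the login gate as authorization.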