From f4a892d17f970a883631447257e43b3635016a77 Mon Sep 17 00:00:00 2001
From: Dominik George <dominik.george@teckids.org>
Date: Tue, 16 Aug 2022 22:27:12 +0200
Subject: [PATCH] Require login for GraphQL

---
 aleksis/core/urls.py  | 3 +--
 aleksis/core/views.py | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/aleksis/core/urls.py b/aleksis/core/urls.py
index c441d2ab8..726d8f065 100644
--- a/aleksis/core/urls.py
+++ b/aleksis/core/urls.py
@@ -10,7 +10,6 @@ import calendarweek.django
 import debug_toolbar
 from ckeditor_uploader import views as ckeditor_uploader_views
 from django_js_reverse.views import urls_js
-from graphene_django.views import GraphQLView
 from health_check.urls import urlpatterns as health_urls
 from oauth2_provider.views import ConnectDiscoveryInfoView
 from rules.contrib.views import permission_required
@@ -144,7 +143,7 @@ urlpatterns = [
         name="oauth2_provider:authorize",
     ),
     path("oauth/", include("oauth2_provider.urls", namespace="oauth2_provider")),
-    path("graphql/", csrf_exempt(GraphQLView.as_view(graphiql=True)), name="graphql"),
+    path("graphql/", csrf_exempt(views.PrivateGraphQLView.as_view(graphiql=True)), name="graphql"),
     path("__i18n__/", include("django.conf.urls.i18n")),
     path(
         "ckeditor/upload/",
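Review bot: Line 28 keeps the `csrf_exempt` wrapper around a view that now authenticates through the Django session, so the CSRF check that would stop a logged-in user's browser from being driven to submit GraphQL operations (mutations included) from another origin is still disabled; before this change the endpoint was anonymous, so the exemption mattered less. Unless a non-browser client genuinely depends on the exemption, the simpler route is `path("graphql/", views.PrivateGraphQLView.as_view(graphiql=True), name="graphql"),` and letting Django's CSRF middleware cover the endpoint; graphene-django's GraphiQL page appears to send the `X-CSRFToken` header from the cookie, but that should be confirmed against the installed version. If the exemption must stay, the reason belongs in a comment next to it, e.g. `# csrf_exempt: token-based API clients cannot supply a CSRF token; session users are still subject to ...`. The enclosing `urlpatterns` list starts and ends outside this hunk.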
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 01350da64..c33d561af 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -46,6 +46,7 @@ from django_filters.views import FilterView
 from django_tables2 import RequestConfig, SingleTableMixin, SingleTableView
 from dynamic_preferences.forms import preference_form_builder
 from guardian.shortcuts import GroupObjectPermission, UserObjectPermission, get_objects_for_user
+from graphene_django.views import GraphQLView
 from haystack.generic_views import SearchView
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
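Review bot: The added import at line 40 is out of the sorted order the surrounding block follows: `graphene_django` sorts before `guardian`, so `from graphene_django.views import GraphQLView` belongs above the `from guardian.shortcuts import ...` line (line 39), not below it. isort or ruff's import sorting will otherwise move it on the next formatting pass.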
@@ -1615,3 +1616,7 @@ class ICalFeedCreateView(PermissionRequiredMixin, AdvancedCreateView):
         obj.person = self.request.user.person
         obj.save()
         return super().form_valid(form)
+
+
+class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
+    """GraphQL view that requires a valid user session."""
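Review bot: `LoginRequiredMixin` without `raise_exception` answers an unauthenticated request with a redirect to the login page, so an API client or front-end script calling this endpoint without a session receives a 302 to an HTML page instead of a 401/403 with a JSON body, which is awkward for GraphQL consumers; adding `raise_exception = True` to the class body turns that into a 403. The mixin only inspects `request.user.is_authenticated`, so if OAuth2 bearer-token clients (the project wires up `oauth2_provider` in urls.py) are expected to reach this view, they will be rejected unless some middleware already populates `request.user` from the token — worth confirming. The docstring could also state the deployment context a reader needs, e.g. `"""GraphQL view that requires a valid user session; mounted csrf_exempt in core/urls.py, so mutations rely on session checks only."""`, so the interaction with the URL config is visible from the class itself.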
-- 
GitLab