Add permission checks to queryset filtering in types

78d7c888 · Hangzhi Yu · e93567be · 78d7c888 · 78d7c888 · 78d7c888
Commit 78d7c888 authored 6 months ago by Hangzhi Yu
--- a/aleksis/apps/maka/schema/effort.py
+++ b/aleksis/apps/maka/schema/effort.py
+from django.core.exceptions import PermissionDenied
+from django.db.models import Q
+
 from graphene_django.types import DjangoObjectType
+from guardian.shortcuts import get_objects_for_user

+from aleksis.core.models import Group
 from aleksis.core.schema.base import (
    BaseBatchCreateMutation,
    BaseBatchDeleteMutation,
@@ -7,6 +12,7 @@ from aleksis.core.schema.base import (
    DjangoFilterMixin,
    PermissionsTypeMixin,
 )
+from aleksis.core.util.core_helpers import get_site_preferences, has_person

 from ..models import Effort as EffortModel
 from ..models import EffortType as EffortTypeModel
@@ -29,6 +35,12 @@ class EffortTypeType(
            "name": ["icontains", "exact"],
        }

+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_efforttypes_rule"):
+            return queryset
+        raise PermissionDenied()
+

 class EffortTypeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
    class Meta:
@@ -70,6 +82,17 @@ class EffortType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin
            "name": ["icontains", "exact"],
        }

+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_effort"):
+            return queryset
+        elif has_person(info.context.user):
+            groups = get_objects_for_user(info.context.user, "core.view_efforts_group", Group).union(info.context.user.person.owner_of.all())
+            if get_site_preferences()["maka__view_own_efforts"]:
+                groups = groups.union(info.context.user.person.member_of.all())
+            return queryset.filter(group__in=groups.values_list("id", flat=True))
+        raise PermissionDenied()
+

 class EffortBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
    class Meta:

--- a/aleksis/apps/maka/schema/grade.py
+++ b/aleksis/apps/maka/schema/grade.py
+from django.core.exceptions import PermissionDenied
+
 from graphene_django.types import DjangoObjectType
+from guardian.shortcuts import get_objects_for_user

+from aleksis.core.models import Group
 from aleksis.core.schema.base import (
    BaseBatchCreateMutation,
    BaseBatchDeleteMutation,
@@ -7,6 +11,7 @@ from aleksis.core.schema.base import (
    DjangoFilterMixin,
    PermissionsTypeMixin,
 )
+from aleksis.core.util.core_helpers import get_site_preferences, has_person

 from ..models import Grade
 from .shared_secret import (
@@ -26,6 +31,17 @@ class GradeType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin,
            "name__lel": ["icontains", "exact"],
        }

+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_grade"):
+            return queryset
+        elif has_person(info.context.user):
+            groups = get_objects_for_user(info.context.user, "core.view_grades_group", Group).union(info.context.user.person.owner_of.all())
+            if get_site_preferences()["maka__view_own_grades"]:
+                groups = groups.union(info.context.user.person.member_of.all())
+            return queryset.filter(effort__group__in=groups.values_list("id", flat=True))
+        raise PermissionDenied()
+

 class GradeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
    class Meta:

--- a/aleksis/apps/maka/schema/grade_set.py
+++ b/aleksis/apps/maka/schema/grade_set.py
+from django.core.exceptions import PermissionDenied
+
 from graphene_django.types import DjangoObjectType

 from aleksis.core.schema.base import (
@@ -28,6 +30,12 @@ class GradeSetType(
            "name": ["icontains", "exact"],
        }

+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_gradesets_rule"):
+            return queryset
+        raise PermissionDenied()
+

 class GradeSetBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
    class Meta:
@@ -64,7 +72,9 @@ class GradeChoiceType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType)

    @classmethod
    def get_queryset(cls, queryset, info):
-        return queryset.order_by("order")
+        if info.context.user.has_perm("maka.view_gradechoices_rule"):
+            return queryset.order_by("order")
+        raise PermissionDenied()


 class GradeChoiceBatchCreateMutation(BaseBatchCreateMutation):