From 78d7c888cb963caeac185a0c882e19df605664a7 Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Wed, 2 Oct 2024 23:45:07 +0200
Subject: [PATCH] Add permission checks to queryset filtering in types

---
 aleksis/apps/maka/schema/effort.py    | 23 +++++++++++++++++++++++
 aleksis/apps/maka/schema/grade.py     | 16 ++++++++++++++++
 aleksis/apps/maka/schema/grade_set.py | 12 +++++++++++-
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/aleksis/apps/maka/schema/effort.py b/aleksis/apps/maka/schema/effort.py
index 842c675..73ce9fa 100644
--- a/aleksis/apps/maka/schema/effort.py
+++ b/aleksis/apps/maka/schema/effort.py
@@ -1,5 +1,10 @@
+from django.core.exceptions import PermissionDenied
+from django.db.models import Q
+
 from graphene_django.types import DjangoObjectType
+from guardian.shortcuts import get_objects_for_user
 
+from aleksis.core.models import Group
 from aleksis.core.schema.base import (
     BaseBatchCreateMutation,
     BaseBatchDeleteMutation,
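Review bot: `Q` is imported on the new side, but nothing in this patch's effort.py hunks uses it; the filter added further down is a single `group__in` lookup, and the parallel grade.py hunk imports only `PermissionDenied`. Unless a hunk outside this view needs it, drop `from django.db.models import Q` so the linter stays clean. The import statement that begins at `from aleksis.core.schema.base import (` continues past the end of this hunk.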
@@ -7,6 +12,7 @@ from aleksis.core.schema.base import (
     DjangoFilterMixin,
     PermissionsTypeMixin,
 )
+from aleksis.core.util.core_helpers import get_site_preferences, has_person
 
 from ..models import Effort as EffortModel
 from ..models import EffortType as EffortTypeModel
@@ -29,6 +35,12 @@ class EffortTypeType(
             "name": ["icontains", "exact"],
         }
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_efforttypes_rule"):
+            return queryset
+        raise PermissionDenied()
+
 
 class EffortTypeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
     class Meta:
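Review bot: `EffortTypeType.get_queryset` has no docstring, and its contract is not the usual one: instead of narrowing the queryset it raises `PermissionDenied`, so any query that resolves this type (presumably including nested resolution through related fields, if graphene-django routes those through `get_queryset` as well) fails as a whole rather than returning an empty list. I would state that: `"""Return all effort types for users holding ``maka.view_efforttypes_rule``; raise PermissionDenied for everyone else."""`. The same note applies to the identical checks in grade_set.py.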
@@ -70,6 +82,17 @@ class EffortType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin
             "name": ["icontains", "exact"],
         }
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_effort"):
+            return queryset
+        elif has_person(info.context.user):
+            groups = get_objects_for_user(info.context.user, "core.view_efforts_group", Group).union(info.context.user.person.owner_of.all())
+            if get_site_preferences()["maka__view_own_efforts"]:
+                groups = groups.union(info.context.user.person.member_of.all())
+            return queryset.filter(group__in=groups.values_list("id", flat=True))
+        raise PermissionDenied()
+
 
 class EffortBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
     class Meta:
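Review bot: The global short-circuit on `info.context.user.has_perm("maka.view_effort")` uses a plain model-permission name while the sibling types check `*_rule` names (`maka.view_efforttypes_rule` above, `maka.view_gradesets_rule` in grade_set.py); if `maka.view_effort` is only Django's auto-generated model permission and not a registered rule, the fast path applies to superusers and explicitly assigned users only, which may be intended but should be confirmed against rules.py. The `groups = get_objects_for_user(...).union(...)` line is far beyond 100 columns and will not survive `black`; bind `user = info.context.user` and `person = user.person` first and wrap the call. Also verify that a `union()` queryset, unioned again under the preference, is accepted as an `__in` subquery by the Django version in use, or materialise it with `list(groups.values_list("id", flat=True))`. `EffortType`'s class header lies outside this hunk.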
diff --git a/aleksis/apps/maka/schema/grade.py b/aleksis/apps/maka/schema/grade.py
index f5ca164..cc8b410 100644
--- a/aleksis/apps/maka/schema/grade.py
+++ b/aleksis/apps/maka/schema/grade.py
@@ -1,5 +1,9 @@
+from django.core.exceptions import PermissionDenied
+
 from graphene_django.types import DjangoObjectType
+from guardian.shortcuts import get_objects_for_user
 
+from aleksis.core.models import Group
 from aleksis.core.schema.base import (
     BaseBatchCreateMutation,
     BaseBatchDeleteMutation,
@@ -7,6 +11,7 @@ from aleksis.core.schema.base import (
     DjangoFilterMixin,
     PermissionsTypeMixin,
 )
+from aleksis.core.util.core_helpers import get_site_preferences, has_person
 
 from ..models import Grade
 from .shared_secret import (
@@ -26,6 +31,17 @@ class GradeType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin,
             "name__lel": ["icontains", "exact"],
         }
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_grade"):
+            return queryset
+        elif has_person(info.context.user):
+            groups = get_objects_for_user(info.context.user, "core.view_grades_group", Group).union(info.context.user.person.owner_of.all())
+            if get_site_preferences()["maka__view_own_grades"]:
+                groups = groups.union(info.context.user.person.member_of.all())
+            return queryset.filter(effort__group__in=groups.values_list("id", flat=True))
+        raise PermissionDenied()
+
 
 class GradeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
     class Meta:
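Review bot: Under `maka__view_own_grades` the filter `queryset.filter(effort__group__in=...)` admits every Grade whose effort belongs to any group the person is merely a member of, so a pupil would see classmates' grades in the same group rather than only their own, which is what the preference name suggests; if Grade (or its effort) carries a person/student reference, which is not visible here, the member-of branch needs an additional person constraint while the owner/`core.view_grades_group` branch keeps group-wide access. That is two `Q` objects ORed together instead of one union, and `Q` is not imported in grade.py by this patch. As in effort.py, the combined `union()` queryset used as an `__in` subquery deserves a check on the project's Django version, and the `groups = ...` line needs wrapping for `black`. `GradeType`'s class header lies outside this hunk.
```python
        elif has_person(info.context.user):
            person = info.context.user.person
            managed = get_objects_for_user(
                info.context.user, "core.view_grades_group", Group
            ).union(person.owner_of.all())
            visible = Q(effort__group__in=managed.values_list("id", flat=True))
            if get_site_preferences()["maka__view_own_grades"]:
                # NOTE(review): only the person's own grades in groups they merely belong to;
                # confirm the name of the person reference on Grade before merging
                visible |= Q(
                    effort__group__in=person.member_of.values_list("id", flat=True),
                    person=person,
                )
            return queryset.filter(visible)
        # … unchanged: PermissionDenied fallthrough …
```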
diff --git a/aleksis/apps/maka/schema/grade_set.py b/aleksis/apps/maka/schema/grade_set.py
index fadd0fc..6240c42 100644
--- a/aleksis/apps/maka/schema/grade_set.py
+++ b/aleksis/apps/maka/schema/grade_set.py
@@ -1,3 +1,5 @@
+from django.core.exceptions import PermissionDenied
+
 from graphene_django.types import DjangoObjectType
 
 from aleksis.core.schema.base import (
@@ -28,6 +30,12 @@ class GradeSetType(
             "name": ["icontains", "exact"],
         }
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        if info.context.user.has_perm("maka.view_gradesets_rule"):
+            return queryset
+        raise PermissionDenied()
+
 
 class GradeSetBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
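Review bot: `GradeSetType.get_queryset` is undocumented and, like the effort-type check, turns a missing `maka.view_gradesets_rule` into a `PermissionDenied` error for the whole query instead of an empty result; that choice is fine but worth a docstring so the next reader does not "fix" it to `queryset.none()`: `"""Return all grade sets for users holding ``maka.view_gradesets_rule``; raise PermissionDenied otherwise."""`. The `GradeChoiceType.get_queryset` change in the next hunk follows the same pattern and would take the same one-line docstring.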
     class Meta:
@@ -64,7 +72,9 @@ class GradeChoiceType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType)
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return queryset.order_by("order")
+        if info.context.user.has_perm("maka.view_gradechoices_rule"):
+            return queryset.order_by("order")
+        raise PermissionDenied()
 
 
 class GradeChoiceBatchCreateMutation(BaseBatchCreateMutation):
-- 
GitLab