Commit 78d7c888 authored by Hangzhi Yu's avatar Hangzhi Yu

Add permission checks to queryset filtering in types

parent e93567be
2 merge requests!4Resolve "Add permissions/rules",!2Frontend
from django.core.exceptions import PermissionDenied
from django.db.models import Q
from graphene_django.types import DjangoObjectType from graphene_django.types import DjangoObjectType
from guardian.shortcuts import get_objects_for_user
from aleksis.core.models import Group
from aleksis.core.schema.base import ( from aleksis.core.schema.base import (
BaseBatchCreateMutation, BaseBatchCreateMutation,
BaseBatchDeleteMutation, BaseBatchDeleteMutation,
...@@ -7,6 +12,7 @@ from aleksis.core.schema.base import ( ...@@ -7,6 +12,7 @@ from aleksis.core.schema.base import (
DjangoFilterMixin, DjangoFilterMixin,
PermissionsTypeMixin, PermissionsTypeMixin,
) )
from aleksis.core.util.core_helpers import get_site_preferences, has_person
from ..models import Effort as EffortModel from ..models import Effort as EffortModel
from ..models import EffortType as EffortTypeModel from ..models import EffortType as EffortTypeModel
...@@ -29,6 +35,12 @@ class EffortTypeType( ...@@ -29,6 +35,12 @@ class EffortTypeType(
"name": ["icontains", "exact"], "name": ["icontains", "exact"],
} }
@classmethod
def get_queryset(cls, queryset, info):
if info.context.user.has_perm("maka.view_efforttypes_rule"):
return queryset
raise PermissionDenied()
class EffortTypeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation): class EffortTypeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
class Meta: class Meta:
...@@ -70,6 +82,17 @@ class EffortType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin ...@@ -70,6 +82,17 @@ class EffortType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin
"name": ["icontains", "exact"], "name": ["icontains", "exact"],
} }
@classmethod
def get_queryset(cls, queryset, info):
if info.context.user.has_perm("maka.view_effort"):
return queryset
elif has_person(info.context.user):
groups = get_objects_for_user(info.context.user, "core.view_efforts_group", Group).union(info.context.user.person.owner_of.all())
if get_site_preferences()["maka__view_own_efforts"]:
groups = groups.union(info.context.user.person.member_of.all())
return queryset.filter(group__in=groups.values_list("id", flat=True))
raise PermissionDenied()
class EffortBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation): class EffortBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
class Meta: class Meta:
......
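Review bot: In `EffortType.get_queryset` the set of visible groups is built with `.union()` and then used as an `__in` subquery, which is a fragile basis for an access filter: Django restricts what may be done with a combined queryset, and support for using one inside a subquery depends on the Django version and database backend. Since `Q` is already imported at the top of this file, the same set can be expressed without a compound query, e.g. `queryset.filter(Q(group__in=perm_groups) | Q(group__in=person.owner_of.all()))` with `perm_groups` being the `get_objects_for_user(...)` result, adding `| Q(group__in=person.member_of.all())` when the preference is set. The grade type's `get_queryset` in the next file uses the same construct. A test with a user who owns one group and is only a member of another would pin the intended visibility.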
from django.core.exceptions import PermissionDenied
from graphene_django.types import DjangoObjectType from graphene_django.types import DjangoObjectType
from guardian.shortcuts import get_objects_for_user
from aleksis.core.models import Group
from aleksis.core.schema.base import ( from aleksis.core.schema.base import (
BaseBatchCreateMutation, BaseBatchCreateMutation,
BaseBatchDeleteMutation, BaseBatchDeleteMutation,
...@@ -7,6 +11,7 @@ from aleksis.core.schema.base import ( ...@@ -7,6 +11,7 @@ from aleksis.core.schema.base import (
DjangoFilterMixin, DjangoFilterMixin,
PermissionsTypeMixin, PermissionsTypeMixin,
) )
from aleksis.core.util.core_helpers import get_site_preferences, has_person
from ..models import Grade from ..models import Grade
from .shared_secret import ( from .shared_secret import (
...@@ -26,6 +31,17 @@ class GradeType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin, ...@@ -26,6 +31,17 @@ class GradeType(SharedSecretObjectType, PermissionsTypeMixin, DjangoFilterMixin,
"name__lel": ["icontains", "exact"], "name__lel": ["icontains", "exact"],
} }
@classmethod
def get_queryset(cls, queryset, info):
if info.context.user.has_perm("maka.view_grade"):
return queryset
elif has_person(info.context.user):
groups = get_objects_for_user(info.context.user, "core.view_grades_group", Group).union(info.context.user.person.owner_of.all())
if get_site_preferences()["maka__view_own_grades"]:
groups = groups.union(info.context.user.person.member_of.all())
return queryset.filter(effort__group__in=groups.values_list("id", flat=True))
raise PermissionDenied()
class GradeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation): class GradeBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
class Meta: class Meta:
......
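Review bot: When `maka__view_own_grades` is enabled, the `member_of` groups are merged into the same set as the owned and permitted groups, so the final `effort__group__in` filter returns every grade attached to those groups' efforts, not only the requesting person's. If `Grade` rows belong to individual persons (the model is not shown here), a group member could read other members' grades. The membership branch should be narrowed to the user's own rows, along the lines of `Q(effort__group__in=privileged_groups) | Q(effort__group__in=member_groups, <grade-person-field>=info.context.user.person)`, where `<grade-person-field>` stands for whatever relation `Grade` has to a person. This file would also need `from django.db.models import Q`.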
from django.core.exceptions import PermissionDenied
from graphene_django.types import DjangoObjectType from graphene_django.types import DjangoObjectType
from aleksis.core.schema.base import ( from aleksis.core.schema.base import (
...@@ -28,6 +30,12 @@ class GradeSetType( ...@@ -28,6 +30,12 @@ class GradeSetType(
"name": ["icontains", "exact"], "name": ["icontains", "exact"],
} }
@classmethod
def get_queryset(cls, queryset, info):
if info.context.user.has_perm("maka.view_gradesets_rule"):
return queryset
raise PermissionDenied()
class GradeSetBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation): class GradeSetBatchCreateMutation(SharedSecretBatchCreateMixin, BaseBatchCreateMutation):
class Meta: class Meta:
...@@ -64,7 +72,9 @@ class GradeChoiceType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType) ...@@ -64,7 +72,9 @@ class GradeChoiceType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType)
@classmethod @classmethod
def get_queryset(cls, queryset, info): def get_queryset(cls, queryset, info):
return queryset.order_by("order") if info.context.user.has_perm("maka.view_gradechoices_rule"):
return queryset.order_by("order")
raise PermissionDenied()
class GradeChoiceBatchCreateMutation(BaseBatchCreateMutation): class GradeChoiceBatchCreateMutation(BaseBatchCreateMutation):
......
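Review bot: Both `get_queryset` overrides in this file raise `PermissionDenied` instead of returning `queryset.none()`, and nothing records that this is deliberate. graphene-django also calls `get_queryset` for node lookups, so a caller without the rule gets an error on every path that resolves these types. That may include nested fields on objects the caller is otherwise allowed to see, if such relations exist (not visible here). A docstring on each method would make the contract explicit, e.g. `"""Return grade choices ordered by "order"; raise PermissionDenied unless the user holds maka.view_gradechoices_rule."""`. A test for a user with and without the rule would confirm that the rule names checked here are actually registered.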