def wrapper(instance, info, **kwargs):
if info.context.user.is_staff and not kwargs.get('user_id'):
raise PermissionDenied()
elif info.context.user.is_student and kwargs.get('user_id'):
raise PermissionDenied()
elif info.context.user.is_student:
kwargs['user_id'] = info.context.user.id
return method(instance, info, **kwargs)
def resolve_order_exists(info, checkout_token):
user = info.context.user
if user is not None and user.is_authenticated:
return models.Order.objects.filter(
checkout_token=checkout_token).exists()
else:
raise PermissionDenied()
def perform_mutation(cls, _root, info, **data):
if not cls.check_permissions(info.context.user):
raise PermissionDenied()
node_id = data.get("id")
instance = cls.get_node_or_error(info, node_id, Address)
if instance:
cls.clean_instance(info, instance)
db_id = instance.id
# Return the first user that the address is assigned to. There is M2M
# relation between users and addresses, but in most cases address is
# related to only one user.
user = instance.user_addresses.first()
instance.delete()
instance.id = db_id
# Refresh the user instance to clear the default addresses. If the
# deleted address was used as default, it would stay cached in the
# user instance and the invalid ID returned in the response might cause
# an error.
user.refresh_from_db()
response = cls.success_response(instance)
response.user = user
return response
def clean_instance(cls, info, instance):
# Method check_permissions cannot be used for permission check, because
# it doesn't have the address instance.
if not can_edit_address(
info.context.user, instance, check_user_permission=False):
raise PermissionDenied()
return super().clean_instance(info, instance)
def mutate(cls, root, info, **data):
"""Perform model mutation.
Depending on the input data, `mutate` either creates a new instance or
updates an existing one. If `id` arugment is present, it is assumed
that this is an "update" mutation. Otherwise, a new instance is
created based on the model associated with this mutation.
"""
if not cls.user_is_allowed(info.context.user, data):
raise PermissionDenied()
id = data.get('id')
input = data.get('input')
# Initialize the errors list.
errors = []
# Initialize model instance based on presence of `id` attribute.
if id:
model_type = registry.get_type_for_model(cls._meta.model)
instance = get_node(info, id, only_type=model_type)
else:
instance = cls._meta.model()
cleaned_input = cls.clean_input(info, instance, input, errors)
instance = cls.construct_instance(instance, cleaned_input)
cls.clean_instance(instance, errors)
if errors:
return cls(errors=errors)
cls.save(info, instance, cleaned_input)
cls._save_m2m(info, instance, cleaned_input)
return cls.success_response(instance)
def mutate(cls, root, info, **data):
if not cls.user_is_allowed(info.context.user, data):
raise PermissionDenied()
errors = []
node_id = data.get('id')
instance = cls.get_node_or_error(info, node_id, errors, 'id', Address)
if instance:
cls.clean_instance(info, instance, errors)
if errors:
return cls(errors=errors)
db_id = instance.id
# Return the first user that the address is assigned to. There is M2M
# relation between users and addresses, but in most cases address is
# related to only one user.
user = instance.user_addresses.first()
instance.delete()
instance.id = db_id
response = cls.success_response(instance)
# Refresh the user instance to clear the default addresses. If the
# deleted address was used as default, it would stay cached in the
# user instance and the invalid ID returned in the response migt cause
# an error.
user.refresh_from_db()
response.user = user
return response
def private_user_permissions(_info, user_pk: int) -> List[BasePermissionEnum]:
user = account_models.User.objects.filter(pk=user_pk).first()
if not user:
raise PermissionDenied()
if user.is_staff:
return [AccountPermissions.MANAGE_STAFF]
return [AccountPermissions.MANAGE_USERS]
def mutate(cls, root, info, **data):
try:
permissions = cls.get_permissions(info, **data)
except ValidationError as e:
return cls.handle_errors(e)
if not cls.check_permissions(info.context, permissions):
raise PermissionDenied()
return super().mutate(root, info, **data)
def resolve_webhooks(info):
service_account = info.context.service_account
if service_account:
return models.Webhook.objects.filter(service_account=service_account)
user = info.context.user
if not user.has_perm("webhook.manage_webhooks"):
raise PermissionDenied()
return models.Webhook.objects.all()
def mutate(cls, root, info, **data):
if not cls.check_permissions(info.context.user):
raise PermissionDenied()
count, errors = cls.perform_mutation(root, info, **data)
if errors:
errors = validation_error_to_error_type(errors)
return cls(errors=errors, count=count)
def resolve_sample_payload(info, event_name):
service_account = info.context.service_account
required_permission = WebhookEventType.PERMISSIONS.get(event_name)
if service_account and service_account.has_perm(required_permission):
return payloads.generate_sample_payload(event_name)
if info.context.user.has_perm(required_permission):
return payloads.generate_sample_payload(event_name)
raise PermissionDenied()
def mutate(cls, root, info, **data):
if not cls.check_permissions(info.context, **data):
raise PermissionDenied()
try:
return cls.perform_mutation(root, info, **data)
except ValidationError as e:
return cls.handle_errors(e)
def resolve_webhook(info, webhook_id):
service_account = info.context.service_account
if service_account:
_, webhook_id = graphene.Node.from_global_id(webhook_id)
return service_account.webhooks.filter(id=webhook_id).first()
user = info.context.user
if user.has_perm("webhook.manage_webhooks"):
return graphene.Node.get_node_from_global_id(info, webhook_id, Webhook)
raise PermissionDenied()
def resolve_sample_payload(info, event_name):
app = info.context.app
required_permission = WebhookEventType.PERMISSIONS.get(event_name)
if required_permission:
if app and app.has_perm(required_permission):
return payloads.generate_sample_payload(event_name)
if info.context.user.has_perm(required_permission):
return payloads.generate_sample_payload(event_name)
raise PermissionDenied()
def resolve_webhook(info, webhook_id):
app = info.context.app
if app:
_, webhook_id = graphene.Node.from_global_id(webhook_id)
return app.webhooks.filter(id=webhook_id).first()
user = info.context.user
if user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS):
return graphene.Node.get_node_from_global_id(info, webhook_id, Webhook)
raise PermissionDenied()
def mutate(cls, root, info, **data):
if not cls.check_permissions(info.context):
raise PermissionDenied()
count, errors = cls.perform_mutation(root, info, **data)
if errors:
return cls.handle_errors(errors, count=count)
return cls(errors=errors, count=count)
def resolve_address(info, id):
user = info.context.user
app = info.context.app
_model, address_pk = graphene.Node.from_global_id(id)
if app and app.has_perm(AccountPermissions.MANAGE_USERS):
return models.Address.objects.filter(pk=address_pk).first()
if user and not user.is_anonymous:
return user.addresses.filter(id=address_pk).first()
return PermissionDenied()
def resolve_user(root: models.CustomerEvent, info):
user = info.context.user
if (
user == root.user
or user.has_perm("account.manage_users")
or user.has_perm("account.manage_staff")
):
return root.user
raise PermissionDenied()
def resolve_webhooks(info, **_kwargs):
app = info.context.app
if app:
qs = models.Webhook.objects.filter(app=app)
else:
user = info.context.user
if not user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS):
raise PermissionDenied()
qs = models.Webhook.objects.all()
return qs
def resolve_webhooks(info, **_kwargs):
service_account = info.context.service_account
if service_account:
qs = models.Webhook.objects.filter(service_account=service_account)
else:
user = info.context.user
if not user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS):
raise PermissionDenied()
qs = models.Webhook.objects.all()
return qs
def mutate(cls, root, info, **data):
"""Perform a mutation that deletes a model instance."""
if not cls.user_is_allowed(info.context.user, data):
raise PermissionDenied()
id = data.get('id')
model_type = registry.get_type_for_model(cls._meta.model)
instance = get_node(info, id, only_type=model_type)
instance.delete()
return cls.success_response(instance)
def mutate(cls, root, info, **data):
if not cls.check_permissions(info.context):
raise PermissionDenied()
try:
response = cls.perform_mutation(root, info, **data)
if response.errors is None:
response.errors = []
return response
except ValidationError as e:
return cls.handle_errors(e)
def resolve_private_metadata(root: ModelWithMetadata, info):
item_type = resolve_object_with_metadata_type(root)
if not item_type:
raise NotImplementedError(
f"Model {type(root)} can't be mapped to type with metadata. "
"Make sure that model exists inside MODEL_TO_TYPE_MAP.")
get_required_permission = PRIVATE_META_PERMISSION_MAP[item_type.__name__]
if not get_required_permission:
raise PermissionDenied()
required_permission = get_required_permission(info, root.pk)
if not required_permission:
raise PermissionDenied()
requester = get_user_or_app_from_context(info.context)
if not requester.has_perms(required_permission):
raise PermissionDenied()
return resolve_metadata(root.private_metadata)
def resolve_user(info, id):
requester = info.context.user or info.context.service_account
if requester:
_model, user_pk = graphene.Node.from_global_id(id)
if requester.has_perms(
["account.manage_staff", "account.manage_users"]):
return models.User.objects.filter(pk=user_pk).first()
if requester.has_perm("account.manage_staff"):
return models.User.objects.staff().filter(pk=user_pk).first()
if requester.has_perm("account.manage_users"):
return models.User.objects.customers().filter(pk=user_pk).first()
return PermissionDenied()
def perform_mutation(cls, _root, info, checkout_id):
checkout = cls.get_node_or_error(
info, checkout_id, only_type=Checkout, field="checkout_id"
)
# Raise error if the current user doesn't own the checkout of the given ID.
if checkout.user and checkout.user != info.context.user:
raise PermissionDenied()
checkout.user = None
checkout.save(update_fields=["user", "last_change"])
return CheckoutCustomerDetach(checkout=checkout)
def mutate(cls, root, info, **data):
if not cls.check_permissions(info.context.user):
raise PermissionDenied()
try:
response = cls.perform_mutation(root, info, **data)
if response.errors is None:
response.errors = []
return response
except ValidationError as e:
errors = validation_error_to_error_type(e)
return cls(errors=errors)
def perform_mutation(cls, _root, info, **data):
if not cls.check_permissions(info.context.user):
raise PermissionDenied()
user_id = data.get("id")
instance = cls.get_node_or_error(info, user_id, only_type=User)
cls.clean_instance(info, instance)
db_id = instance.id
# After the instance is deleted, set its ID to the original database's
# ID so that the success response contains ID of the deleted object.
instance.id = db_id
return cls.success_response(instance)
def resolve_questions(self, info, omit_answered_questions=False, **kwargs):
if not omit_answered_questions:
return Question.objects.all()
user = info.context.user
if not user.is_authenticated:
raise PermissionDenied()
answered_questions = user.profile.questions()
return Question.objects.all().difference(answered_questions).order_by(
'pk', )
def resolve_user(info, id):
requester = get_user_or_app_from_context(info.context)
if requester:
_model, user_pk = graphene.Node.from_global_id(id)
if requester.has_perms(
[AccountPermissions.MANAGE_STAFF,
AccountPermissions.MANAGE_USERS]):
return models.User.objects.filter(pk=user_pk).first()
if requester.has_perm(AccountPermissions.MANAGE_STAFF):
return models.User.objects.staff().filter(pk=user_pk).first()
if requester.has_perm(AccountPermissions.MANAGE_USERS):
return models.User.objects.customers().filter(pk=user_pk).first()
return PermissionDenied()
def resolve_user(root: models.CustomerEvent, info):
user = info.context.user
if (
user == root.user
<<<<<<< HEAD
or user.has_perm("account.manage_users")
or user.has_perm("account.manage_staff")
=======
or user.has_perm(AccountPermissions.MANAGE_USERS)
or user.has_perm(AccountPermissions.MANAGE_STAFF)
>>>>>>> 3284a2fd2e71c2bf040adcd5a59f0f98f23d901a
):
return root.user
raise PermissionDenied()
