def wrapper(instance, info, **kwargs): if info.context.user.is_staff and not kwargs.get('user_id'): raise PermissionDenied() elif info.context.user.is_student and kwargs.get('user_id'): raise PermissionDenied() elif info.context.user.is_student: kwargs['user_id'] = info.context.user.id return method(instance, info, **kwargs)
def resolve_order_exists(info, checkout_token): user = info.context.user if user is not None and user.is_authenticated: return models.Order.objects.filter( checkout_token=checkout_token).exists() else: raise PermissionDenied()
def perform_mutation(cls, _root, info, **data): if not cls.check_permissions(info.context.user): raise PermissionDenied() node_id = data.get("id") instance = cls.get_node_or_error(info, node_id, Address) if instance: cls.clean_instance(info, instance) db_id = instance.id # Return the first user that the address is assigned to. There is M2M # relation between users and addresses, but in most cases address is # related to only one user. user = instance.user_addresses.first() instance.delete() instance.id = db_id # Refresh the user instance to clear the default addresses. If the # deleted address was used as default, it would stay cached in the # user instance and the invalid ID returned in the response might cause # an error. user.refresh_from_db() response = cls.success_response(instance) response.user = user return response
def clean_instance(cls, info, instance): # Method check_permissions cannot be used for permission check, because # it doesn't have the address instance. if not can_edit_address( info.context.user, instance, check_user_permission=False): raise PermissionDenied() return super().clean_instance(info, instance)
def mutate(cls, root, info, **data): """Perform model mutation. Depending on the input data, `mutate` either creates a new instance or updates an existing one. If `id` arugment is present, it is assumed that this is an "update" mutation. Otherwise, a new instance is created based on the model associated with this mutation. """ if not cls.user_is_allowed(info.context.user, data): raise PermissionDenied() id = data.get('id') input = data.get('input') # Initialize the errors list. errors = [] # Initialize model instance based on presence of `id` attribute. if id: model_type = registry.get_type_for_model(cls._meta.model) instance = get_node(info, id, only_type=model_type) else: instance = cls._meta.model() cleaned_input = cls.clean_input(info, instance, input, errors) instance = cls.construct_instance(instance, cleaned_input) cls.clean_instance(instance, errors) if errors: return cls(errors=errors) cls.save(info, instance, cleaned_input) cls._save_m2m(info, instance, cleaned_input) return cls.success_response(instance)
def mutate(cls, root, info, **data): if not cls.user_is_allowed(info.context.user, data): raise PermissionDenied() errors = [] node_id = data.get('id') instance = cls.get_node_or_error(info, node_id, errors, 'id', Address) if instance: cls.clean_instance(info, instance, errors) if errors: return cls(errors=errors) db_id = instance.id # Return the first user that the address is assigned to. There is M2M # relation between users and addresses, but in most cases address is # related to only one user. user = instance.user_addresses.first() instance.delete() instance.id = db_id response = cls.success_response(instance) # Refresh the user instance to clear the default addresses. If the # deleted address was used as default, it would stay cached in the # user instance and the invalid ID returned in the response migt cause # an error. user.refresh_from_db() response.user = user return response
def private_user_permissions(_info, user_pk: int) -> List[BasePermissionEnum]: user = account_models.User.objects.filter(pk=user_pk).first() if not user: raise PermissionDenied() if user.is_staff: return [AccountPermissions.MANAGE_STAFF] return [AccountPermissions.MANAGE_USERS]
def mutate(cls, root, info, **data): try: permissions = cls.get_permissions(info, **data) except ValidationError as e: return cls.handle_errors(e) if not cls.check_permissions(info.context, permissions): raise PermissionDenied() return super().mutate(root, info, **data)
def resolve_webhooks(info): service_account = info.context.service_account if service_account: return models.Webhook.objects.filter(service_account=service_account) user = info.context.user if not user.has_perm("webhook.manage_webhooks"): raise PermissionDenied() return models.Webhook.objects.all()
def mutate(cls, root, info, **data): if not cls.check_permissions(info.context.user): raise PermissionDenied() count, errors = cls.perform_mutation(root, info, **data) if errors: errors = validation_error_to_error_type(errors) return cls(errors=errors, count=count)
def resolve_sample_payload(info, event_name): service_account = info.context.service_account required_permission = WebhookEventType.PERMISSIONS.get(event_name) if service_account and service_account.has_perm(required_permission): return payloads.generate_sample_payload(event_name) if info.context.user.has_perm(required_permission): return payloads.generate_sample_payload(event_name) raise PermissionDenied()
def mutate(cls, root, info, **data): if not cls.check_permissions(info.context, **data): raise PermissionDenied() try: return cls.perform_mutation(root, info, **data) except ValidationError as e: return cls.handle_errors(e)
def resolve_webhook(info, webhook_id): service_account = info.context.service_account if service_account: _, webhook_id = graphene.Node.from_global_id(webhook_id) return service_account.webhooks.filter(id=webhook_id).first() user = info.context.user if user.has_perm("webhook.manage_webhooks"): return graphene.Node.get_node_from_global_id(info, webhook_id, Webhook) raise PermissionDenied()
def resolve_sample_payload(info, event_name): app = info.context.app required_permission = WebhookEventType.PERMISSIONS.get(event_name) if required_permission: if app and app.has_perm(required_permission): return payloads.generate_sample_payload(event_name) if info.context.user.has_perm(required_permission): return payloads.generate_sample_payload(event_name) raise PermissionDenied()
def resolve_webhook(info, webhook_id): app = info.context.app if app: _, webhook_id = graphene.Node.from_global_id(webhook_id) return app.webhooks.filter(id=webhook_id).first() user = info.context.user if user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS): return graphene.Node.get_node_from_global_id(info, webhook_id, Webhook) raise PermissionDenied()
def mutate(cls, root, info, **data): if not cls.check_permissions(info.context): raise PermissionDenied() count, errors = cls.perform_mutation(root, info, **data) if errors: return cls.handle_errors(errors, count=count) return cls(errors=errors, count=count)
def resolve_address(info, id): user = info.context.user app = info.context.app _model, address_pk = graphene.Node.from_global_id(id) if app and app.has_perm(AccountPermissions.MANAGE_USERS): return models.Address.objects.filter(pk=address_pk).first() if user and not user.is_anonymous: return user.addresses.filter(id=address_pk).first() return PermissionDenied()
def resolve_user(root: models.CustomerEvent, info): user = info.context.user if ( user == root.user or user.has_perm("account.manage_users") or user.has_perm("account.manage_staff") ): return root.user raise PermissionDenied()
def resolve_webhooks(info, **_kwargs): app = info.context.app if app: qs = models.Webhook.objects.filter(app=app) else: user = info.context.user if not user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS): raise PermissionDenied() qs = models.Webhook.objects.all() return qs
def resolve_webhooks(info, **_kwargs): service_account = info.context.service_account if service_account: qs = models.Webhook.objects.filter(service_account=service_account) else: user = info.context.user if not user.has_perm(WebhookPermissions.MANAGE_WEBHOOKS): raise PermissionDenied() qs = models.Webhook.objects.all() return qs
def mutate(cls, root, info, **data): """Perform a mutation that deletes a model instance.""" if not cls.user_is_allowed(info.context.user, data): raise PermissionDenied() id = data.get('id') model_type = registry.get_type_for_model(cls._meta.model) instance = get_node(info, id, only_type=model_type) instance.delete() return cls.success_response(instance)
def mutate(cls, root, info, **data): if not cls.check_permissions(info.context): raise PermissionDenied() try: response = cls.perform_mutation(root, info, **data) if response.errors is None: response.errors = [] return response except ValidationError as e: return cls.handle_errors(e)
def resolve_private_metadata(root: ModelWithMetadata, info): item_type = resolve_object_with_metadata_type(root) if not item_type: raise NotImplementedError( f"Model {type(root)} can't be mapped to type with metadata. " "Make sure that model exists inside MODEL_TO_TYPE_MAP.") get_required_permission = PRIVATE_META_PERMISSION_MAP[item_type.__name__] if not get_required_permission: raise PermissionDenied() required_permission = get_required_permission(info, root.pk) if not required_permission: raise PermissionDenied() requester = get_user_or_app_from_context(info.context) if not requester.has_perms(required_permission): raise PermissionDenied() return resolve_metadata(root.private_metadata)
def resolve_user(info, id): requester = info.context.user or info.context.service_account if requester: _model, user_pk = graphene.Node.from_global_id(id) if requester.has_perms( ["account.manage_staff", "account.manage_users"]): return models.User.objects.filter(pk=user_pk).first() if requester.has_perm("account.manage_staff"): return models.User.objects.staff().filter(pk=user_pk).first() if requester.has_perm("account.manage_users"): return models.User.objects.customers().filter(pk=user_pk).first() return PermissionDenied()
def perform_mutation(cls, _root, info, checkout_id): checkout = cls.get_node_or_error( info, checkout_id, only_type=Checkout, field="checkout_id" ) # Raise error if the current user doesn't own the checkout of the given ID. if checkout.user and checkout.user != info.context.user: raise PermissionDenied() checkout.user = None checkout.save(update_fields=["user", "last_change"]) return CheckoutCustomerDetach(checkout=checkout)
def mutate(cls, root, info, **data): if not cls.check_permissions(info.context.user): raise PermissionDenied() try: response = cls.perform_mutation(root, info, **data) if response.errors is None: response.errors = [] return response except ValidationError as e: errors = validation_error_to_error_type(e) return cls(errors=errors)
def perform_mutation(cls, _root, info, **data): if not cls.check_permissions(info.context.user): raise PermissionDenied() user_id = data.get("id") instance = cls.get_node_or_error(info, user_id, only_type=User) cls.clean_instance(info, instance) db_id = instance.id # After the instance is deleted, set its ID to the original database's # ID so that the success response contains ID of the deleted object. instance.id = db_id return cls.success_response(instance)
def resolve_questions(self, info, omit_answered_questions=False, **kwargs): if not omit_answered_questions: return Question.objects.all() user = info.context.user if not user.is_authenticated: raise PermissionDenied() answered_questions = user.profile.questions() return Question.objects.all().difference(answered_questions).order_by( 'pk', )
def resolve_user(info, id): requester = get_user_or_app_from_context(info.context) if requester: _model, user_pk = graphene.Node.from_global_id(id) if requester.has_perms( [AccountPermissions.MANAGE_STAFF, AccountPermissions.MANAGE_USERS]): return models.User.objects.filter(pk=user_pk).first() if requester.has_perm(AccountPermissions.MANAGE_STAFF): return models.User.objects.staff().filter(pk=user_pk).first() if requester.has_perm(AccountPermissions.MANAGE_USERS): return models.User.objects.customers().filter(pk=user_pk).first() return PermissionDenied()
def resolve_user(root: models.CustomerEvent, info): user = info.context.user if ( user == root.user <<<<<<< HEAD or user.has_perm("account.manage_users") or user.has_perm("account.manage_staff") ======= or user.has_perm(AccountPermissions.MANAGE_USERS) or user.has_perm(AccountPermissions.MANAGE_STAFF) >>>>>>> 3284a2fd2e71c2bf040adcd5a59f0f98f23d901a ): return root.user raise PermissionDenied()