reimplemented security

2019-01-16 21:30:39 -08:00
parent 24b82802a8
commit 583752d740
27 changed files with 52 additions and 61 deletions
--- a/src/clj/auto_ap/graphql/checks.clj
+++ b/src/clj/auto_ap/graphql/checks.clj
@@ -316,7 +316,7 @@
  (let [invoice (d-invoices/get-by-id (:invoice_id args))
        bank-account-id (:bank_account_id args)
        bank-account (d-bank-accounts/get-by-id bank-account-id)
-        _ (assert-can-see-company  (:id context) (:company-id invoice))
+        _ (assert-can-see-company  (:id context) (:invoice/client invoice))
        base-payment (base-payment [invoice] (:invoice/vendor invoice)
                                   (:invoice/client invoice)
                                   bank-account :payment-type/check 0 {(:invoice_id args) (:amount args)})]
--- a/src/clj/auto_ap/graphql/transactions.clj
+++ b/src/clj/auto_ap/graphql/transactions.clj
@@ -8,10 +8,11 @@
            [auto-ap.time :refer [parse normal-date]]))

 (defn get-transaction-page [context args value]
+  (println "TRANSACTION PAGE")
  (let [args (assoc args :id (:id context))
        transactions (map
                  ->graphql
-                  (d-transactions/get-graphql (<-graphql args)))
+                  (d-transactions/get-graphql (doto (<-graphql args) println)))
        transactions-count (d-transactions/count-graphql (<-graphql args))]
    [{:transactions transactions
       :total transactions-count
--- a/src/clj/auto_ap/graphql/utils.clj
+++ b/src/clj/auto_ap/graphql/utils.clj
@@ -8,7 +8,9 @@
  (str/replace s #"_" "-"))

 (defn kebab [x]
-  (keyword (snake->kebab (name x))))
+  (if (qualified-keyword? x)
+    (keyword (snake->kebab (namespace x)) (snake->kebab (name x)) )
+    (keyword (snake->kebab (name x)))))

 (defn kebab->snake [s]
  (str/replace s #"-" "_"))
@@ -42,27 +44,27 @@


 (defn assert-admin [id]
-  (when-not (= "admin" (:role id))
+  (when-not (= "admin" (:user/role id))
    (throw-unauthorized)))

 (defn can-see-company? [identity company]
-  (or (= "admin" (:role identity))
+  (or (= "admin" (:user/role identity))
      ((set (map :db/id (:user/clients identity))) (:db/id company))
      ((set (map :db/id (:user/clients identity))) company)))

 (defn assert-can-see-company [identity company]
  (when-not (can-see-company? identity company)
+    (println "IDENTITY " identity " can not see company " company)
    (throw-unauthorized)))

-;; TODO - the namespaces here are missing because jwt.
 (defn limited-clients [id]
-  (println id)
  (cond
-    (= (:role id) "none")
+    (or 
+    (= (:user/role id) "none"))
    []

-    (= (:role id) "admin")
+    (= (:user/role id) "admin")
    nil

-    (= (:role id) "user")
-    (:clients id [])))
+    (= (:user/role id) "user")
+    (:user/clients id [])))