notid/integreat
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

reimplemented security

Browse Source
This commit is contained in:
Bryce Covert
2019-01-16 21:30:39 -08:00
parent 24b82802a8
commit 583752d740
27 changed files with 52 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
resources/signatures/BellaSaratoga.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
resources/signatures/BrownChickenBrownCow.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
resources/signatures/MamaLus.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
resources/signatures/Moscini.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
resources/signatures/Orale.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
resources/signatures/Robertos.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
resources/signatures/Sorelle.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
resources/signatures/WarmElements.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
resources/signatures/WillowGlen.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

1
src/clj/auto_ap/datomic.clj
View File

@@ -762,3 +762,4 @@
(count (clojure.pprint/pprint (query-payments)))) (count (clojure.pprint/pprint (query-payments))))

4
src/clj/auto_ap/datomic/checks.clj
View File

@@ -1,6 +1,7 @@
(ns auto-ap.datomic.checks (ns auto-ap.datomic.checks
(:require [datomic.api :as d] (:require [datomic.api :as d]
[auto-ap.datomic :refer [uri]] [auto-ap.datomic :refer [uri]]
[auto-ap.graphql.utils :refer [limited-clients]]
[clojure.set :refer [rename-keys]] [clojure.set :refer [rename-keys]]
[clj-time.coerce :as c])) [clj-time.coerce :as c]))
@@ -32,6 +33,9 @@
:where ['[?e :payment/client]]} :where ['[?e :payment/client]]}
:args [(d/db (d/connect uri))]} :args [(d/db (d/connect uri))]}
(limited-clients (:id args)) (add-arg '[?xx ...] (set (map :db/id (limited-clients (:id args))))
'[?e :payment/client ?xx])
(:client-id args) (add-arg '?client-id (:client-id args) (:client-id args) (add-arg '?client-id (:client-id args)
'[?e :payment/client ?client-id]) '[?e :payment/client ?client-id])
(:original-id args) (add-arg '?original-id (cond-> (:original-id args) (string? (:original-id args)) Long/parseLong ) (:original-id args) (add-arg '?original-id (cond-> (:original-id args) (string? (:original-id args)) Long/parseLong )

2
src/clj/auto_ap/datomic/invoices.clj
View File

@@ -35,7 +35,7 @@
:where ['[?e :invoice/invoice-number]]} :where ['[?e :invoice/invoice-number]]}
:args [(d/db (d/connect uri))]} :args [(d/db (d/connect uri))]}
(limited-clients (:id args)) (add-arg '[?xx ...] (set (map :id (limited-clients (:id args)))) (limited-clients (:id args)) (add-arg '[?xx ...] (set (map :db/id (limited-clients (:id args))))
'[?e :invoice/client ?xx]) '[?e :invoice/client ?xx])
(:client-id args) (add-arg '?client-id (:client-id args) (:client-id args) (add-arg '?client-id (:client-id args)
'[?e :invoice/client ?client-id]) '[?e :invoice/client ?client-id])

3
src/clj/auto_ap/datomic/transactions.clj
View File

@@ -1,6 +1,7 @@
(ns auto-ap.datomic.transactions (ns auto-ap.datomic.transactions
(:require [datomic.api :as d] (:require [datomic.api :as d]
[auto-ap.datomic :refer [uri]] [auto-ap.datomic :refer [uri]]
[auto-ap.graphql.utils :refer [limited-clients]]
[clj-time.coerce :as c])) [clj-time.coerce :as c]))
(defn add-arg [query name value where & rest] (defn add-arg [query name value where & rest]
@@ -19,6 +20,8 @@
:where ['[?e :transaction/id]]} :where ['[?e :transaction/id]]}
:args [(d/db (d/connect uri))]} :args [(d/db (d/connect uri))]}
(limited-clients (:id args)) (add-arg '[?xx ...] (set (map :db/id (limited-clients (:id args))))
'[?e :transaction/client ?xx])
(:client-id args) (add-arg '?client-id (:client-id args) (:client-id args) (add-arg '?client-id (:client-id args)
'[?e :transaction/client ?client-id]) '[?e :transaction/client ?client-id])
(:original-id args) (add-arg '?original-id (cond-> (:original-id args) (string? (:original-id args)) Long/parseLong ) (:original-id args) (add-arg '?original-id (cond-> (:original-id args) (string? (:original-id args)) Long/parseLong )

2
src/clj/auto_ap/db/checks.clj
View File

@@ -1,5 +1,5 @@
(ns auto-ap.db.checks (ns auto-ap.db.checks
(:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute! limited-companies] :as u] (:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute!] :as u]
[auto-ap.entities.companies :as entity] [auto-ap.entities.companies :as entity]
[clojure.edn :as edn] [clojure.edn :as edn]
[clojure.java.jdbc :as j] [clojure.java.jdbc :as j]

2
src/clj/auto_ap/db/invoices.clj
View File

@@ -1,5 +1,5 @@
(ns auto-ap.db.invoices (ns auto-ap.db.invoices
(:require [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query limited-companies] :as utils] (:require [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query] :as utils]
[auto-ap.parse :as parse] [auto-ap.parse :as parse]
[auto-ap.db.companies :as companies] [auto-ap.db.companies :as companies]
[auto-ap.db.invoices-checks :as invoices-checks] [auto-ap.db.invoices-checks :as invoices-checks]

2
src/clj/auto_ap/db/transactions.clj
View File

@@ -4,7 +4,7 @@
[honeysql.helpers :as helpers] [honeysql.helpers :as helpers]
[honeysql-postgres.format :as postgres-format] [honeysql-postgres.format :as postgres-format]
[honeysql-postgres.helpers :as postgres-helpers] [honeysql-postgres.helpers :as postgres-helpers]
[auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query limited-companies] :as utils])) [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query] :as utils]))
(def base-query (sql/build :select :* (def base-query (sql/build :select :*
:from :transactions)) :from :transactions))

11
src/clj/auto_ap/db/utils.clj
View File

@@ -68,14 +68,3 @@
(let [formatted (sql/format q)] (let [formatted (sql/format q)]
(println "Executing query " q " SQL: " formatted) (println "Executing query " q " SQL: " formatted)
(j/execute! (get-conn) formatted))) (j/execute! (get-conn) formatted)))
(defn limited-companies [id]
(cond
(= (:role id) "none")
[]
(= (:role id) "admin")
nil
(= (:role id) "user")
(:companies id [])))

14
src/clj/auto_ap/graphql.clj
View File

@@ -402,21 +402,7 @@
:limit Integer/MAX_VALUE)))) :limit Integer/MAX_VALUE))))
(defn get-company [context args value] (defn get-company [context args value]
(println "user " (:id context))
(->graphql (->graphql
(filter #(can-see-company? (:id context) %) (filter #(can-see-company? (:id context) %)
(d-clients/get-all)))) (d-clients/get-all))))

2
src/clj/auto_ap/graphql/checks.clj
View File

@@ -316,7 +316,7 @@
(let [invoice (d-invoices/get-by-id (:invoice_id args)) (let [invoice (d-invoices/get-by-id (:invoice_id args))
bank-account-id (:bank_account_id args) bank-account-id (:bank_account_id args)
bank-account (d-bank-accounts/get-by-id bank-account-id) bank-account (d-bank-accounts/get-by-id bank-account-id)
_ (assert-can-see-company (:id context) (:company-id invoice)) _ (assert-can-see-company (:id context) (:invoice/client invoice))
base-payment (base-payment [invoice] (:invoice/vendor invoice) base-payment (base-payment [invoice] (:invoice/vendor invoice)
(:invoice/client invoice) (:invoice/client invoice)
bank-account :payment-type/check 0 {(:invoice_id args) (:amount args)})] bank-account :payment-type/check 0 {(:invoice_id args) (:amount args)})]

3
src/clj/auto_ap/graphql/transactions.clj
View File

@@ -8,10 +8,11 @@
[auto-ap.time :refer [parse normal-date]])) [auto-ap.time :refer [parse normal-date]]))
(defn get-transaction-page [context args value] (defn get-transaction-page [context args value]
(println "TRANSACTION PAGE")
(let [args (assoc args :id (:id context)) (let [args (assoc args :id (:id context))
transactions (map transactions (map
->graphql ->graphql
(d-transactions/get-graphql (<-graphql args))) (d-transactions/get-graphql (doto (<-graphql args) println)))
transactions-count (d-transactions/count-graphql (<-graphql args))] transactions-count (d-transactions/count-graphql (<-graphql args))]
[{:transactions transactions [{:transactions transactions
:total transactions-count :total transactions-count

20
src/clj/auto_ap/graphql/utils.clj
View File

@@ -8,7 +8,9 @@
(str/replace s #"_" "-")) (str/replace s #"_" "-"))
(defn kebab [x] (defn kebab [x]
(keyword (snake->kebab (name x)))) (if (qualified-keyword? x)
(keyword (snake->kebab (namespace x)) (snake->kebab (name x)) )
(keyword (snake->kebab (name x)))))
(defn kebab->snake [s] (defn kebab->snake [s]
(str/replace s #"-" "_")) (str/replace s #"-" "_"))
@@ -42,27 +44,27 @@
(defn assert-admin [id] (defn assert-admin [id]
(when-not (= "admin" (:role id)) (when-not (= "admin" (:user/role id))
(throw-unauthorized))) (throw-unauthorized)))
(defn can-see-company? [identity company] (defn can-see-company? [identity company]
(or (= "admin" (:role identity)) (or (= "admin" (:user/role identity))
((set (map :db/id (:user/clients identity))) (:db/id company)) ((set (map :db/id (:user/clients identity))) (:db/id company))
((set (map :db/id (:user/clients identity))) company))) ((set (map :db/id (:user/clients identity))) company)))
(defn assert-can-see-company [identity company] (defn assert-can-see-company [identity company]
(when-not (can-see-company? identity company) (when-not (can-see-company? identity company)
(println "IDENTITY " identity " can not see company " company)
(throw-unauthorized))) (throw-unauthorized)))
;; TODO - the namespaces here are missing because jwt.
(defn limited-clients [id] (defn limited-clients [id]
(println id)
(cond (cond
(= (:role id) "none") (or
(= (:user/role id) "none"))
[] []
(= (:role id) "admin") (= (:user/role id) "admin")
nil nil
(= (:role id) "user") (= (:user/role id) "user")
(:clients id []))) (:user/clients id [])))

5
src/clj/auto_ap/routes/auth.clj
View File

@@ -39,7 +39,10 @@
{:status 301 {:status 301
:headers {"Location" (str "/?jwt=" (jwt/sign {:user (:name profile) :headers {"Location" (str "/?jwt=" (jwt/sign {:user (:name profile)
:exp (time/plus (time/now) (time/days 7)) :exp (time/plus (time/now) (time/days 7))
:user/clients (:user/clients user) :user/clients (map (fn [c]
(dissoc c :client/bank-accounts )
)
(:user/clients user))
:user/role (name (:user/role user)) :user/role (name (:user/role user))
:user/name (:name profile)} :user/name (:name profile)}
(:jwt-secret env) (:jwt-secret env)

2
src/clj/auto_ap/routes/graphql.clj
View File

@@ -11,7 +11,7 @@
(wrap-routes (wrap-routes
(context "/graphql" [] (context "/graphql" []
(GET "/" {:keys [query-params] :as r} (GET "/" {:keys [query-params] :as r}
(when (= "none" (:role (:identity r))) (when (= "none" (:user/role (:identity r)))
(throw-unauthorized)) (throw-unauthorized))
(try (try

1
src/clj/auto_ap/routes/invoices.clj
View File

@@ -165,6 +165,7 @@
(map (parse-or-error :client-id parse-client-id)) (map (parse-or-error :client-id parse-client-id))
(map (parse-or-error :date parse-date))) (map (parse-or-error :date parse-date)))
error-rows (filter :errors rows) error-rows (filter :errors rows)
_ (println "importing raw transactions" rows)
raw-transactions (vec (->> rows raw-transactions (vec (->> rows
(filter #(not (seq (:errors %))) ) (filter #(not (seq (:errors %))) )

34
src/clj/auto_ap/yodlee/import.clj
View File

@@ -68,23 +68,23 @@
(try (try
(when client-id (when client-id
@(->> [(remove-nils #:transaction @(->> [(remove-nils #:transaction
{:post-date (time/parse post-date "YYYY-MM-dd") {:post-date (time/parse post-date "YYYY-MM-dd")
:id (sha-256 (str id)) :id (sha-256 (str id))
:account-id account-id :account-id account-id
:date (coerce/to-date (time/parse date "YYYY-MM-dd")) :date (coerce/to-date (time/parse date "YYYY-MM-dd"))
:amount amount :amount amount
:description-original description-original :description-original description-original
:description-simple description-simple :description-simple description-simple
:type type :type type
:status status :status status
:client client-id :client client-id
:check-number check-number :check-number check-number
:bank-account (transaction->bank-account-id transaction) :bank-account (transaction->bank-account-id transaction)
:payment (when check-id :payment (when check-id
{:db/id check-id {:db/id check-id
:payment/status :payment-status/cleared} :payment/status :payment-status/cleared}
) )
})] })]
(d/transact (d/connect uri)))) (d/transact (d/connect uri))))

3
src/cljs/auto_ap/views/main.cljs
View File

@@ -42,7 +42,7 @@
[:a {:class "navbar-link login" :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} (:user/name @user)] [:a {:class "navbar-link login" :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} (:user/name @user)]
[:div {:class "navbar-dropdown"} [:div {:class "navbar-dropdown"}
[:a {:class "navbar-item"} "My profile"] [:a {:class "navbar-item"} "My profile"]
(when (= "admin" (:role @user)) (when (= "admin" (:user/role @user))
[:a {:class "navbar-item" :href (bidi/path-for routes/routes :admin) [:a {:class "navbar-item" :href (bidi/path-for routes/routes :admin)
:on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} "Administration"]) :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} "Administration"])
[:hr {:class "navbar-divider"}] [:hr {:class "navbar-divider"}]
@@ -55,6 +55,7 @@
(let [company (re-frame/subscribe [::subs/company]) (let [company (re-frame/subscribe [::subs/company])
companies (re-frame/subscribe [::subs/companies]) companies (re-frame/subscribe [::subs/companies])
menu (re-frame/subscribe [::subs/menu])] menu (re-frame/subscribe [::subs/menu])]
[:div [:div
[:nav {:class "navbar has-shadow"} [:nav {:class "navbar has-shadow"}
[:div {:class "container"} [:div {:class "container"}

2
src/cljs/auto_ap/views/pages/transactions.cljs
View File

@@ -206,7 +206,7 @@
[:div [:div
[:h1.title "Transactions"] [:h1.title "Transactions"]
(when (= "admin" (:role user)) (when (= "admin" (:user/role user))
(list (list
(when (:message @notification) (when (:message @notification)