graphql mutations are locked by user type.

2018-07-10 22:13:53 -07:00
parent e0ba9395ef
commit 9189c820d7
5 changed files with 26 additions and 11 deletions
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -8,6 +8,7 @@
    [buddy.auth :refer [throw-unauthorized]]
    [auto-ap.db.invoices :as invoices]
    [auto-ap.utils :refer [by]]
+    [auto-ap.graphql.utils :refer [assert-admin can-see-company? assert-can-see-company]]
    [auto-ap.db.vendors :as vendors]
    [auto-ap.db.companies :as companies]
    [auto-ap.db.users :as users]
@@ -282,7 +283,6 @@
                            :resolve :mutation/edit-expense-accounts}}})


-
 (defn snake->kebab [s]
  (str/replace s #"_" "-"))

@@ -337,9 +337,6 @@
        :start (:start args 0)
        :end (+ (:start args 0) (count invoices))}] extra-context)))

-(defn assert-admin [id]
-  (when-not (= "admin" (:role id))
-    (throw-unauthorized)))

 (defn get-all-invoices [context args value]
  (assert-admin (:id context))
@@ -426,9 +423,7 @@
      (map company-cache (:companies value))
      (map companies/get-by-id (:companies value)))))

-(defn can-see-company? [identity company]
-  (or (= "admin" (:role identity))
-      ((set (:companies identity)) (:id company))))
+

 (defn get-company [context args value]
  (->graphql
@@ -443,7 +438,7 @@
     users)))

 (defn get-user [context args value]
-  (assert-admin)
+  (assert-admin (:id context))

  (let [
        users (users/get-all)
@@ -458,6 +453,8 @@
   (vendors/get-all)))

 (defn print-checks [context args value]
+  
+  (assert-can-see-company (:id context) (:company_id args))
  (->graphql
   (rchecks/print-checks (map (fn [i] {:invoice-id (:invoice_id i)
                                      :amount (:amount i)})
--- a/src/clj/auto_ap/graphql/checks.clj
+++ b/src/clj/auto_ap/graphql/checks.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.graphql.checks
-  (:require [auto-ap.graphql.utils :refer [->graphql <-graphql]]
+  (:require [auto-ap.graphql.utils :refer [->graphql <-graphql assert-can-see-company]]

            [com.walmartlabs.lacinia :refer [execute]]
            [com.walmartlabs.lacinia.executor :as executor]
@@ -44,6 +44,7 @@

 (defn add-handwritten-check [context args value]
  (let [invoice (invoices/get-by-id (:invoice_id args))
+        _ (assert-can-see-company  (:id context) (:company-id invoice))
        check (checks/insert! {:s3-uuid nil
                               :s3-key nil 
                               :s3-url nil
--- a/src/clj/auto_ap/graphql/invoices.clj
+++ b/src/clj/auto_ap/graphql/invoices.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.graphql.invoices
-  (:require [auto-ap.graphql.utils :refer [->graphql]]
+  (:require [auto-ap.graphql.utils :refer [->graphql assert-can-see-company]]
            [auto-ap.db.invoices :as invoices]
            [auto-ap.db.vendors :as vendors]
            [auto-ap.db.companies :as companies]
@@ -13,6 +13,7 @@

 (defn add-invoice [context {{:keys [total invoice_number company_id vendor_id vendor_name date] :as in} :invoice} value]
  (let [vendor (-create-or-get-vendor vendor_id vendor_name)
+        _ (assert-can-see-company (:id context) company_id)
        company (companies/get-by-id company_id)

        [invoice] (invoices/insert-multi! [{:invoice-number invoice_number
@@ -37,6 +38,7 @@
   (invoices-expense-accounts/get-for-invoice (:id value))))

 (defn edit-expense-accounts [context args value]
+  (assert-can-see-company (:id context) (:company-id (invoices/get-by-id (:invoice_id args))))
  (invoices-expense-accounts/replace-for-invoice (:invoice_id args) (map (fn [{:keys [id expense_account_id amount location]}]
                                                                           {
                                                                            :expense-account-id expense_account_id
--- a/src/clj/auto_ap/graphql/users.clj
+++ b/src/clj/auto_ap/graphql/users.clj
@@ -1,8 +1,9 @@
 (ns auto-ap.graphql.users
  (:require [auto-ap.db.users :as users]
-            [auto-ap.graphql.utils :refer [->graphql]])) 
+            [auto-ap.graphql.utils :refer [->graphql assert-admin]])) 

 (defn edit-user [context args value]
+  (assert-admin (:id context))
  (users/update! (:edit_user args))
  (->graphql
   (users/get-by-id (:id (:edit_user args)))))
--- a/src/clj/auto_ap/graphql/utils.clj
+++ b/src/clj/auto_ap/graphql/utils.clj
@@ -1,5 +1,6 @@
 (ns auto-ap.graphql.utils
  (:require [clojure.string :as str]
+            [buddy.auth :refer [throw-unauthorized]]
            [clojure.walk :as walk]))


@@ -38,3 +39,16 @@
        :else
        node))
    m))
+
+
+(defn assert-admin [id]
+  (when-not (= "admin" (:role id))
+    (throw-unauthorized)))
+
+(defn can-see-company? [identity company]
+  (or (= "admin" (:role identity))
+      ((set (:companies identity)) (:id company))))
+
+(defn assert-can-see-company [identity company]
+  (when-not (can-see-company? identity company)
+    (throw-unauthorized)))