graphql mutations are locked by user type.
@@ -8,6 +8,7 @@
|
|||||||
[buddy.auth :refer [throw-unauthorized]]
|
[buddy.auth :refer [throw-unauthorized]]
|
||||||
[auto-ap.db.invoices :as invoices]
|
[auto-ap.db.invoices :as invoices]
|
||||||
[auto-ap.utils :refer [by]]
|
[auto-ap.utils :refer [by]]
|
||||||
|
[auto-ap.graphql.utils :refer [assert-admin can-see-company? assert-can-see-company]]
|
||||||
[auto-ap.db.vendors :as vendors]
|
[auto-ap.db.vendors :as vendors]
|
||||||
[auto-ap.db.companies :as companies]
|
[auto-ap.db.companies :as companies]
|
||||||
[auto-ap.db.users :as users]
|
[auto-ap.db.users :as users]
|
||||||
@@ -282,7 +283,6 @@
|
|||||||
:resolve :mutation/edit-expense-accounts}}})
|
:resolve :mutation/edit-expense-accounts}}})
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
(defn snake->kebab [s]
|
(defn snake->kebab [s]
|
||||||
(str/replace s #"_" "-"))
|
(str/replace s #"_" "-"))
|
||||||
|
|
||||||
@@ -337,9 +337,6 @@
|
|||||||
:start (:start args 0)
|
:start (:start args 0)
|
||||||
:end (+ (:start args 0) (count invoices))}] extra-context)))
|
:end (+ (:start args 0) (count invoices))}] extra-context)))
|
||||||
|
|
||||||
(defn assert-admin [id]
|
|
||||||
(when-not (= "admin" (:role id))
|
|
||||||
(throw-unauthorized)))
|
|
||||||
|
|
||||||
(defn get-all-invoices [context args value]
|
(defn get-all-invoices [context args value]
|
||||||
(assert-admin (:id context))
|
(assert-admin (:id context))
|
||||||
@@ -426,9 +423,7 @@
|
|||||||
(map company-cache (:companies value))
|
(map company-cache (:companies value))
|
||||||
(map companies/get-by-id (:companies value)))))
|
(map companies/get-by-id (:companies value)))))
|
||||||
|
|
||||||
(defn can-see-company? [identity company]
|
|
||||||
(or (= "admin" (:role identity))
|
|
||||||
((set (:companies identity)) (:id company))))
|
|
||||||
|
|
||||||
(defn get-company [context args value]
|
(defn get-company [context args value]
|
||||||
(->graphql
|
(->graphql
|
||||||
@@ -443,7 +438,7 @@
|
|||||||
users)))
|
users)))
|
||||||
|
|
||||||
(defn get-user [context args value]
|
(defn get-user [context args value]
|
||||||
(assert-admin)
|
(assert-admin (:id context))
|
||||||
|
|
||||||
(let [
|
(let [
|
||||||
users (users/get-all)
|
users (users/get-all)
|
||||||
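Review bot: The old call `(assert-admin)` had the wrong arity, so before this change get-user presumably failed with an ArityException (a server error) rather than an unauthorized response, and nothing on the page shows a test pinning the corrected behaviour. Add a regression test that a non-admin identity makes get-user throw-unauthorized and that an admin identity gets the user list back. The let body continues outside the hunk.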
@@ -458,6 +453,8 @@
|
|||||||
(vendors/get-all)))
|
(vendors/get-all)))
|
||||||
|
|
||||||
(defn print-checks [context args value]
|
(defn print-checks [context args value]
|
||||||
|
|
||||||
|
(assert-can-see-company (:id context) (:company_id args))
|
||||||
(->graphql
|
(->graphql
|
||||||
(rchecks/print-checks (map (fn [i] {:invoice-id (:invoice_id i)
|
(rchecks/print-checks (map (fn [i] {:invoice-id (:invoice_id i)
|
||||||
:amount (:amount i)})
|
:amount (:amount i)})
|
||||||
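Review bot: `assert-can-see-company` is handed a bare id here (`(:company_id args)`), but per its definition in the utils hunk it checks `(:id company)`, so for a non-admin the lookup is `(:id <number>)`, which is nil, and the call always throws; only admins get through. The same id-for-map mismatch is in add-handwritten-check (`(:company-id invoice)`), add-invoice (`company_id`) and edit-expense-accounts (`(:company-id (invoices/get-by-id …))`). It fails closed, so it is not an exposure, but it silently disables these mutations for company users; either pass the company map, e.g. `(assert-can-see-company (:id context) (companies/get-by-id (:company_id args)))`, or make the helper accept an id. Separately, this check authorizes the caller-supplied company_id rather than the invoices actually printed (the `:invoice_id` of each mapped item), so deriving the company from each invoice, as edit-expense-accounts does, would bind the check to the data being acted on. print-checks continues past the end of the hunk.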
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
(ns auto-ap.graphql.checks
|
(ns auto-ap.graphql.checks
|
||||||
(:require [auto-ap.graphql.utils :refer [->graphql <-graphql]]
|
(:require [auto-ap.graphql.utils :refer [->graphql <-graphql assert-can-see-company]]
|
||||||
|
|
||||||
[com.walmartlabs.lacinia :refer [execute]]
|
[com.walmartlabs.lacinia :refer [execute]]
|
||||||
[com.walmartlabs.lacinia.executor :as executor]
|
[com.walmartlabs.lacinia.executor :as executor]
|
||||||
@@ -44,6 +44,7 @@
|
|||||||
|
|
||||||
(defn add-handwritten-check [context args value]
|
(defn add-handwritten-check [context args value]
|
||||||
(let [invoice (invoices/get-by-id (:invoice_id args))
|
(let [invoice (invoices/get-by-id (:invoice_id args))
|
||||||
|
_ (assert-can-see-company (:id context) (:company-id invoice))
|
||||||
check (checks/insert! {:s3-uuid nil
|
check (checks/insert! {:s3-uuid nil
|
||||||
:s3-key nil
|
:s3-key nil
|
||||||
:s3-url nil
|
:s3-url nil
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
(ns auto-ap.graphql.invoices
|
(ns auto-ap.graphql.invoices
|
||||||
(:require [auto-ap.graphql.utils :refer [->graphql]]
|
(:require [auto-ap.graphql.utils :refer [->graphql assert-can-see-company]]
|
||||||
[auto-ap.db.invoices :as invoices]
|
[auto-ap.db.invoices :as invoices]
|
||||||
[auto-ap.db.vendors :as vendors]
|
[auto-ap.db.vendors :as vendors]
|
||||||
[auto-ap.db.companies :as companies]
|
[auto-ap.db.companies :as companies]
|
||||||
@@ -13,6 +13,7 @@
|
|||||||
|
|
||||||
(defn add-invoice [context {{:keys [total invoice_number company_id vendor_id vendor_name date] :as in} :invoice} value]
|
(defn add-invoice [context {{:keys [total invoice_number company_id vendor_id vendor_name date] :as in} :invoice} value]
|
||||||
(let [vendor (-create-or-get-vendor vendor_id vendor_name)
|
(let [vendor (-create-or-get-vendor vendor_id vendor_name)
|
||||||
|
_ (assert-can-see-company (:id context) company_id)
|
||||||
company (companies/get-by-id company_id)
|
company (companies/get-by-id company_id)
|
||||||
|
|
||||||
[invoice] (invoices/insert-multi! [{:invoice-number invoice_number
|
[invoice] (invoices/insert-multi! [{:invoice-number invoice_number
|
||||||
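Review bot: The authorization check runs after `-create-or-get-vendor`, so a caller who is not allowed to see `company_id` can still create a vendor row before `assert-can-see-company` throws. Bind `company` first and assert on it, then create the vendor: `(let [company (companies/get-by-id company_id)` / `_ (assert-can-see-company (:id context) company)` / `vendor (-create-or-get-vendor vendor_id vendor_name)`. Passing the map also matches what the helper inspects (`(:id company)`), whereas the added line passes the bare `company_id`, which that lookup cannot resolve. The let continues outside the hunk.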
@@ -37,6 +38,7 @@
|
|||||||
(invoices-expense-accounts/get-for-invoice (:id value))))
|
(invoices-expense-accounts/get-for-invoice (:id value))))
|
||||||
|
|
||||||
(defn edit-expense-accounts [context args value]
|
(defn edit-expense-accounts [context args value]
|
||||||
|
(assert-can-see-company (:id context) (:company-id (invoices/get-by-id (:invoice_id args))))
|
||||||
(invoices-expense-accounts/replace-for-invoice (:invoice_id args) (map (fn [{:keys [id expense_account_id amount location]}]
|
(invoices-expense-accounts/replace-for-invoice (:invoice_id args) (map (fn [{:keys [id expense_account_id amount location]}]
|
||||||
{
|
{
|
||||||
:expense-account-id expense_account_id
|
:expense-account-id expense_account_id
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
(ns auto-ap.graphql.users
|
(ns auto-ap.graphql.users
|
||||||
(:require [auto-ap.db.users :as users]
|
(:require [auto-ap.db.users :as users]
|
||||||
[auto-ap.graphql.utils :refer [->graphql]]))
|
[auto-ap.graphql.utils :refer [->graphql assert-admin]]))
|
||||||
|
|
||||||
(defn edit-user [context args value]
|
(defn edit-user [context args value]
|
||||||
|
(assert-admin (:id context))
|
||||||
(users/update! (:edit_user args))
|
(users/update! (:edit_user args))
|
||||||
(->graphql
|
(->graphql
|
||||||
(users/get-by-id (:id (:edit_user args)))))
|
(users/get-by-id (:id (:edit_user args)))))
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
(ns auto-ap.graphql.utils
|
(ns auto-ap.graphql.utils
|
||||||
(:require [clojure.string :as str]
|
(:require [clojure.string :as str]
|
||||||
|
[buddy.auth :refer [throw-unauthorized]]
|
||||||
[clojure.walk :as walk]))
|
[clojure.walk :as walk]))
|
||||||
|
|
||||||
|
|
||||||
@@ -38,3 +39,16 @@
|
|||||||
:else
|
:else
|
||||||
node))
|
node))
|
||||||
m))
|
m))
|
||||||
|
|
||||||
|
|
||||||
|
(defn assert-admin [id]
|
||||||
|
(when-not (= "admin" (:role id))
|
||||||
|
(throw-unauthorized)))
|
||||||
|
|
||||||
|
(defn can-see-company? [identity company]
|
||||||
|
(or (= "admin" (:role identity))
|
||||||
|
((set (:companies identity)) (:id company))))
|
||||||
|
|
||||||
|
(defn assert-can-see-company [identity company]
|
||||||
|
(when-not (can-see-company? identity company)
|
||||||
|
(throw-unauthorized)))
|
||||||
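Review bot: The three new functions have no docstrings, and the argument shapes they rely on are not obvious from the call sites: `can-see-company?` looks up `(:id company)`, so `company` must be a map, while `identity` is read for `:role` and `:companies`. Add docstrings such as `"Throws unauthorized unless identity (a map with :role) has role \"admin\"."` for assert-admin and `"True when identity is an admin or (:id company) is in (:companies identity); company is a map, not an id."` for can-see-company?. The `"admin"` comparison is now duplicated between assert-admin and can-see-company?; factoring it into one `admin?` predicate called from both keeps the role name in one place. Both guards fail closed on a nil identity (`(:role nil)` is nil), which is worth stating in the docstrings.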
|
|||||||