From b1cbd2c854e0f2c8a02ea03233955f6cae8cd69a Mon Sep 17 00:00:00 2001
From: BC
Date: Tue, 10 Jul 2018 22:34:58 -0700
Subject: [PATCH] permissions for rest endpoints.
---
 src/clj/auto_ap/routes/checks.clj | 33 ++--------------------------
 src/clj/auto_ap/routes/companies.clj | 4 +++-
 src/clj/auto_ap/routes/exports.clj | 13 +++++++----
 src/clj/auto_ap/routes/invoices.clj | 31 ++++----------------------
 src/clj/auto_ap/routes/reminders.clj | 4 +++-
 src/clj/auto_ap/routes/vendors.clj | 3 +++
 6 files changed, 24 insertions(+), 64 deletions(-)
diff --git a/src/clj/auto_ap/routes/checks.clj b/src/clj/auto_ap/routes/checks.clj
index e70de96e..e6688721 100644
--- a/src/clj/auto_ap/routes/checks.clj
+++ b/src/clj/auto_ap/routes/checks.clj
@@ -2,6 +2,7 @@
 (:require [auto-ap.db.companies :as companies]
 [auto-ap.db.vendors :as vendors]
 [auto-ap.db.invoices :as invoices]
+ [auto-ap.graphql.utils :refer [assert-can-see-company]]
 [auto-ap.utils :refer [by]]
 [auto-ap.numeric :refer [num->words]]
 [auto-ap.db.checks :as checks]
@@ -230,35 +231,5 @@
 
 (defroutes routes
 (wrap-routes
- (context "/checks" []
- (POST "/" {:keys [edn-params]}
- (let [invoices (invoices/get-multi (:invoice-ids edn-params))
- companies (into {}
- (map (fn [c] [(:id c) c])
- (companies/get-all)))
- vendors (into {}
- (map (fn [v] [(:id v) v])
- (vendors/get-all)))
- invoices-grouped-by-vendor (group-by :vendor-id invoices)
- checks (-> (for [[vendor-id invoices] invoices-grouped-by-vendor]
- [invoices (checks/insert! (check-for-invoices invoices vendor-id vendors companies))])
- doall)
- invoice-checks (invoices-checks/insert-multi!
- (mapcat
- (fn [[invoices check]]
- (map
- (fn [i]
- {:invoice-id (:id i)
- :check-id (:id check)
- :amount (:total i)})
- invoices))
- checks)) ]
-
- (make-pdfs (map second checks))
-
- {:status 200
- :body (pr-str {:url (merge-pdfs (map (comp :s3-key second) checks))
- :checks checks
- :invoice-checks invoice-checks})
- :headers {"Content-Type" "application/edn"}})))
+ (context "/checks" [])
 wrap-secure))
diff --git a/src/clj/auto_ap/routes/companies.clj b/src/clj/auto_ap/routes/companies.clj
index 866b4130..8a45b089 100644
--- a/src/clj/auto_ap/routes/companies.clj
+++ b/src/clj/auto_ap/routes/companies.clj
@@ -1,5 +1,6 @@
 (ns auto-ap.routes.companies
 (:require [auto-ap.db.companies :as companies]
+ [auto-ap.graphql.utils :refer [can-see-company? assert-can-see-company]]
 [auto-ap.routes.utils :refer [wrap-secure wrap-spec]]
 [auto-ap.entities.companies :as entity]
 [compojure.core :refer [GET PUT context defroutes
@@ -11,10 +12,11 @@
 (context "/companies" []
 (GET "/" r
 {:status 200
- :body (pr-str (companies/get-all))
+ :body (pr-str (filter #(can-see-company? (:identity r) (:id %)) (companies/get-all)))
 :headers {"Content-Type" "application/edn"}})
 (wrap-spec
 (PUT "/:id" {:keys [edn-params] {:keys [id]} :route-params :as r}
+ (assert-can-see-company (:identity r) id)
 {:status 200
 :body (pr-str (companies/upsert id edn-params))
 :headers {"Content-Type" "application/edn"}})
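Review bot: `assert-can-see-company`, which the first hunk of this file adds to the require block, is never used once this hunk deletes the `POST "/"` handler and leaves `(context "/checks" [])` with no routes, so the refer is dead and check creation is removed rather than gated. If removal is intended, drop the refer and confirm whether `check-for-invoices`, `make-pdfs` and `merge-pdfs` (defined outside the hunk) still have any caller. If the endpoint is meant to return later, its handler needs the caller bound (`{:keys [edn-params identity]}`) and a company check on each invoice returned by `invoices/get-multi` before `checks/insert!` runs, because the deleted code took `:invoice-ids` straight from the request body and inserted checks for them with no ownership check.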
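Review bot: In the `PUT "/:id"` handler the `id` passed to `assert-can-see-company` is the raw route param, which is a string unless something upstream coerces it, while the GET above compares against `(:id %)` taken from the database; reminders.clj and vendors.clj in this same patch coerce with `(if (int? id) id (Integer/parseInt id))`, so do the same here before the check, e.g. `(assert-can-see-company (:identity r) (if (int? id) id (Integer/parseInt id)))`, otherwise the comparison may succeed or fail on type rather than on membership. There is also a policy asymmetry with vendors.clj, where the equivalent upsert is gated by `assert-admin`: here a read predicate (`can-see-company?`) authorises a write, so confirm that a non-admin who can see a company is meant to edit it. The per-company filter on GET is fine; a one-line comment such as `;; visible companies only — filtered after the full load` would record that `companies/get-all` still reads every row.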
diff --git a/src/clj/auto_ap/routes/exports.clj b/src/clj/auto_ap/routes/exports.clj
index c3a97794..eddb017b 100644
--- a/src/clj/auto_ap/routes/exports.clj
+++ b/src/clj/auto_ap/routes/exports.clj
@@ -9,7 +9,7 @@
 [auto-ap.utils :refer [by]]
 [auto-ap.parse :as parse]
 [auto-ap.graphql :as graphql]
- [auto-ap.graphql.utils :refer [->graphql]]
+ [auto-ap.graphql.utils :refer [->graphql assert-admin]]
 [auto-ap.routes.utils :refer [wrap-secure]]
 [clj-time.coerce :refer [to-date]]
 [auto-ap.db.invoices-expense-accounts :as expense-accounts]
@@ -23,6 +23,7 @@ (wrap-routes (context "/" [] (GET "/invoices/export" {:keys [query-params identity] :as request} + (assert-admin identity) (let [query [[:all_invoices {:company-id (query-params "company")} [:id :total :outstanding-balance :invoice-number :date
@@ -34,6 +35,7 @@ invoices (graphql/query identity (venia/graphql-query {:venia/queries (->graphql query)}))] (list (:all-invoices (:data invoices))))) (GET "/checks/export" {:keys [query-params]} + (assert-admin identity) (let [query [[:all_checks {:company-id (query-params "company")} [:id :check-number :amount :memo :date
@@ -45,12 +47,15 @@ checks (graphql/query identity (venia/graphql-query {:venia/queries (->graphql query)}))] (list (:all-checks (:data checks))))) - (GET "/companies/export" {:keys [query-params]} + (GET "/companies/export" {:keys [query-params identity]} + (assert-admin identity) (companies/get-all)) - (GET "/vendors/export" {:keys [query-params]} + (GET "/vendors/export" {:keys [query-params identity]} + (assert-admin identity) (vendors/get-all)) - (GET "/transactions/export" {:keys [query-params]} + (GET "/transactions/export" {:keys [query-params identity]} + (assert-admin identity) (let [transactions (transactions/get-graphql {:company (query-params "company")})] (map (fn [i] (-> i
diff --git a/src/clj/auto_ap/routes/invoices.clj b/src/clj/auto_ap/routes/invoices.clj
index 4877d83c..285c7afd 100644
--- a/src/clj/auto_ap/routes/invoices.clj
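Review bot: In the `/checks/export` handler (hunk `@@ -34,6 +35,7 @@`) the added `(assert-admin identity)` receives `clojure.core/identity` — the function — rather than the request's identity, because that handler's destructuring is still `{:keys [query-params]}`, unlike `/invoices/export` and the three handlers in the following hunk, which bind `identity` from the request. Depending on what `assert-admin` does with a function argument this either throws on every call or, worse, passes, so the export is either broken or ungated; change the binding to `(GET "/checks/export" {:keys [query-params identity]}` as the next hunk does for the other routes. The same bare `identity` is also handed to `graphql/query` in the next hunk's first context line (`checks (graphql/query identity …`), which predates this patch but is fixed by the same binding.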
+++ b/src/clj/auto_ap/routes/invoices.clj
@@ -5,6 +5,7 @@
 [auto-ap.db.utils :refer [query]]
 [auto-ap.utils :refer [by]]
 [auto-ap.parse :as parse]
+ [auto-ap.graphql.utils :refer [assert-admin]]
 [auto-ap.routes.utils :refer [wrap-secure]]
 [clj-time.coerce :refer [to-date]]
 [auto-ap.db.invoices-expense-accounts :as expense-accounts]
@@ -70,32 +71,7 @@
 (defroutes routes
 (wrap-routes
 (context "/invoices" []
- (GET "/" []
- {:status 200
- :body (pr-str (invoices/get-all))
- :headers {"Content-Type" "application/edn"}})
-
- (GET "/unpaid" {:keys [query-params] :as r}
- {:status 200
- :body (pr-str (invoices/get-unpaid (query-params "company")))
- :headers {"Content-Type" "application/edn"}})
-
- (GET "/pending" {:keys [query-params]}
- {:status 200
- :body (pr-str (invoices/get-pending (query-params "company")))
- :headers {"Content-Type" "application/edn"}})
-
- (POST "/approve" {:keys [query-params]}
- (invoices/approve)
- {:status 200
- :body (pr-str (invoices/get-pending (query-params "company")))
- :headers {"Content-Type" "application/edn"}})
- (POST "/reject" {:keys [query-params]}
- (invoices/reject)
- {:status 200
- :body (pr-str (invoices/get-pending (query-params "company")))
- :headers {"Content-Type" "application/edn"}})
- (POST "/upload"
+ #_(POST "/upload"
 {{ files "file"} :params :as params}
 (let [{:keys [filename tempfile]} files
 companies (companies/get-all)
@@ -106,7 +82,8 @@ :headers {"Content-Type" "application/edn"}})) (POST "/upload-integreat" - {{:keys [excel-rows]} :edn-params} + {{:keys [excel-rows]} :edn-params identity :identity} + (assert-admin identity) (let [columns [:raw-date :vendor-name :check :location :invoice-number :amount :company :bill-entered :bill-rejected :added-on :exported-on] all-vendors (by :name (vendors/get-all))
diff --git a/src/clj/auto_ap/routes/reminders.clj b/src/clj/auto_ap/routes/reminders.clj
index 5e6ae69b..28256913 100644
--- a/src/clj/auto_ap/routes/reminders.clj
+++ b/src/clj/auto_ap/routes/reminders.clj
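Review bot: The `#_` reader discard on `(POST "/upload"` keeps the whole upload handler in the source as unreachable code (the discarded form runs past this hunk and closes at the `:headers` line in the next one), whereas the sibling routes in this hunk are deleted outright. Either delete it as well, or put a one-line comment above it saying why it is retained, e.g. `;; upload route disabled pending a per-company permission check`, so the next reader does not take the discard for an accident. The removed `/`, `/unpaid`, `/pending`, `/approve` and `/reject` routes now return 404 rather than being gated; if any client still calls them, that is an outage rather than a permission error, which is worth stating in the commit message.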
@@ -3,6 +3,7 @@
 [auto-ap.db.reminders :as reminders]
 [auto-ap.db.vendors :as vendors]
 [auto-ap.routes.utils :refer [wrap-secure]]
+ [auto-ap.graphql.utils :refer [assert-admin]]
 [config.core :refer [env]]
 [clj-http.client :as http]
 [clj-time.coerce :as c]
@@ -72,7 +73,8 @@ :body "{}" :headers {"Content-Type" "application/edn"}}) (wrap-routes - (PUT "/:id" {:keys [ edn-params] {:keys [id] } :route-params} + (PUT "/:id" {:keys [ edn-params] {:keys [id] } :route-params identity :identity} + (assert-admin identity) (let [id (if (int? id) id (Integer/parseInt id))]
diff --git a/src/clj/auto_ap/routes/vendors.clj b/src/clj/auto_ap/routes/vendors.clj
index a1b07852..df59405a 100644
--- a/src/clj/auto_ap/routes/vendors.clj
+++ b/src/clj/auto_ap/routes/vendors.clj
@@ -1,6 +1,7 @@
 (ns auto-ap.routes.vendors
 (:require [auto-ap.db.vendors :as vendors]
 [auto-ap.entities.vendors :as entity]
+ [auto-ap.graphql.utils :refer [assert-admin]]
 [auto-ap.routes.utils :refer [wrap-secure wrap-spec]]
 [auto-ap.db.reminders :as reminders]
 [clj-time.core :as time]
@@ -15,11 +16,13 @@ :headers {"Content-Type" "application/edn"}}) (wrap-routes (PUT "/:id" {:keys [edn-params] {:keys [id]} :route-params :as r} + (assert-admin (:identity r)) {:status 200 :body (pr-str (vendors/upsert id edn-params)) :headers {"Content-Type" "application/edn"}}) #(wrap-spec % ::entity/vendor)) (POST "/:id/remind" {:keys [edn-params] {:keys [id :<< as-int]} :route-params :as r} + (assert-admin (:identity r)) (let [id (if (int? id) id (Integer/parseInt id))
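Review bot: In reminders.clj's `@@ -72,7 +73,8 @@` hunk, the route whose tail is visible just above `(wrap-routes` (ending in `:body "{}"`) sits outside the wrapped group and gets no `assert-admin`, while the `PUT "/:id"` below it now requires admin; that handler begins outside the hunk, so I cannot tell what it does, but confirm it is meant to stay reachable by any authenticated caller. Inside the PUT the assertion runs before the `id` parse, which is the right order, since an unauthorised caller then cannot trigger a parse error. A short comment on the PUT, e.g. `;; admin-only`, would make the policy visible at the point where it is enforced.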