adding authorization

2018-07-10 20:16:26 -07:00
parent d87ebbbfe4
commit dd9b7ce86e
6 changed files with 27 additions and 9 deletions
--- a/project.clj
+++ b/project.clj
@@ -70,7 +70,7 @@
    :plugins      [[lein-figwheel "0.5.13"]
                   [lein-pdo "0.1.1"]
                   [cider/cider-nrepl "0.16.0"]]
-    :jvm-opts ["-Dconfig=config/dev.edn" "--add-modules" "java.xml.bind"]}
+    :jvm-opts ["-Dconfig=config/dev.edn" #_#_"--add-modules" "java.xml.bind"]}
   :uberjar {:prep-tasks [["cljsbuild" "once" "min"] "compile"]}
   :provided {:dependencies [[org.clojure/clojurescript "1.10.238"]
                             [reagent "0.7.0"]
--- a/src/clj/auto_ap/db/checks.clj
+++ b/src/clj/auto_ap/db/checks.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.db.checks
-  (:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute!] :as u]
+  (:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute! limited-companies] :as u]
            [auto-ap.entities.companies :as entity]
            [clojure.edn :as edn]
            [clojure.java.jdbc :as j]
@@ -68,8 +68,11 @@
          :else
          q)))

-(defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount]}]
+(defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount id]}]
+  (println "ID" id)
+
  (cond-> base-query
+    (limited-companies id) (helpers/merge-where [:in :company-id (limited-companies id)])
    (not (nil? company-id)) (helpers/merge-where [:= :company-id company-id])
    (not (nil? bank-account-id)) (helpers/merge-where [:= :bank-account-id bank-account-id])
    (not (nil? vendor-id)) (helpers/merge-where [:= :vendor-id vendor-id])
@@ -77,7 +80,7 @@
    (not (nil? status)) (helpers/merge-where [:= :status status])
    (not (nil? amount)) (helpers/merge-where [:= :amount amount])))

-(defn get-graphql [{:keys [start sort-by asc] :as args}]
+(defn get-graphql [{:keys [start sort-by asc id] :as args}]
  (query
   (cond-> (base-graphql args)
     #_#_(not (nil? sort-by) ) (add-sort-by sort-by asc)
--- a/src/clj/auto_ap/db/utils.clj
+++ b/src/clj/auto_ap/db/utils.clj
@@ -68,3 +68,14 @@
  (let [formatted (sql/format q)]
    (println "Executing query " q " SQL: " formatted)
    (j/execute! (get-conn) formatted)))
+
+(defn limited-companies [id]
+  (cond
+    (= (:role id) "none")
+    []
+
+    (= (:role id) "admin")
+    nil
+
+    (= (:role id) "user")
+    (:companies id [])))
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -326,7 +326,7 @@

        invoices (map
                  ->graphql
-                  (invoices/get-graphql (<-graphql args)))
+                  (invoices/get-graphql (<-graphql (assoc args :id (:id context)))))
        invoice-count (invoices/count-graphql (<-graphql args))]
    (resolve/with-context
      [{:invoices invoices
@@ -423,7 +423,7 @@

 (defn get-company [context args value]
  (->graphql
-   (filter #(can-see-company? (:identity context) %)
+   (filter #(can-see-company? (:id context) %)
           (companies/get-all))))

 (defn join-companies [users]
@@ -515,4 +515,4 @@
   (query id q nil ))
  ([id q v]
   (println "executing graphql query" id q v)
-   (simplify (execute schema q v {:identity id}))))
+   (simplify (execute schema q v {:id id}))))
--- a/src/clj/auto_ap/graphql/checks.clj
+++ b/src/clj/auto_ap/graphql/checks.clj
@@ -25,14 +25,15 @@
      (companies/get-by-id (:company_id value)))))

 (defn get-check-page [context args value]
-  (let [extra-context
+  (let [args (assoc args :id (:id context))
+        extra-context
        (cond->  {}
          (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by  :id (vendors/get-all)))
          (executor/selects-field? context :invoice/company) (assoc :company-cache (by  :id (companies/get-all))))

        checks (map
                  ->graphql
-                  (checks/get-graphql (<-graphql args)))
+                  (checks/get-graphql  (<-graphql args)))
        checks-count (checks/count-graphql (<-graphql args))]
    (resolve/with-context
      [{:checks checks
--- a/src/clj/auto_ap/routes/graphql.clj
+++ b/src/clj/auto_ap/routes/graphql.clj
@@ -3,6 +3,7 @@
            [auto-ap.routes.utils :refer [wrap-secure wrap-spec]]
            [auto-ap.entities.companies :as entity]
            [auto-ap.graphql :as ql]
+            [buddy.auth :refer [throw-unauthorized]]
            [clojure.edn :as edn]
            [compojure.core :refer [GET PUT context defroutes
                                    wrap-routes]]))
@@ -12,6 +13,8 @@
  (wrap-routes
   (context "/graphql" []
            (GET "/" {:keys [query-params] :as r}
+                 (when (= "none" (:role (:identity r)))
+                   (throw-unauthorized))

                 (let [variables (some-> (query-params "variables")
                                         edn/read-string)]