From dd9b7ce86e80e35b8e8b94998a4f991b0f473441 Mon Sep 17 00:00:00 2001
From: Bryce Covert
Date: Tue, 10 Jul 2018 20:16:26 -0700
Subject: [PATCH] adding authorization
---
 project.clj | 2 +-
 src/clj/auto_ap/db/checks.clj | 9 ++++++---
 src/clj/auto_ap/db/utils.clj | 11 +++++++++++
 src/clj/auto_ap/graphql.clj | 6 +++---
 src/clj/auto_ap/graphql/checks.clj | 5 +++--
 src/clj/auto_ap/routes/graphql.clj | 3 +++
 6 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/project.clj b/project.clj
index 6dcf2947..a470ac85 100644
--- a/project.clj
+++ b/project.clj
@@ -70,7 +70,7 @@
 :plugins [[lein-figwheel "0.5.13"]
 [lein-pdo "0.1.1"]
 [cider/cider-nrepl "0.16.0"]]
- :jvm-opts ["-Dconfig=config/dev.edn" "--add-modules" "java.xml.bind"]}
+ :jvm-opts ["-Dconfig=config/dev.edn" #_#_"--add-modules" "java.xml.bind"]}
 :uberjar {:prep-tasks [["cljsbuild" "once" "min"] "compile"]}
 :provided {:dependencies [[org.clojure/clojurescript "1.10.238"]
 [reagent "0.7.0"]
diff --git a/src/clj/auto_ap/db/checks.clj b/src/clj/auto_ap/db/checks.clj
index 98c7c1c0..e40d016b 100644
--- a/src/clj/auto_ap/db/checks.clj
+++ b/src/clj/auto_ap/db/checks.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.db.checks
- (:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute!] :as u]
+ (:require [auto-ap.db.utils :refer [clj->db db->clj get-conn execute! limited-companies] :as u]
 [auto-ap.entities.companies :as entity]
 [clojure.edn :as edn]
 [clojure.java.jdbc :as j]
@@ -68,8 +68,11 @@
 :else q)))
-(defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount]}]
+(defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount id]}]
+ (println "ID" id)
+
 (cond-> base-query
+ (limited-companies id) (helpers/merge-where [:in :company-id (limited-companies id)])
 (not (nil? company-id)) (helpers/merge-where [:= :company-id company-id])
 (not (nil? bank-account-id)) (helpers/merge-where [:= :bank-account-id bank-account-id])
 (not (nil? vendor-id)) (helpers/merge-where [:= :vendor-id vendor-id])
@@ -77,7 +80,7 @@
 (not (nil? status)) (helpers/merge-where [:= :status status])
 (not (nil? amount)) (helpers/merge-where [:= :amount amount])))
-(defn get-graphql [{:keys [start sort-by asc] :as args}]
+(defn get-graphql [{:keys [start sort-by asc id] :as args}]
 (query (cond-> (base-graphql args)
 #_#_(not (nil? sort-by) ) (add-sort-by sort-by asc)
diff --git a/src/clj/auto_ap/db/utils.clj b/src/clj/auto_ap/db/utils.clj
index 181449a6..265a03d5 100644
--- a/src/clj/auto_ap/db/utils.clj
+++ b/src/clj/auto_ap/db/utils.clj
@@ -68,3 +68,14 @@
 (let [formatted (sql/format q)]
 (println "Executing query " q " SQL: " formatted)
 (j/execute! (get-conn) formatted)))
+
+(defn limited-companies [id]
+ (cond
+ (= (:role id) "none")
+ []
+
+ (= (:role id) "admin")
+ nil
+
+ (= (:role id) "user")
+ (:companies id [])))
diff --git a/src/clj/auto_ap/graphql.clj b/src/clj/auto_ap/graphql.clj
index 030f8192..ee5b21e4 100644
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -326,7 +326,7 @@
 invoices (map ->graphql
- (invoices/get-graphql (<-graphql args)))
+ (invoices/get-graphql (<-graphql (assoc args :id (:id context)))))
 invoice-count (invoices/count-graphql (<-graphql args))]
 (resolve/with-context [{:invoices invoices
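Review bot: The new `(limited-companies id)` test at the head of the `cond->` also fires on an empty vector, because `[]` is truthy in Clojure, so a caller with role "none" or a user with no companies produces `[:in :company-id []]`; depending on the honeysql version that renders as `company_id IN ()`, which PostgreSQL rejects, so the request ends in an exception rather than an empty page. The `(println "ID" id)` line writes the caller's identity map to stdout on every query and should not ship. I would bind the allow-list once and fail closed explicitly, as below; the `let` adds one closing paren at the end of the function, whose remaining clauses lie outside this hunk. Note also that `id` is just a key of the args map, so the restriction applies only when a resolver remembers to `assoc` it — an absent key means unrestricted.
```clojure
(defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount id]}]
  ;; `id` is the caller's identity map; a nil allow-list means unrestricted, [] means nothing visible.
  (let [allowed (limited-companies id)]
    (cond-> base-query
      ;; Fail closed instead of emitting `IN ()`.
      (and (some? allowed) (empty? allowed)) (helpers/merge-where [:= 1 0])
      (seq allowed) (helpers/merge-where [:in :company-id allowed])
      ;; … unchanged: company-id / bank-account-id / vendor-id / … clauses …
```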
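Review bot: `id` is added to the `:keys` destructuring of `get-graphql` but is never referenced in the body; `base-graphql` receives the whole `args` map and pulls `id` out itself, so the new binding is dead. Either drop it again — `(defn get-graphql [{:keys [start sort-by asc] :as args}]` — or use it, so a reader is not led to believe this function does its own filtering. The `query` form continues past the end of the hunk.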
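Review bot: `limited-companies` has no `:else` branch, so any identity whose role is not exactly `"none"`, `"admin"` or `"user"` — a nil role, a typo, a role added later — falls out of the `cond` as `nil`, which is precisely the value `base-graphql` treats as "no company restriction". Unknown or missing roles therefore get admin-level visibility; an authorization helper should fail closed. Add `:else []` as the final pair (the `"none"` branch then becomes redundant but harmless) and state the contract above the defn: `;; nil => no company restriction (admin); a vector => only these company ids (possibly empty)`.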
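Review bot: `invoice-count` is still computed from the unfiltered `args`, so a restricted user's page reports a total over every company while the rows are filtered — inconsistent, and it discloses how many invoices other tenants have. Bind the identity once, as the checks resolver does — `(let [args (assoc args :id (:id context))` — and reuse it for both calls; the `let` head is above this hunk. The diffstat shows no change to the invoices db namespace, so unless `invoices/get-graphql` already reads `:id` from its argument map, passing it here is a no-op and invoices remain unrestricted.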
@@ -423,7 +423,7 @@
 (defn get-company [context args value]
 (->graphql
- (filter #(can-see-company? (:identity context) %)
+ (filter #(can-see-company? (:id context) %)
 (companies/get-all))))
 (defn join-companies [users]
@@ -515,4 +515,4 @@
 (query id q nil ))
 ([id q v]
 (println "executing graphql query" id q v)
- (simplify (execute schema q v {:identity id}))))
+ (simplify (execute schema q v {:id id}))))
diff --git a/src/clj/auto_ap/graphql/checks.clj b/src/clj/auto_ap/graphql/checks.clj
index 0c909c5f..9b1ff900 100644
--- a/src/clj/auto_ap/graphql/checks.clj
+++ b/src/clj/auto_ap/graphql/checks.clj
@@ -25,14 +25,15 @@
 (companies/get-by-id (:company_id value)))))
 (defn get-check-page [context args value]
- (let [extra-context
+ (let [args (assoc args :id (:id context))
+ extra-context
 (cond-> {} (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by :id (vendors/get-all))) (executor/selects-field? context :invoice/company) (assoc :company-cache (by :id (companies/get-all))))
 checks (map ->graphql
- (checks/get-graphql (<-graphql args)))
+ (checks/get-graphql (<-graphql args)))
 checks-count (checks/count-graphql (<-graphql args))]
 (resolve/with-context [{:checks checks
diff --git a/src/clj/auto_ap/routes/graphql.clj b/src/clj/auto_ap/routes/graphql.clj
index 66f72ded..6081d471 100644
--- a/src/clj/auto_ap/routes/graphql.clj
+++ b/src/clj/auto_ap/routes/graphql.clj
@@ -3,6 +3,7 @@
 [auto-ap.routes.utils :refer [wrap-secure wrap-spec]]
 [auto-ap.entities.companies :as entity]
 [auto-ap.graphql :as ql]
+ [buddy.auth :refer [throw-unauthorized]]
 [clojure.edn :as edn]
 [compojure.core :refer [GET PUT context defroutes wrap-routes]]))
@@ -12,6 +13,8 @@
 (wrap-routes
 (context "/graphql" []
 (GET "/" {:keys [query-params] :as r}
+ (when (= "none" (:role (:identity r)))
+ (throw-unauthorized))
 (let [variables (some-> (query-params "variables") edn/read-string)]
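Review bot: Storing the caller's identity in the resolver's `args` map under `:id` mixes it with the field arguments that travel through `<-graphql`, and any `id` argument the schema exposes on this field would be silently overwritten (or, if the `assoc` were ever dropped, a client-supplied `id` would be read as an identity). A dedicated key keeps the two apart — `(let [args (assoc args :identity (:id context))` here, with the matching `:keys` entry in `base-graphql`. `checks-count` now also receives the identity, but the checks db diff in this commit only touches `base-graphql` and `get-graphql`, so the count is restricted only if `count-graphql` already builds on `base-graphql`; worth confirming. The `let` body continues past the hunk.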