From e0ba9395ef261d654b530c4115be85a91ce51f0c Mon Sep 17 00:00:00 2001
From: BC
Date: Tue, 10 Jul 2018 21:55:13 -0700
Subject: [PATCH] cannot graphql data you can't see

---
 project.clj | 2 +-
 src/clj/auto_ap/db/checks.clj | 1 -
 src/clj/auto_ap/db/invoices.clj | 5 +++--
 src/clj/auto_ap/db/transactions.clj | 6 ++++--
 src/clj/auto_ap/graphql.clj | 17 ++++++++++++++---
 src/clj/auto_ap/graphql/transactions.clj | 3 ++-
 6 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/project.clj b/project.clj
index a470ac85..6dcf2947 100644
--- a/project.clj
+++ b/project.clj
@@ -70,7 +70,7 @@
 :plugins [[lein-figwheel "0.5.13"]
 [lein-pdo "0.1.1"]
 [cider/cider-nrepl "0.16.0"]]
- :jvm-opts ["-Dconfig=config/dev.edn" #_#_"--add-modules" "java.xml.bind"]}
+ :jvm-opts ["-Dconfig=config/dev.edn" "--add-modules" "java.xml.bind"]}
 :uberjar {:prep-tasks [["cljsbuild" "once" "min"] "compile"]}
 :provided {:dependencies [[org.clojure/clojurescript "1.10.238"]
 [reagent "0.7.0"]
diff --git a/src/clj/auto_ap/db/checks.clj b/src/clj/auto_ap/db/checks.clj
index e40d016b..d2e4ceac 100644
--- a/src/clj/auto_ap/db/checks.clj
+++ b/src/clj/auto_ap/db/checks.clj
@@ -69,7 +69,6 @@ q))) (defn base-graphql [{:keys [company-id vendor-id check-number bank-account-id status amount id]}] - (println "ID" id) (cond-> base-query (limited-companies id) (helpers/merge-where [:in :company-id (limited-companies id)])
diff --git a/src/clj/auto_ap/db/invoices.clj b/src/clj/auto_ap/db/invoices.clj
index e4810299..bfbcaf9f 100644
--- a/src/clj/auto_ap/db/invoices.clj
+++ b/src/clj/auto_ap/db/invoices.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.db.invoices
- (:require [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query] :as utils]
+ (:require [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query limited-companies] :as utils]
 [auto-ap.parse :as parse]
 [auto-ap.db.companies :as companies]
 [auto-ap.db.invoices-checks :as invoices-checks]
@@ -108,8 +108,9 @@ -(defn base-graphql [{:keys [imported company-id status]}] +(defn base-graphql [{:keys [imported company-id status id]}] (cond-> base-query + (limited-companies id) (helpers/merge-where [:in :company-id (limited-companies id)]) (not (nil? imported)) (helpers/merge-where [:= :imported imported]) (not (nil? status)) (helpers/merge-where [:= :status status]) (not (nil? company-id)) (helpers/merge-where [:= :company-id company-id])))
diff --git a/src/clj/auto_ap/db/transactions.clj b/src/clj/auto_ap/db/transactions.clj
index 799076bf..f24933b8 100644
--- a/src/clj/auto_ap/db/transactions.clj
+++ b/src/clj/auto_ap/db/transactions.clj
@@ -4,7 +4,7 @@
 [honeysql.helpers :as helpers]
 [honeysql-postgres.format :as postgres-format]
 [honeysql-postgres.helpers :as postgres-helpers]
- [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query] :as utils]))
+ [auto-ap.db.utils :refer [clj->db kebab->snake db->clj get-conn query limited-companies] :as utils]))
 
 (defn upsert! [row]
 (j/db-do-prepared (get-conn)
@@ -16,8 +16,10 @@ (def base-query (sql/build :select :* :from :transactions)) -(defn base-graphql [{:keys [company-id]}] +(defn base-graphql [{:keys [company-id id]}] + (println "ID" id) (cond-> base-query + (limited-companies id) (helpers/merge-where [:in :company-id (limited-companies id)]) (not (nil? company-id)) (helpers/merge-where [:= :company-id company-id]))) (defn get-graphql [{:keys [start sort-by asc] :as args}]
diff --git a/src/clj/auto_ap/graphql.clj b/src/clj/auto_ap/graphql.clj
index ee5b21e4..54c608ee 100644
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -5,6 +5,7 @@
 [com.walmartlabs.lacinia :refer [execute]]
 [com.walmartlabs.lacinia.executor :as executor]
 [com.walmartlabs.lacinia.resolve :as resolve]
+ [buddy.auth :refer [throw-unauthorized]]
 [auto-ap.db.invoices :as invoices]
 [auto-ap.utils :refer [by]]
 [auto-ap.db.vendors :as vendors]
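Review bot: The `(limited-companies id)` guard added to invoices base-graphql is fail-open: when limited-companies returns nil no company filter is applied and the query returns every row, so everything rests on that function (not visible here) returning nil only for a genuinely unrestricted identity and never for a missing or malformed one, such as a request whose context carries no `:id`. Please confirm that, or have the resolver reject a nil identity before it reaches the db layer. The call is also evaluated twice; bind it once and keep the nil-means-unrestricted test explicit, `(let [cos (limited-companies id)] (cond-> base-query (some? cos) (helpers/merge-where [:in :company-id cos]) …))`, bearing in mind that an empty collection is truthy in Clojure and then produces an `IN ()` clause whose rendering by honeysql should be checked rather than assumed. The identical guard is added in transactions.clj base-graphql and the same comment applies there.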
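Review bot: `(println "ID" id)` in transactions base-graphql is the same debug print this commit removes from checks.clj, and it writes the caller's identity map — presumably the value get-transaction-page copies from `(:id context)` and that assert-admin reads `:role` from — to stdout on every transaction query. Drop the line; if a trace is genuinely needed, send it through the project's logger at debug level without the identity contents.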
@@ -319,7 +320,8 @@
 m))
 
 (defn get-invoice-page [context args value]
- (let [extra-context
+ (let [args (assoc args :id (:id context))
+ extra-context
 (cond-> {}
 (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by :id (vendors/get-all)))
 (executor/selects-field? context :invoice/company) (assoc :company-cache (by :id (companies/get-all))))
@@ -335,7 +337,12 @@ :start (:start args 0) :end (+ (:start args 0) (count invoices))}] extra-context))) +(defn assert-admin [id] + (when-not (= "admin" (:role id)) + (throw-unauthorized))) + (defn get-all-invoices [context args value] + (assert-admin (:id context)) (let [extra-context (cond-> {} (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by :id (vendors/get-all)))
@@ -350,6 +357,7 @@ invoices extra-context))) (defn get-all-checks [context args value] + (assert-admin (:id context)) (let [extra-context (cond-> {} (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by :id (vendors/get-all)))
@@ -365,6 +373,7 @@ checks extra-context))) (defn get-reminder-page [context args value] + (assert-admin (:id context)) (let [extra-context (cond-> {} (executor/selects-field? context :reminder/vendor) (assoc :vendor-cache (by :id (vendors/get-all))))
@@ -434,7 +443,10 @@ users))) (defn get-user [context args value] - (let [users (users/get-all) + (assert-admin) + + (let [ + users (users/get-all) extra-context (cond-> context (executor/selects-field? context :user/companies) (assoc :company-cache (by :id (companies/get-all))))]
@@ -461,7 +473,6 @@ :get-all-invoices get-all-invoices :get-all-checks get-all-checks :bank-account-for-check bank-account-for-check - :get-check-page gq-checks/get-check-page :get-transaction-page gq-transactions/get-transaction-page :get-reminder-page get-reminder-page
diff --git a/src/clj/auto_ap/graphql/transactions.clj b/src/clj/auto_ap/graphql/transactions.clj
index 1cada089..6c0235f5 100644
--- a/src/clj/auto_ap/graphql/transactions.clj
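Review bot: Putting the caller's identity into the GraphQL argument map under `:id` in get-invoice-page mixes server-derived trust data with client-supplied arguments, and the key name reads as a row id rather than an identity map. It is safe only because the assoc runs after the client's arguments are bound, so any client-supplied `id` argument is overwritten rather than honoured; a distinct key such as `:identity`, with the matching destructuring in invoices/base-graphql, would make that intent explicit and harder to break later. get-transaction-page in graphql/transactions.clj has the same shape. The body of get-invoice-page continues past the end of the hunk.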
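Review bot: assert-admin has no docstring and names its parameter `id` although it is handed the identity map and looks up `(:role id)` on it, so the contract has to be reverse-engineered at each call site. Suggest renaming the parameter to `identity` and adding a one-line docstring stating that it throws buddy's unauthorized exception unless the identity map's :role is "admin", and that a nil identity (no :id in the lacinia context) is therefore rejected — the latter follows from `(:role nil)` being nil. The guarded resolvers in this file all pass `(:id context)`, so the rename is local to this definition.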
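Review bot: `(assert-admin)` in get-user is called with no argument while assert-admin is defined with exactly one parameter, so every call of this resolver will fail with an arity exception instead of performing the role check; it should read `(assert-admin (:id context))` as in the other guarded resolvers. The stray blank line and the `(let [` broken across two lines look like leftover editing; `(let [users (users/get-all)` on one line restores the original form. The let body continues outside the hunk.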
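Review bot: Dropping `:get-check-page` from the resolver map without a matching schema change would leave a query field with no resolver, which lacinia is likely to reject when resolvers are attached, so the check-page query should be removed from the schema in the same commit if it has not been already. checks.clj base-graphql already carries the company filter (visible earlier in this patch), so the reason for disabling the resolver rather than guarding it like the others is not evident from the diff; a sentence in the commit message would help. The resolver map extends beyond the hunk on both sides.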
+++ b/src/clj/auto_ap/graphql/transactions.clj
@@ -22,7 +22,8 @@
 (companies/get-by-id (:company_id value)))))
 
 (defn get-transaction-page [context args value]
- (let [extra-context
+ (let [args (assoc args :id (:id context))
+ extra-context
 (cond-> {}
 (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by :id (vendors/get-all)))
 (executor/selects-field? context :invoice/company) (assoc :company-cache (by :id (companies/get-all))))