cannot graphql data you can't see

2018-07-10 21:55:13 -07:00
parent dd9b7ce86e
commit e0ba9395ef
6 changed files with 24 additions and 10 deletions
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -5,6 +5,7 @@
    [com.walmartlabs.lacinia :refer [execute]]
    [com.walmartlabs.lacinia.executor :as executor]
    [com.walmartlabs.lacinia.resolve :as resolve]
+    [buddy.auth :refer [throw-unauthorized]]
    [auto-ap.db.invoices :as invoices]
    [auto-ap.utils :refer [by]]
    [auto-ap.db.vendors :as vendors]
@@ -319,7 +320,8 @@
    m))

 (defn get-invoice-page [context args value]
-  (let [extra-context
+  (let [args (assoc args :id (:id context))
+        extra-context
        (cond->  {}
          (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by  :id (vendors/get-all)))
          (executor/selects-field? context :invoice/company) (assoc :company-cache (by  :id (companies/get-all))))
@@ -335,7 +337,12 @@
        :start (:start args 0)
        :end (+ (:start args 0) (count invoices))}] extra-context)))

+(defn assert-admin [id]
+  (when-not (= "admin" (:role id))
+    (throw-unauthorized)))
+
 (defn get-all-invoices [context args value]
+  (assert-admin (:id context))
  (let [extra-context
        (cond->  {}
          (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by  :id (vendors/get-all)))
@@ -350,6 +357,7 @@
      invoices extra-context)))

 (defn get-all-checks [context args value]
+  (assert-admin (:id context))
  (let [extra-context
        (cond->  {}
          (executor/selects-field? context :invoice/vendor) (assoc :vendor-cache (by  :id (vendors/get-all)))
@@ -365,6 +373,7 @@
      checks extra-context)))

 (defn get-reminder-page [context args value]
+  (assert-admin (:id context))
  (let [extra-context
        (cond->  {}
          (executor/selects-field? context :reminder/vendor) (assoc :vendor-cache (by  :id (vendors/get-all))))
@@ -434,7 +443,10 @@
     users)))

 (defn get-user [context args value]
-  (let [users (users/get-all)
+  (assert-admin)
+
+  (let [
+        users (users/get-all)
        
        extra-context (cond-> context 
                        (executor/selects-field? context :user/companies) (assoc :company-cache (by :id (companies/get-all))))]
@@ -461,7 +473,6 @@
                         :get-all-invoices get-all-invoices
                         :get-all-checks get-all-checks
                         :bank-account-for-check bank-account-for-check
-                         
                         :get-check-page gq-checks/get-check-page
                         :get-transaction-page gq-transactions/get-transaction-page
                         :get-reminder-page get-reminder-page