very basics of security have been added.

2018-06-04 22:22:15 -07:00
parent 44fff9e88a
commit fbccc0b209
6 changed files with 27 additions and 23 deletions
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -288,9 +288,14 @@
      (map company-cache (:companies value))
      (map companies/get-by-id (:companies value)))))

+(defn can-see-company? [identity company]
+  (or (= "admin" (:role identity))
+      ((set (:companies identity)) (:id company))))
+
 (defn get-company [context args value]
  (->graphql
-   (companies/get-all)))
+   (filter #(can-see-company? (:identity context) %)
+           (companies/get-all))))

 (defn join-companies [users]
  (let [companies (by :id (companies/get-all))]
@@ -365,7 +370,8 @@
    m))
                 
 (defn query
-  ([q]
-   (simplify (execute schema q nil nil)))
-  ([q v]
-   (simplify (execute schema q v nil))))
+  ([id q]
+   (query id q nil ))
+  ([id q v]
+   (println id q v)
+   (simplify (execute schema q v {:identity id}))))
--- a/src/clj/auto_ap/routes/companies.clj
+++ b/src/clj/auto_ap/routes/companies.clj
@@ -9,7 +9,7 @@
 (defroutes routes
  (wrap-routes
   (context "/companies" []
-            (GET "/" []
+            (GET "/" r 
                 {:status 200
                  :body (pr-str (companies/get-all))
                  :headers {"Content-Type" "application/edn"}})
--- a/src/clj/auto_ap/routes/graphql.clj
+++ b/src/clj/auto_ap/routes/graphql.clj
@@ -11,11 +11,11 @@
 (defroutes routes
  (wrap-routes
   (context "/graphql" []
-            (GET "/" {:keys [query-params]}
+            (GET "/" {:keys [query-params] :as r}
+
                 (let [variables (some-> (query-params "variables")
                                         edn/read-string)]
-                   (println variables)
                   {:status 200
-                    :body (pr-str (ql/query (query-params "query") variables))
+                    :body (pr-str (ql/query (:identity r) (query-params "query") variables ))
                    :headers {"Content-Type" "application/edn"}})))
   wrap-secure))
--- a/src/cljs/auto_ap/subs.cljs
+++ b/src/cljs/auto_ap/subs.cljs
@@ -50,8 +50,7 @@
 ::user
 (fn [db]
   (when (:user db)
-     (let [{:strs [name] :as x} (js->clj (.parse js/JSON (base64/decodeString (second (str/split (:user db) #"\.")))))]
-       {:name name}))))
+     (js->clj (.parse js/JSON (base64/decodeString (second (str/split (:user db) #"\.")))) :keywordize-keys true))))

 (re-frame/reg-sub
 ::active-page
--- a/src/cljs/auto_ap/views/main.cljs
+++ b/src/cljs/auto_ap/views/main.cljs
@@ -13,18 +13,18 @@
  ({:login :blank
    :check :blank
    :needs-activation :blank
-     :index :left-panel
-     :invoices :left-panel
-     :import-invoices :left-panel
-     :unpaid-invoices :left-panel
-     :paid-invoices :left-panel
+    :index :left-panel
+    :invoices :left-panel
+    :import-invoices :left-panel
+    :unpaid-invoices :left-panel
+    :paid-invoices :left-panel
    :admin :admin-left-panel
    :admin-companies :admin-left-panel
    :admin-users :admin-left-panel
    :admin-excel-import :admin-left-panel
    :admin-vendors :admin-left-panel
    :admin-reminders :admin-left-panel
-     :new-invoice :blank} page :blank))
+    :new-invoice :blank} page :blank))

 (defn login-dropdown []
  (let [user (re-frame/subscribe [::subs/user])
@@ -36,8 +36,9 @@
         [:a {:class "navbar-link login" :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} (:name @user)]
         [:div {:class "navbar-dropdown"}
          [:a {:class "navbar-item"} "My profile"]
-          [:a {:class "navbar-item" :href (bidi/path-for routes/routes :admin)
-               :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} "Administration"]
+          (when (= "admin" (:role @user))
+            [:a {:class "navbar-item" :href (bidi/path-for routes/routes :admin)
+                 :on-click (fn [e] (re-frame/dispatch [::events/toggle-menu :account]))} "Administration"])
          [:hr {:class "navbar-divider"}]
          [:a.navbar-item {:on-click (fn [e] (.preventDefault e) (re-frame/dispatch [::events/logout]))} "Logout"]]]
        [:a.navbar-item {:href login-url} "Login"])]]))
@@ -169,7 +170,7 @@

        [:p.menu-label "Accounts Payable"]
        [:ul.menu-list
-         [:li.menu-item
+         #_[:li.menu-item
          [:a {:href (bidi/path-for routes/routes :import-invoices) , :class (str "item" (active-when= ap :import-invoices))}
           [:span {:class "icon"}
            [:i {:class "fa fa-star-o"}]]
--- a/src/cljs/auto_ap/views/pages/index.cljs
+++ b/src/cljs/auto_ap/views/pages/index.cljs
@@ -4,6 +4,4 @@

 (defn index-page []
  [:div
-   [:h1.title "Dashboard"]
-   [:h2.subtitle "To get started, "
-    [:a {:href (bidi/path-for routes/routes :import-invoices)} "Import some invoices"]]])
+   [:h1.title "Dashboard"]])