very basics of security have been added.

src/clj/auto_ap/graphql.clj

@@ -288,9 +288,14 @@
       (map company-cache (:companies value))
       (map companies/get-by-id (:companies value)))))
 
+(defn can-see-company? [identity company]
+  (or (= "admin" (:role identity))
+      ((set (:companies identity)) (:id company))))
+
 (defn get-company [context args value]
   (->graphql
-   (companies/get-all)))
+   (filter #(can-see-company? (:identity context) %)
+           (companies/get-all))))
 
 (defn join-companies [users]
   (let [companies (by :id (companies/get-all))]
@@ -365,7 +370,8 @@
     m))
                  
 (defn query
-  ([q]
-   (simplify (execute schema q nil nil)))
-  ([q v]
-   (simplify (execute schema q v nil))))
+  ([id q]
+   (query id q nil ))
+  ([id q v]
+   (println id q v)
+   (simplify (execute schema q v {:identity id}))))

src/clj/auto_ap/routes/companies.clj

@@ -9,7 +9,7 @@
 (defroutes routes
   (wrap-routes
    (context "/companies" []
-            (GET "/" []
+            (GET "/" r 
                  {:status 200
                   :body (pr-str (companies/get-all))
                   :headers {"Content-Type" "application/edn"}})

src/clj/auto_ap/routes/graphql.clj

@@ -11,11 +11,11 @@
 (defroutes routes
   (wrap-routes
    (context "/graphql" []
-            (GET "/" {:keys [query-params]}
+            (GET "/" {:keys [query-params] :as r}
+
                  (let [variables (some-> (query-params "variables")
                                          edn/read-string)]
-                   (println variables)
                    {:status 200
-                    :body (pr-str (ql/query (query-params "query") variables))
+                    :body (pr-str (ql/query (:identity r) (query-params "query") variables ))
                     :headers {"Content-Type" "application/edn"}})))
    wrap-secure))