Add authentication checks to existing GraphQL models, rename private_…

…fields to manual_fields and check if a custom resolver is defined for those fields
Inter-Actief · Feb 3, 2025 · 994f3f0 · 994f3f0
1 parent f971d7b
commit 994f3f0
Show file tree

Hide file tree

Showing 12 changed files with 269 additions and 54 deletions.
diff --git a/amelie/about/graphql.py b/amelie/about/graphql.py
@@ -4,9 +4,17 @@
 from graphene_django import DjangoObjectType
 
 from amelie.about.models import Page
+from amelie.graphql.decorators import check_authorization
 
 
+@check_authorization
 class PageType(DjangoObjectType):
+    public_fields = [
+        "name_nl", "name_en", "name",
+        "slug_nl", "slug_en", "slug",
+        "content_nl", "content_en", "content",
+        "educational", "last_modified"
+    ]
     class Meta:
         model = Page
         description = "Type definition for a single Page"

diff --git a/amelie/activities/graphql.py b/amelie/activities/graphql.py
@@ -4,7 +4,9 @@
 from graphene_django import DjangoObjectType
 
 from amelie.activities.models import Activity, ActivityLabel
-from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS
+from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS, EVENT_TYPE_BASE_PUBLIC_FIELDS
+from amelie.graphql.decorators import check_authorization
+from amelie.graphql.helpers import is_logged_in
 from amelie.graphql.pagination.connection_field import DjangoPaginationConnectionField
 
 
@@ -20,7 +22,32 @@ class Meta:
         }
 
 
+@check_authorization
 class ActivityType(EventType):
+    public_fields = [
+        "enrollment",
+        "enrollment_begin",
+        "enrollment_end",
+        "maximum",
+        "waiting_list_locked",
+        "photos",
+        "components",
+        "price",
+        "can_unenroll",
+        "image_icon",
+        "activity_label",
+        "absolute_url",
+        "random_photo_url",
+        "photo_url",
+        "calendar_url",
+        "enrollment_open",
+        "enrollment_closed",
+        "can_edit",
+        "enrollment_full",
+        "enrollment_almost_full",
+        "has_enrollment_options",
+        "has_costs"
+    ] + EVENT_TYPE_BASE_PUBLIC_FIELDS
 
     class Meta:
         model = Activity
@@ -76,7 +103,7 @@ def resolve_enrollment_closed(self: Activity, info):
         return self.enrollment_closed()
 
     def resolve_can_edit(self: Activity, info):
-        if hasattr(info.context.user, 'person'):
+        if is_logged_in(info):
             return self.can_edit(info.context.user.person)
         return False
 
@@ -93,7 +120,17 @@ def resolve_has_costs(self: Activity, info):
         return self.has_costs()
 
 
+@check_authorization
 class ActivityLabelType(DjangoObjectType):
+    public_fields = [
+        "name_en",
+        "name_nl",
+        "color",
+        "icon",
+        "explanation_en",
+        "explanation_nl",
+        "active"
+    ]
     class Meta:
         model = ActivityLabel
         fields = [

diff --git a/amelie/calendar/graphql.py b/amelie/calendar/graphql.py
@@ -24,12 +24,34 @@
     "public",
     "dutch_activity",
 ]
+EVENT_TYPE_BASE_PUBLIC_FIELDS = [
+    "id",
+    "begin",
+    "end",
+    "entire_day",
+    "summary_nl",
+    "summary_en",
+    "promo_nl",
+    "promo_en",
+    "description_nl",
+    "description_en",
+    "organizer",
+    "location",
+    "public",
+    "dutch_activity",
+    "attachments",
+    "summary",
+    "description",
+    "promo",
+    "description_short"
+]
 
 
 class EventType(DjangoObjectType):
     """
     The event type used for GraphQL operations
     """
+    public_fields = EVENT_TYPE_BASE_PUBLIC_FIELDS
 
     class Meta:
         # Make sure that this type is not actually being registered. But it can be used by other types as a base class.

diff --git a/amelie/companies/graphql.py b/amelie/companies/graphql.py
@@ -6,12 +6,20 @@
 from django.utils.translation import gettext_lazy as _
 
 from amelie.activities.graphql import ActivityLabelType
-from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS
+from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS, EVENT_TYPE_BASE_PUBLIC_FIELDS
 from amelie.companies.models import Company, WebsiteBanner, TelevisionBanner, VivatBanner, CompanyEvent
+from amelie.graphql.decorators import check_authorization
 from amelie.graphql.pagination.connection_field import DjangoPaginationConnectionField
 
 
+@check_authorization
 class CompanyType(DjangoObjectType):
+    public_fields = [
+        "name_nl", "name_en", "name", "slug", "url", "logo", "logo_width", "logo_height", "profile_nl", "profile_en",
+        "profile", "short_description_nl", "short_description_en", "short_description", "start_date", "end_date",
+        "show_in_app", "app_logo", "app_logo_height", "app_logo_width"
+    ]
+
     class Meta:
         model = Company
         description = "Type definition of a single Company"
@@ -40,7 +48,18 @@ class Meta:
         }
 
 
+@check_authorization
 class CompanyEventType(EventType):
+    public_fields = [
+        "company",
+        "company_text",
+        "company_url",
+        "activity_label",
+        "activity_type",
+        "calendar_url",
+        "absolute_url",
+        "is_visible"
+    ] + EVENT_TYPE_BASE_PUBLIC_FIELDS
 
     class Meta:
         model = CompanyEvent
@@ -53,7 +72,7 @@ class Meta:
 
     activity_label = graphene.Field(ActivityLabelType, description=_("The label that belongs to this activity"))
     activity_type = graphene.String(description=_("The type of activity"))
-    calender_url = graphene.String(description=_("The url to the ics for this activity"))
+    calendar_url = graphene.String(description=_("The url to the ics for this activity"))
     absolute_url = graphene.String(description=_("The absolute URL to this event"))
     is_visible = graphene.Boolean(description=_("Whether this event is visible"))
 
@@ -72,7 +91,10 @@ def resolve_absolute_url(self: CompanyEvent, info):
     def resolve_is_visible(self: CompanyEvent, info):
         return self.is_visible()
 
+
+@check_authorization
 class WebsiteBannerType(DjangoObjectType):
+    public_fields = ["picture", "name", "slug", "active", "url"]
     class Meta:
         model = WebsiteBanner
         description = "Type definition of a single Website Banner"
@@ -82,7 +104,9 @@ class Meta:
         fields = ["picture", "name", "slug", "active", "url"]
 
 
+@check_authorization
 class TelevisionBannerType(DjangoObjectType):
+    public_fields = ["picture", "name", "slug", "active"]
     class Meta:
         model = TelevisionBanner
         description = "Type definition of a single Television Banner"
@@ -92,7 +116,9 @@ class Meta:
         fields = ["picture", "name", "slug", "active"]
 
 
+@check_authorization
 class VivatBannerType(DjangoObjectType):
+    public_fields = ["picture", "name", "slug", "active", "url"]
     class Meta:
         model = VivatBanner
         description = "Type definition of a single Vivat Banner"

diff --git a/amelie/education/graphql.py b/amelie/education/graphql.py
@@ -8,13 +8,19 @@
 from amelie.education.forms import EducationalBouquetForm
 
 from amelie.activities.graphql import ActivityLabelType
-from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS
+from amelie.calendar.graphql import EventType, EVENT_TYPE_BASE_FIELDS, EVENT_TYPE_BASE_PUBLIC_FIELDS
+from amelie.graphql.decorators import check_authorization
 from amelie.graphql.pagination.connection_field import DjangoPaginationConnectionField
 
 from amelie.education.models import Category, Page, EducationEvent
 
 
+@check_authorization
 class EducationPageType(DjangoObjectType):
+    public_fields = [
+        "id", "name_nl", "name_en", "name", "slug", "category",
+        "content_nl", "content_en", "content", "last_changed", "position"
+    ]
     class Meta:
         model = Page
         description = "Type definition for a single Education Page"
@@ -38,7 +44,9 @@ def resolve_content(obj: Page, info):
         return obj.content
 
 
+@check_authorization
 class EducationPageCategoryType(DjangoObjectType):
+    public_fields = ["id", "name_nl", "name_en", "name", "page_set"]
     class Meta:
         model = Category
         description = "Type definition for a single education page Category"
@@ -68,7 +76,14 @@ class Meta:
         }
 
 
+@check_authorization
 class EducationEventType(EventType):
+    public_fields = [
+        "education_organizer",
+        "activity_label",
+        "activity_type",
+        "absolute_url"
+    ] + EVENT_TYPE_BASE_PUBLIC_FIELDS
 
     class Meta:
         model = EducationEvent

diff --git a/amelie/files/graphql.py b/amelie/files/graphql.py
@@ -2,9 +2,29 @@
 from graphene_django import DjangoObjectType
 
 from amelie.files.models import Attachment
+from amelie.graphql.decorators import check_authorization
 
 
+@check_authorization
 class AttachmentType(DjangoObjectType):
+    public_fields = [
+        "file",
+        "caption",
+        "thumb_small",
+        "thumb_medium",
+        "thumb_large",
+        "mimetype",
+        "owner",
+        "created",
+        "modified",
+        "thumb_small_height",
+        "thumb_small_width",
+        "thumb_medium_height",
+        "thumb_medium_width",
+        "thumb_large_height",
+        "thumb_large_width",
+        "public"
+    ]
     class Meta:
         model = Attachment
         fields = [