fix: Limit project query to member of project

techmatters · Oct 6, 2023 · 5112748 · 5112748
1 parent 4e5efa8
commit 5112748
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/terraso_backend/apps/project_management/graphql/projects.py b/terraso_backend/apps/project_management/graphql/projects.py
@@ -143,6 +143,12 @@ def resolve_seen(self, info):
             return True
         return self.seen_by.filter(id=user.id).exists()
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        # limit queries to membership lists of projects to which the user belongs
+        user_pk = getattr(info.context.user, "pk", None)
+        return queryset.filter(membership_list__memberships__user_id=user_pk)
+
 
 class ProjectPrivacy(graphene.Enum):
     PRIVATE = Project.PRIVATE

diff --git a/terraso_backend/tests/graphql/test_projects_query.py b/terraso_backend/tests/graphql/test_projects_query.py
@@ -19,30 +19,45 @@
 
 pytestmark = pytest.mark.django_db
 
-
-def test_query_by_member(client, project, project_user):
-    project2 = Project(name="2")
-    project2.save()
-    query = """
+PROJECT_QUERY = """
     {
-      projects(member: "%s") {
+      projects {
         edges {
           node {
             id
             name
             membershipList {
               id
+              memberships {
+                edges {
+                  node {
+                    id
+                  }
+                }
+              }
             }
           }
         }
+        totalCount
       }
     }
-    """ % (
-        project_user.id,
-    )
+    """
+
+
+def test_query_by_member(client, project, project_user):
+    project2 = Project(name="2")
+    project2.save()
     client.force_login(project_user)
-    response = graphql_query(query, client=client)
+    response = graphql_query(PROJECT_QUERY, client=client)
     assert "errors" not in response.json()
     edges = response.json()["data"]["projects"]["edges"]
     assert len(edges) == 1
     assert edges[0]["node"]["name"] == str(project.name)
+
+
+def test_query_by_non_member(client, project):
+    response = graphql_query(PROJECT_QUERY, client=client)
+    payload = response.json()
+    assert "errors" not in payload
+    assert len(payload["data"]["projects"]["edges"]) == 0
+    assert payload["data"]["projects"]["totalCount"] == 0