fix: Added permissions validation context to api error #858

Merged
merged 4 commits into from
Oct 10, 2023
Merged
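--- a/terraso_backend/apps/graphql/schema/story_maps.py
+++ b/terraso_backend/apps/graphql/schema/story_maps.py
@@ -13,6 +13,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see https://www.gnu.org/licenses/.
 
+from datetime import datetime
+
 import django_filters
 import graphene
 import rules
@@ -345,11 +347,20 @@ def mutate_and_get_payload(cls, root, info, **kwargs):
 "Attempt to approve a Membership, but user has no permission",
 extra=kwargs,
 )
-raise GraphQLNotAllowedException(
+error = GraphQLNotAllowedException(
 model_name=Membership.__name__,
 operation=MutationTypes.UPDATE,
 message="permissions_validation",
 )
+return cls(
+errors=[{"message": str(error)}],
+story_map=StoryMap(
+id="",
+title=story_map.title,
+created_at=datetime.now(),
+updated_at=datetime.now(),
+),
+)
 
 try:
 membership.membership_list.approve_membership(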
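Review bot: The denied branch of `mutate_and_get_payload` now returns `title=story_map.title` to a caller who has just failed the permission check, so the title is disclosed to whoever the check rejects; if that is the intended error context, it should be stated next to the stub, e.g. `# Denied callers see the title only; do not copy other StoryMap fields into this stub.` Replacing `raise` with `return cls(errors=...)` also moves the denial into the mutation payload, so any client that relied on the raised exception to detect the refusal would need to read `errors` instead, which is worth confirming against the callers. The placeholder timestamps come from naive `datetime.now()`; if the project runs with timezone support, `timezone.now()` from `django.utils` would keep them aware. The permission check itself and the rest of the method lie outside the hunk.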
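--- a/terraso_backend/apps/story_map/permission_rules.py
+++ b/terraso_backend/apps/story_map/permission_rules.py
@@ -79,8 +79,9 @@ def allowed_to_approve_story_map_membership(user, obj):
 @rules.predicate
 def allowed_to_approve_story_map_membership_with_token(user, obj):
 membership = obj.get("membership")
-request_user = user
-return request_user.id == membership.user.id
+if not membership.user:
+return False
+return user.id == membership.user.id
 
 
 @rules.predicate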
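Review bot: The new guard in `allowed_to_approve_story_map_membership_with_token` covers an empty `membership.user` but not a missing `membership`: `obj.get("membership")` presumably returns `None` when the key is absent, and `membership.user` would then raise `AttributeError` instead of denying. A permission predicate is safer failing closed with an explicit `False`, e.g. `if not membership or not membership.user: return False`. Whether any caller can omit the key is not visible in this section, so treat this as a hardening suggestion.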
Expand Up @@ -459,7 +459,7 @@ def test_story_map_approve_membership_with_token_for_unregistered_user(


def test_story_map_approve_membership_with_token_for_registered_user_fails_due_user_mismatch(
client_query, story_map_user_memberships_approve_tokens
client_query, story_map_user_memberships_approve_tokens, story_maps
):
token = story_map_user_memberships_approve_tokens[1]

Expand All @@ -469,6 +469,12 @@ def test_story_map_approve_membership_with_token_for_registered_user_fails_due_u
$input: StoryMapMembershipApproveTokenMutationInput!
){
approveStoryMapMembershipToken(input: $input) {
storyMap {
title
id
createdAt
updatedAt
}
membership {
id
membershipStatus
Expand All @@ -485,7 +491,14 @@ def test_story_map_approve_membership_with_token_for_registered_user_fails_due_u
)
json_response = response.json()

print(json_response)
josebui marked this conversation as resolved.

assert "errors" in json_response["data"]["approveStoryMapMembershipToken"]
error_result = json_response["data"]["approveStoryMapMembershipToken"]["errors"][0]["message"]
json_error = json.loads(error_result)
assert json_error[0]["code"] == "update_not_allowed"
assert (
json_response["data"]["approveStoryMapMembershipToken"]["storyMap"]["title"]
== story_maps[0].title
)
assert json_response["data"]["approveStoryMapMembershipToken"]["storyMap"]["id"] == ""