fix: Limit project query to member of project #872

Merged
merged 2 commits into from
Oct 12, 2023
6 changes: 6 additions & 0 deletions terraso_backend/apps/project_management/graphql/projects.py
Expand Up @@ -143,6 +143,12 @@ def resolve_seen(self, info):
return True
return self.seen_by.filter(id=user.id).exists()

@classmethod
def get_queryset(cls, queryset, info):
# limit queries to membership lists of projects to which the user belongs
user_pk = getattr(info.context.user, "pk", None)
return queryset.filter(membership_list__memberships__user_id=user_pk)


class ProjectPrivacy(graphene.Enum):
PRIVATE = Project.PRIVATE
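Review bot: An unauthenticated request reaches the new filter with `user_pk` equal to `None`, and Django renders `filter(membership_list__memberships__user_id=None)` as an `IS NULL` comparison rather than an empty match, so what an anonymous caller sees depends on whether membership rows can ever have a null user instead of on an explicit decision. I would short-circuit before touching the database: `user = info.context.user`, `if not getattr(user, "is_authenticated", False): return queryset.none()`, then `return queryset.filter(membership_list__memberships__user_id=user.pk)`. Filtering through the to-many `memberships` relation can also return one row per matching membership, so a `.distinct()` is worth adding if a user can hold more than one membership in the same list. Graphene-django applies `get_queryset` on the type's connection and node lookups, so projects reached through another type's relation field may still bypass this check; that path is worth confirming separately. The enclosing class begins above the hunk.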
35 changes: 25 additions & 10 deletions terraso_backend/tests/graphql/test_projects_query.py
Expand Up @@ -19,30 +19,45 @@

pytestmark = pytest.mark.django_db


def test_query_by_member(client, project, project_user):
project2 = Project(name="2")
project2.save()
query = """
PROJECT_QUERY = """
{
projects(member: "%s") {
projects {
edges {
node {
id
name
membershipList {
id
memberships {
edges {
node {
id
}
}
}
}
}
}
totalCount
}
}
""" % (
project_user.id,
)
"""


def test_query_by_member(client, project, project_user):
project2 = Project(name="2")
project2.save()
client.force_login(project_user)
response = graphql_query(query, client=client)
response = graphql_query(PROJECT_QUERY, client=client)
assert "errors" not in response.json()
edges = response.json()["data"]["projects"]["edges"]
assert len(edges) == 1
assert edges[0]["node"]["name"] == str(project.name)


def test_query_by_non_member(client, project):
response = graphql_query(PROJECT_QUERY, client=client)
payload = response.json()
assert "errors" not in payload
assert len(payload["data"]["projects"]["edges"]) == 0
assert payload["data"]["projects"]["totalCount"] == 0
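Review bot: `test_query_by_non_member` never logs anyone in, so it exercises the anonymous path (where the resolver's `pk` lookup yields `None`) rather than an authenticated user who is not a member of the project, which is the case the PR title describes. Logging a second user in before the query, for example `client.force_login(user)` if the `user` fixture that the sites test previously used is still available, would cover that boundary, and the anonymous request could remain as its own test. The positive test now selects `membershipList.memberships` but asserts only the project name, so nothing pins what membership data comes back for the visible project; an assertion on the returned membership node ids would make the intended restriction explicit. Both test functions lie entirely within the hunk.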
6 changes: 3 additions & 3 deletions terraso_backend/tests/graphql/test_sites_query.py
Expand Up @@ -23,13 +23,13 @@
pytestmark = pytest.mark.django_db


def test_query_site_fields(client, project, user):
def test_query_site_fields(client, project, project_user):
sites = [
Site(
name="site 1",
latitude=1.0,
longitude=-1.0,
owner=user,
owner=project_user,
privacy="PRIVATE",
archived=False,
),
Expand Down Expand Up @@ -59,7 +59,7 @@ def test_query_site_fields(client, project, user):
}
}
"""
client.force_login(user)
client.force_login(project_user)

for site, response in [(site, graphql_query(query % site.id, client=client)) for site in sites]:
assert "errors" not in response.json()