Add additional permission checks for GraphQL queries

(cherry picked from commit fce5c228675796113c1b00b4a0b399ace2878210) (cherry picked from commit 7f40457b)

Add additional permission checks for GraphQL queries
48397712 · Hangzhi Yu · Jonathan Weth · 30517bda · 48397712 · 48397712
Verified Commit 48397712 authored 2 years ago by Hangzhi Yu Committed by Jonathan Weth 2 years ago
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,8 +6,16 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog`_,
 and this project adheres to `Semantic Versioning`_.
-`2.12.3` - 2023-03-07
+`2.12.4`_ - 2023-03-19
---------------------
+----------------------
+Fixed
+~~~~~
+* Some GraphQL queries could return more data than permitted in related fields.
+`2.12.3`_ - 2023-03-07
+----------------------
 Fixed
 ~~~~~
@@ -989,3 +997,4 @@ Fixed
 .. _2.12.1: https://edugit.org/AlekSIS/Official/AlekSIS/-/tags/2.12.1
 .. _2.12.2: https://edugit.org/AlekSIS/Official/AlekSIS/-/tags/2.12.2
 .. _2.12.3: https://edugit.org/AlekSIS/Official/AlekSIS/-/tags/2.12.3
+.. _2.12.4: https://edugit.org/AlekSIS/Official/AlekSIS/-/tags/2.12.4
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -35,49 +35,49 @@ rules.add_perm("core.view_persons_rule", view_persons_predicate)
 # View person
 view_person_predicate = has_person & (
-    has_global_perm("core.view_person") | has_object_perm("core.view_person") | is_current_person
+    is_current_person | has_global_perm("core.view_person") | has_object_perm("core.view_person")
 )
 rules.add_perm("core.view_person_rule", view_person_predicate)
 # View person address
 view_address_predicate = has_person & (
-    has_global_perm("core.view_address") | has_object_perm("core.view_address") | is_current_person
+    is_current_person | has_global_perm("core.view_address") | has_object_perm("core.view_address")
 )
 rules.add_perm("core.view_address_rule", view_address_predicate)
 # View person contact details
 view_contact_details_predicate = has_person & (
-    has_global_perm("core.view_contact_details")
+    is_current_person
+    | has_global_perm("core.view_contact_details")
    | has_object_perm("core.view_contact_details")
-    | is_current_person
 )
 rules.add_perm("core.view_contact_details_rule", view_contact_details_predicate)
 # View person photo
 view_photo_predicate = has_person & (
-    has_global_perm("core.view_photo") | has_object_perm("core.view_photo") | is_current_person
+    is_current_person | has_global_perm("core.view_photo") | has_object_perm("core.view_photo")
 )
 rules.add_perm("core.view_photo_rule", view_photo_predicate)
 # View person avatar image
 view_avatar_predicate = has_person & (
-    has_global_perm("core.view_avatar") | has_object_perm("core.view_avatar") | is_current_person
+    is_current_person | has_global_perm("core.view_avatar") | has_object_perm("core.view_avatar")
 )
 rules.add_perm("core.view_avatar_rule", view_avatar_predicate)
 # View persons groups
 view_groups_predicate = has_person & (
-    has_global_perm("core.view_person_groups")
+    is_current_person
+    | has_global_perm("core.view_person_groups")
    | has_object_perm("core.view_person_groups")
-    | is_current_person
 )
 rules.add_perm("core.view_person_groups_rule", view_groups_predicate)
 # Edit person
 edit_person_predicate = has_person & (
-    has_global_perm("core.change_person")
+    is_current_person & is_site_preference_set("account", "editable_fields_person")
+    | has_global_perm("core.change_person")
    | has_object_perm("core.change_person")
-    | is_current_person & is_site_preference_set("account", "editable_fields_person")
 )
 rules.add_perm("core.edit_person_rule", edit_person_predicate)
@@ -166,9 +166,9 @@ rules.add_perm(
 # View person personal details
 view_personal_details_predicate = has_person & (
-    has_global_perm("core.view_personal_details")
+    is_current_person
+    | has_global_perm("core.view_personal_details")
    | has_object_perm("core.view_personal_details")
-    | is_current_person
 )
 rules.add_perm("core.view_personal_details_rule", view_personal_details_predicate)
@@ -181,9 +181,9 @@ rules.add_perm("core.change_site_preferences_rule", change_site_preferences)
 # Change person preferences
 change_person_preferences = has_person & (
-    has_global_perm("core.change_person_preferences")
+    is_current_person
+    | has_global_perm("core.change_person_preferences")
    | has_object_perm("core.change_person_preferences")
-    | is_current_person
 )
 rules.add_perm("core.change_person_preferences_rule", change_person_preferences)
@@ -222,6 +222,12 @@ view_additional_fields_predicate = has_person & (
 )
 rules.add_perm("core.view_additionalfields_rule", view_additional_fields_predicate)
+# View group type
+view_group_type_predicate = has_person & (
+    has_global_perm("core.view_grouptype") | has_object_perm("core.view_grouptype")
+)
+rules.add_perm("core.view_grouptype_rule", view_group_type_predicate)
 # Edit group type
 change_group_type_predicate = has_person & (
    has_global_perm("core.change_grouptype") | has_object_perm("core.change_grouptype")

--- a/aleksis/core/schema.py
+++ b/aleksis/core/schema.py
@@ -13,21 +13,190 @@ from .util.frontend_helpers import get_language_cookie
 class NotificationType(DjangoObjectType):
    class Meta:
        model = Notification
+        fields = [
+            "sender",
+            "recipient",
+            "title",
+            "description",
+            "link",
+            "icon",
+            "send_at",
+            "read",
+            "sent",
+            "created",
+            "modified",
+        ]
+        @staticmethod
+        def resolve_recipient(root, info, **kwargs):
+            if info.context.user.has_perm("core.view_person_rule", root.recipient):
+                return root.recipient
+            raise PermissionDenied()
 class PersonType(DjangoObjectType):
    class Meta:
        model = Person
+        fields = [
+            "user",
+            "first_name",
+            "last_name",
+            "additional_name",
+            "short_name",
+            "street",
+            "housenumber",
+            "postal_code",
+            "place",
+            "phone_number",
+            "mobile_number",
+            "email",
+            "date_of_birth",
+            "place_of_birth",
+            "sex",
+            "photo",
+            "avatar",
+            "guardians",
+            "primary_group",
+            "description",
+            "children",
+            "owner_of",
+            "member_of",
+        ]
    full_name = graphene.Field(graphene.String)
    def resolve_full_name(root: Person, info, **kwargs):
        return root.full_name
+    def resolve_street(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_address_rule", root):
+            return root.street
+        return None
+    def resolve_housenumber(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_address_rule", root):
+            return root.housenumber
+        return None
+    def resolve_postal_code(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_address_rule", root):
+            return root.postal_code
+        return None
+    def resolve_place(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_address_rule", root):
+            return root.place
+        return None
+    def resolve_phone_number(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_contact_details_rule", root):
+            return root.phone_number
+        return None
+    def resolve_mobile_number(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_contact_details_rule", root):
+            return root.mobile_number
+        return None
+    def resolve_email(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_contact_details_rule", root):
+            return root.email
+        return None
+    def resolve_date_of_birth(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_personal_details_rule", root):
+            return root.date_of_birth
+        return None
+    def resolve_place_of_birth(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_personal_details_rule", root):
+            return root.place_of_birth
+        return None
+    def resolve_children(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_personal_details_rule", root):
+            return get_objects_for_user(info.context.user, "core.view_person", root.children.all())
+        return []
+    def resolve_guardians(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_personal_details_rule", root):
+            return get_objects_for_user(info.context.user, "core.view_person", root.guardians.all())
+        return []
+    def resolve_member_of(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_person_groups_rule", root):
+            return get_objects_for_user(info.context.user, "core.view_group", root.member_of.all())
+        return []
+    def resolve_owner_of(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_person_groups_rule", root):
+            return get_objects_for_user(info.context.user, "core.view_group", root.owner_of.all())
+        return []
+    def resolve_primary_group(root, info, **kwargs):  # noqa
+        if info.context.user.has_perm("core.view_group_rule", root.primary_group):
+            return root.primary_group
+        raise PermissionDenied()
+    def resolve_photo(root, info, **kwargs):
+        if info.context.user.has_perm("core.view_photo_rule", root):
+            return root.photo
+        return None
+    def resolve_avatar(root, info, **kwargs):
+        if info.context.user.has_perm("core.view_avatar_rule", root):
+            return root.avatar
+        return None
 class GroupType(DjangoObjectType):
    class Meta:
        model = Group
+        fields = [
+            "name",
+            "short_name",
+            "members",
+            "owners",
+            "parent_groups",
+            "group_type",
+            "additional_fields",
+            "photo",
+            "avatar",
+        ]
+    @staticmethod
+    def resolve_parent_groups(root, info, **kwargs):
+        return get_objects_for_user(info.context.user, "core.view_group", root.parent_groups.all())
+    @staticmethod
+    def resolve_members(root, info, **kwargs):
+        persons = get_objects_for_user(info.context.user, "core.view_person", root.members.all())
+        if has_person(info.context.user) and [
+            m for m in root.members.all() if m.pk == info.context.user.person.pk
+        ]:
+            persons = (persons | Person.objects.get(pk=info.context.user.person.pk)).distinct()
+        return persons
+    @staticmethod
+    def resolve_owners(root, info, **kwargs):
+        persons = get_objects_for_user(info.context.user, "core.view_person", root.owners.all())
+        if has_person(info.context.user) and [
+            o for o in root.owners.all() if o.pk == info.context.user.person.pk
+        ]:
+            persons = (persons | Person.objects.get(pk=info.context.user.person.pk)).distinct()
+        return persons
+    @staticmethod
+    def resolve_group_type(root, info, **kwargs):
+        if info.context.user.has_perm("core.view_grouptype_rule", root.group_type):
+            return root.group_type
+        raise PermissionDenied()
+    @staticmethod
+    def resolve_additional_fields(root, info, **kwargs):
+        return get_objects_for_user(
+            info.context.user, "core.view_additionalfield", root.additional_fields.all()
+        )
 class LanguageType(ObjectType):