Implement Dashboard Auth logic (#1823)

* Add is_owasp_staff to the GitHub user model

* Add dashboard wrapper

* Protect Dashboard from frontend

* Add dashboard button

* undo comments

* Add wrappers

* Refactor and handle loading

* Improve button style

* Fix session user type

* Update backend tests

* Update projects wrapper

* Use useDjangoSession

* Protect backend

* Update DashboardWrapper

* Update tests

* Update docker

* Undo docker

* Undo docker

* Mock auth

* Update e2e tests

* Update e2e

* Update permissions for pdf

* Update playwright config with mock GitHub client ID and secret

* Update permissions

* Update playwright config

* Update timeout

* Update .env.example and timeout

* Update e2e login test

* Update Session.user type

* Refactor and merge migrations

* Apply suggestions

* Update tests

* Update code

* Add credentials

* Remove comments from permissions.py

* Apply suggestions

* Update unit tests

* Update e2e

* Apply rabbit suggestions

* Update code

---------

Co-authored-by: Kate Golovanova <[email protected]>
Co-authored-by: Arkadii Yakovets <[email protected]>
Co-authored-by: Arkadii Yakovets <[email protected]>

Author: 3 people

backend/apps/github/api/internal/nodes/user.py

@@ -17,6 +17,7 @@
         "followers_count",
         "following_count",
         "id",
+        "is_owasp_staff",
         "location",
         "login",
         "name",

backend/apps/github/migrations/0033_user_is_owasp_staff.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.2.4 on 2025-07-23 08:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("github", "0032_user_github_user_created_at_desc_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="is_owasp_staff",
+            field=models.BooleanField(
+                default=False,
+                help_text="Indicates if the user is an OWASP staff member.",
+                verbose_name="OWASP Staff",
+            ),
+        ),
+    ]

backend/apps/github/migrations/0034_merge_20250804_1817.py

@@ -0,0 +1,12 @@
+# Generated by Django 5.2.4 on 2025-08-04 18:17
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("github", "0033_alter_release_published_at"),
+        ("github", "0033_user_is_owasp_staff"),
+    ]
+
+    operations = []

backend/apps/github/models/user.py

@@ -35,6 +35,12 @@ class Meta:
 
     is_bot = models.BooleanField(verbose_name="Is bot", default=False)
 
+    is_owasp_staff = models.BooleanField(
+        default=False,
+        verbose_name="OWASP Staff",
+        help_text="Indicates if the user is an OWASP staff member.",
+    )
+
     contributions_count = models.PositiveIntegerField(
         verbose_name="Contributions count", default=0
     )

backend/apps/nest/api/internal/mutations/user.py

@@ -10,6 +10,7 @@
 from strawberry.types import Info
 
 from apps.github.models import User as GithubUser
+from apps.nest.api.internal.nodes.user import AuthUserNode
 from apps.nest.models import User
 
 logger = logging.getLogger(__name__)
@@ -30,6 +31,7 @@ class GitHubAuthResult:
 
     message: str
     ok: bool
+    user: AuthUserNode | None = None
 
 
 @strawberry.type
@@ -85,6 +87,7 @@ def github_auth(self, info: Info, access_token: str) -> GitHubAuthResult:
             return GitHubAuthResult(
                 message="Successfully authenticated with GitHub.",
                 ok=True,
+                user=nest_user,
             )
         except BadCredentialsException:
             return GitHubAuthResult(

backend/apps/nest/api/internal/nodes/user.py

@@ -8,3 +8,8 @@
 @strawberry_django.type(User, fields=["username"])
 class AuthUserNode:
     """GraphQL node for User model."""
+
+    @strawberry_django.field
+    def is_owasp_staff(self) -> bool:
+        """Check if the user is an OWASP staff member."""
+        return self.github_user.is_owasp_staff if self.github_user else False

backend/apps/owasp/api/internal/permissions/__init__.py

@@ -0,0 +1,17 @@
+"""Strawberry Permission Classes for Project Health Metrics."""
+
+from strawberry.permission import BasePermission
+
+
+class HasDashboardAccess(BasePermission):
+    """Permission class to check if the user has dashboard access."""
+
+    message = "You must have dashboard access to access this resource."
+
+    def has_permission(self, source, info, **kwargs) -> bool:
+        """Check if the user has dashboard access."""
+        return (
+            (user := info.context.request.user)
+            and user.is_authenticated
+            and user.github_user.is_owasp_staff
+        )

backend/apps/owasp/api/internal/permissions/project_health_metrics.py

@@ -7,6 +7,7 @@
 from apps.owasp.api.internal.nodes.project_health_metrics import ProjectHealthMetricsNode
 from apps.owasp.api.internal.nodes.project_health_stats import ProjectHealthStatsNode
 from apps.owasp.api.internal.ordering.project_health_metrics import ProjectHealthMetricsOrder
+from apps.owasp.api.internal.permissions.project_health_metrics import HasDashboardAccess
 from apps.owasp.models.project_health_metrics import ProjectHealthMetrics
 
 
@@ -19,6 +20,7 @@ class ProjectHealthMetricsQuery:
         description="List of project health metrics.",
         pagination=True,
         ordering=ProjectHealthMetricsOrder,
+        permission_classes=[HasDashboardAccess],
     )
     def project_health_metrics(
         self,
@@ -39,7 +41,9 @@ def project_health_metrics(
         """
         return ProjectHealthMetrics.get_latest_health_metrics()
 
-    @strawberry.field
+    @strawberry.field(
+        permission_classes=[HasDashboardAccess],
+    )
     def project_health_stats(self) -> ProjectHealthStatsNode:
         """Resolve overall project health stats.
 
@@ -49,7 +53,9 @@ def project_health_stats(self) -> ProjectHealthStatsNode:
         """
         return ProjectHealthMetrics.get_stats()
 
-    @strawberry.field
+    @strawberry.field(
+        permission_classes=[HasDashboardAccess],
+    )
     def project_health_metrics_distinct_length(
         self,
         filters: ProjectHealthMetricsFilter | None = None,

backend/apps/owasp/api/internal/queries/project_health_metrics.py

@@ -0,0 +1,30 @@
+"""Permissions for OWASP API views."""
+
+from functools import wraps
+
+from django.http import HttpResponseForbidden
+
+
+def has_dashboard_permission(request):
+    """Check if user has dashboard access."""
+    return (user := request.user) and user.is_authenticated and user.github_user.is_owasp_staff
+
+
+def dashboard_access_required(view_func):
+    """Require dashboard access permission.
+
+    Args:
+        view_func: The view function to wrap.
+
+    Returns:
+        The wrapped view function that checks for dashboard access permission.
+
+    """
+
+    @wraps(view_func)
+    def _wrapper(request, *args, **kwargs):
+        if not has_dashboard_permission(request):
+            return HttpResponseForbidden("You must have dashboard access to access this resource.")
+        return view_func(request, *args, **kwargs)
+
+    return _wrapper