feat: Basic Perms for new Resolvers

fahimalizain · Space · commit a8419fb760a3 · 2022-08-16T10:21:38.000Z
fix: Use get_list in doc-dataloader

feat: Basic Perms for new resolvers


Co-authored-by: Fahim Ali Zain &lt;fahimalizain@gmail.com&gt;

Merge-request: ROMMAN-MR-126
Merged-by: Fahim Ali Zain &lt;fahim.zain@leam.ae&gt;
diff --git a/frappe_graphql/utils/resolver/dataloaders/doctype_loader.py b/frappe_graphql/utils/resolver/dataloaders/doctype_loader.py
@@ -19,7 +19,7 @@ def get_doctype_dataloader(doctype: str) -> DataLoader:
 def _get_document_loader_fn(doctype: str):
 
     def _load_documents(keys: List[str]):
-        docs = frappe.get_all(
+        docs = frappe.get_list(
             doctype=doctype,
             filters=[["name", "IN", keys]],
             fields=["*", f"'{doctype}' as doctype"],
diff --git a/frappe_graphql/utils/resolver/link_field.py b/frappe_graphql/utils/resolver/link_field.py
@@ -50,6 +50,7 @@ def _resolve_link_field(obj, info: GraphQLResolveInfo, **kwargs):
     if not (dt and dn):
         return None
 
+    # Permission check is done within get_doctype_dataloader via get_list
     return get_doctype_dataloader(dt).load(dn)
 
 
@@ -66,6 +67,7 @@ def _resolve_dynamic_link_field(obj, info: GraphQLResolveInfo, **kwargs):
     if not dn:
         return None
 
+    # Permission check is done within get_doctype_dataloader via get_list
     return get_doctype_dataloader(dt).load(dn)
 
 
diff --git a/frappe_graphql/utils/resolver/root_query.py b/frappe_graphql/utils/resolver/root_query.py
@@ -35,11 +35,18 @@ def _get_doc_resolver(obj, info: GraphQLResolveInfo, **kwargs):
     if is_single(dt):
         kwargs["name"] = dt
 
-    return get_doctype_dataloader(dt).load(kwargs["name"])
+    dn = kwargs["name"]
+    if not frappe.has_permission(doctype=dt, doc=dn):
+        raise frappe.PermissionError(frappe._("No permission for {0}").format(dt + " " + dn))
+
+    return get_doctype_dataloader(dt).load(dn)
 
 
 def _doc_cursor_resolver(obj, info: GraphQLResolveInfo, **kwargs):
     plural_doctype = get_plural_doctype(info.field_name)
-    frappe.has_permission(doctype=plural_doctype, throw=True)
+
+    frappe.has_permission(
+        doctype=plural_doctype,
+        throw=True)
 
     return CursorPaginator(doctype=plural_doctype).resolve(obj, info, **kwargs)
