Merge pull request #374 from MySecondLanguage/first-or-last

First or last

Author: MySecondLanguage

nxtbn/cart/admin_query.py

@@ -3,6 +3,7 @@
 
 from nxtbn.cart.models import Cart
 from nxtbn.cart.admin_types import CartItemType, CartType
+from nxtbn.core.admin_permissions import check_user_permissions
 
 
 class AdminCartQuery(graphene.ObjectType):
@@ -13,15 +14,18 @@ class AdminCartQuery(graphene.ObjectType):
     items_in_cart = graphene.List(CartItemType, cart_id=graphene.ID(required=True))
 
     def resolve_carts(self, info, **kwargs):
+        check_user_permissions(info, any_staff=True)
         return Cart.objects.all()
 
     def resolve_cart_by_user(self, info, user_id):
+        check_user_permissions(info, any_staff=True)
         try:
             return Cart.objects.get(user_id=user_id)
         except Cart.DoesNotExist:
             return None
 
     def resolve_items_in_cart(self, info, cart_id):
+        check_user_permissions(info, any_staff=True)
         try:
             cart = Cart.objects.get(id=cart_id)
             return cart.items.all()

nxtbn/core/admin_mutation.py

@@ -2,8 +2,10 @@
 import graphene
 
 from nxtbn.core import CurrencyTypes
+from nxtbn.core.admin_permissions import check_user_permissions
 from nxtbn.core.admin_types import CurrencyExchangeType
 from nxtbn.core.models import CurrencyExchange
+from nxtbn.users import UserRole
 
 class CurrencyExchangeInput(graphene.InputObjectType):
     base_currency = graphene.String(required=True)
@@ -21,6 +23,7 @@ class Arguments:
 
     @staticmethod
     def mutate(root, info, input):
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN])
         # Validate base_currency
         base_currency = input.base_currency
         if base_currency != settings.BASE_CURRENCY:
@@ -48,6 +51,7 @@ class Arguments:
 
     @staticmethod
     def mutate(root, info, id, input):
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN])
         try:
             currency_exchange = CurrencyExchange.objects.get(pk=id)
         except CurrencyExchange.DoesNotExist:
@@ -65,6 +69,7 @@ class Arguments:
 
     @staticmethod
     def mutate(root, info, id):
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN])
         try:
             currency_exchange = CurrencyExchange.objects.get(pk=id)
         except CurrencyExchange.DoesNotExist:

nxtbn/core/admin_queries.py

@@ -3,6 +3,7 @@
 from graphql import GraphQLError
 
 from nxtbn.core import CurrencyTypes
+from nxtbn.core.admin_permissions import check_user_permissions
 from nxtbn.core.admin_types import AdminCurrencyTypesEnum, CurrencyExchangeType
 from nxtbn.core.models import CurrencyExchange
 from graphene_django.filter import DjangoFilterConnectionField
@@ -14,15 +15,18 @@ class AdminCoreQuery(graphene.ObjectType):
     allowed_currency_list = graphene.List(AdminCurrencyTypesEnum)
 
     def resolve_currency_exchanges(self, info, **kwargs):
+        check_user_permissions(info, any_staff=True)
         return CurrencyExchange.objects.all()
 
     def resolve_currency_exchange(self, info, id):
+        check_user_permissions(info, any_staff=True)
         try:
             return CurrencyExchange.objects.get(id=id)
         except CurrencyExchange.DoesNotExist:
             return None
 
     def resolve_allowed_currency_list(self, info):
+        check_user_permissions(info, any_staff=True)
         allowed_currency_list = settings.ALLOWED_CURRENCIES
 
         if not allowed_currency_list:

nxtbn/order/admin_queries.py

@@ -1,8 +1,10 @@
 import graphene
 from graphene_django.filter import DjangoFilterConnectionField
 
+from nxtbn.core.admin_permissions import check_user_permissions
 from nxtbn.order.admin_types import OrderType
 from nxtbn.order.models import Address, Order
+from nxtbn.users import UserRole
 
 
 class AdminOrderQuery(graphene.ObjectType):
@@ -13,9 +15,11 @@ class AdminOrderQuery(graphene.ObjectType):
     # address = graphene.Field(AddressGraphType, id=graphene.Int(required=True))
 
     def resolve_orders(self, info, **kwargs):
+        check_user_permissions(info, any_staff=True)
         return Order.objects.all()
 
     def resolve_order(self, info, id):
+        check_user_permissions(info, any_staff=True)
         try:
             order = Order.objects.get(id=id)
         except Order.DoesNotExist:
@@ -24,9 +28,11 @@ def resolve_order(self, info, id):
         return order
 
     def resolve_addresses(self, info):
+        check_user_permissions(info, any_staff=True)
         return Address.objects.all()
 
     def resolve_address(self, info, id):
+        check_user_permissions(info, any_staff=True)
         try:
             address = Address.objects.get(id=id)
         except Address.DoesNotExist:

nxtbn/product/admin_mutations.py

@@ -20,7 +20,7 @@ class Arguments:
     category = graphene.Field(CategoryType)
 
     def mutate(self, info, id, input):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER])
         category = Category.objects.get(id=id)
         category.name = input.name
         category.description = input.description
@@ -48,7 +48,7 @@ class Arguments:
     product_translation = graphene.Field(ProductTranslationType)
 
     def mutate(self, info, base_product_id, lang_code, name, summary, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             product_translation = ProductTranslation.objects.get(product_id=base_product_id, language_code=lang_code)
         except ProductTranslation.DoesNotExist:
@@ -76,7 +76,7 @@ class Arguments:
     category_translation = graphene.Field(CategoryTranslationType)
 
     def mutate(self, info, base_category_id, lang_code, name, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             category_translation = CategoryTranslation.objects.get(category_id=base_category_id, language_code=lang_code)
         except CategoryTranslation.DoesNotExist:
@@ -103,7 +103,7 @@ class Arguments:
     supplier_translation = graphene.Field(SupplierTranslationType)
 
     def mutate(self, info, base_supplier_id, lang_code, name, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             supplier_translation = SupplierTranslation.objects.get(supplier_id=base_supplier_id, language_code=lang_code)
         except SupplierTranslation.DoesNotExist:
@@ -127,7 +127,7 @@ class Arguments:
     product_variant_translation = graphene.Field(ProductVariantTranslationType)
 
     def mutate(self, info, base_product_variant_id, lang_code, name, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             product_variant_translation = ProductVariantTranslation.objects.get(product_variant_id=base_product_variant_id, language_code=lang_code)
         except ProductVariantTranslation.DoesNotExist:
@@ -147,7 +147,7 @@ class Arguments:
     product_tag_translation = graphene.Field(ProductTagTranslationType)
 
     def mutate(self, info, base_product_tag_id, lang_code, name, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             product_tag_translation = ProductTagTranslation.objects.get(product_tag_id=base_product_tag_id, language_code=lang_code)
         except ProductTagTranslation.DoesNotExist:
@@ -170,7 +170,7 @@ class Arguments:
     collection_translation = graphene.Field(CollectionTranslationType)
 
     def mutate(self, info, base_collection_id, lang_code, name, description, meta_title, meta_description):
-        check_user_permissions(info, allowed_roles=[UserRole.PRODUCT_MANAGER, UserRole.STORE_MANAGER, UserRole.ADMIN])
+        check_user_permissions(info, allowed_roles=[UserRole.STORE_MANAGER, UserRole.ADMIN, UserRole.PRODUCT_MANAGER, UserRole.TRANSLATOR])
         try:
             collection_translation = CollectionTranslation.objects.get(collection_id=base_collection_id, language_code=lang_code)
         except CollectionTranslation.DoesNotExist:

nxtbn/product/admin_queries.py

@@ -95,15 +95,15 @@ def resolve_product_variants(root, info, **kwargs):
         return Product.objects.all()
 
     def resolve_category(root, info, id):
-        # check_user_permissions(info, any_staff=True)
+        check_user_permissions(info, any_staff=True)
 
         try:
             return Category.objects.get(pk=id)
         except Category.DoesNotExist:
             return None
 
     def resolve_categories(root, info, **kwargs):
-        # check_user_permissions(info, any_staff=True)
+        check_user_permissions(info, any_staff=True)
         return Category.objects.all()
 
     # All translations

nxtbn/settings.py

@@ -334,9 +334,11 @@ def get_env_var(key, default=None, var_type=str):
     'SCHEMA': 'nxtbn.admin_schema.admin_schema',
     'MIDDLEWARE': [
         'graphene_django.debug.DjangoDebugMiddleware',
+        'nxtbn.users.auth_middleware.MaxQueryDepthMiddleware',
         'nxtbn.users.auth_middleware.NXTBNGraphQLAuthenticationMiddleware',
     ],
     'RELAY_CONNECTION_MAX_LIMIT': 100, # pagination limit
+    'RELAY_CONNECTION_ENFORCE_FIRST_OR_LAST': True,
 }
 
 

nxtbn/users/__init__.py

@@ -151,4 +151,13 @@ class UserRole(models.TextChoices):
     - Restrictions:
       - Cannot add, edit, or delete any data.
       - Cannot manage users, roles, or system settings.
+    """
+
+    TRANSLATOR = 'TRANSLATOR', 'Translator'
+    """
+    Translator:
+    - Description: Responsible for translating content into different languages.
+    - Permissions:
+      - Translate product listings, categories, and other site content.
+      - Manage translations for various languages.
     """

nxtbn/users/admin_mutation.py

@@ -109,3 +109,5 @@ def mutate(self, info, refresh_token):
 class AdminUserMutation(graphene.ObjectType):
     login = AdminLoginMutation.Field()
     refresh_token = AdminTokenRefreshMutation.Field()
+
+    

nxtbn/users/auth_middleware.py

@@ -2,6 +2,60 @@
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.auth import get_user_model
 
+
+from graphql import GraphQLError
+from graphql.language.ast import FieldNode, FragmentSpreadNode, InlineFragmentNode
+
+
+class MaxQueryDepthMiddleware:
+    def __init__(self, max_depth=6, max_top_level_fields=2):
+        self.max_depth = max_depth
+        self.max_top_level_fields = max_top_level_fields
+
+    def resolve(self, next, root, info, **kwargs):
+        operation = info.operation
+
+        # Bypass validation for introspection queries
+        if self._is_introspection_query(operation):
+            return next(root, info, **kwargs)
+
+        # Validate max depth
+        query_depth = self._calculate_depth(operation.selection_set, info)
+        if query_depth > self.max_depth:
+            raise GraphQLError(f"Query depth exceeds the maximum limit of {self.max_depth}. Current depth: {query_depth}.")
+
+        # Validate max top-level fields
+        top_level_fields_count = len(operation.selection_set.selections)
+        if top_level_fields_count > self.max_top_level_fields:
+            raise GraphQLError(f"Query exceeds the maximum of {self.max_top_level_fields} top-level fields. Current count: {top_level_fields_count}.")
+
+        # Continue to the next middleware or resolver
+        return next(root, info, **kwargs)
+
+    def _is_introspection_query(self, operation):
+        # Check if the operation contains any introspection fields
+        if operation.selection_set:
+            for selection in operation.selection_set.selections:
+                if isinstance(selection, FieldNode) and selection.name.value.startswith("__"):
+                    return True
+        return False
+
+    def _calculate_depth(self, selection_set, info, depth=0):
+        if not selection_set or not hasattr(selection_set, "selections"):
+            return depth
+
+        depths = []
+        for selection in selection_set.selections:
+            if isinstance(selection, (FieldNode, InlineFragmentNode)):
+                depths.append(self._calculate_depth(selection.selection_set, info, depth + 1))
+            elif isinstance(selection, FragmentSpreadNode):
+                fragment = info.fragments.get(selection.name.value)
+                if fragment:
+                    depths.append(self._calculate_depth(fragment.selection_set, info, depth + 1))
+        return max(depths, default=depth)
+
+
+
 class NXTBNGraphQLAuthenticationMiddleware:
     def __init__(self):
         self.jwt_manager = JWTManager()