Merge pull request #385 from MySecondLanguage/make-user-data-protected

Make user data protected

Author: MySecondLanguage

nxtbn/users/admin_mutation.py

@@ -5,6 +5,7 @@
 from django.conf import settings
 from graphql import GraphQLError
 
+from nxtbn.core.admin_permissions import gql_store_admin_required
 from nxtbn.users.admin_types import PermissionType
 from nxtbn.users.api.storefront.serializers import JwtBasicUserSerializer
 from nxtbn.users.models import User
@@ -121,11 +122,19 @@ class Arguments:
     success = graphene.Boolean()
     message = graphene.String()
 
+    @gql_store_admin_required
     def mutate(self, info, user_id, permission_codename):
         try:
             user = User.objects.get(id=user_id)
         except User.DoesNotExist:
             return TogglePermissionMutation(success=False, message="User not found")
+        
+
+        if user.is_superuser or user.is_store_admin:
+            raise GraphQLError("Superusers and store administrators have all permissions by default and their permissions cannot be modified.")
+        
+        if not user.is_active or not user.is_staff:
+            raise GraphQLError("User is not an active staff member.")
 
         try:
             permission = Permission.objects.get(codename=permission_codename)

nxtbn/users/admin_queries.py

@@ -10,10 +10,10 @@
 class UserAdminQuery(graphene.ObjectType):
     users = DjangoFilterConnectionField(AdminUserType)
     user = graphene.Field(AdminUserType, id=graphene.Int(required=True))
-    permissions = graphene.List(PermissionType, user_id=graphene.Int(required=True))
+    permissions = graphene.List(PermissionType, search=graphene.String(required=True), user_id=graphene.Int(required=True))
 
     def resolve_users(self, info, **kwargs):
-        return User.objects.all()
+        return User.objects.filter(is_staff=True)
 
     def resolve_user(self, info, id):
         try:
@@ -23,15 +23,15 @@ def resolve_user(self, info, id):
 
         return user
 
-    def resolve_permissions(self, info, user_id):
+    def resolve_permissions(self, info, search, user_id):
         # Get the user by the provided user_id
         try:
             user = User.objects.prefetch_related('user_permissions').get(id=user_id)
         except User.DoesNotExist:
             return []  # If the user doesn't exist, return an empty list
 
         # Retrieve all permissions from the database
-        permissions = Permission.objects.all()
+        permissions = Permission.objects.filter(name__icontains=search)
 
         # Create a set of user's permissions for quick lookup
         user_permissions = set(user.user_permissions.all())

nxtbn/users/api/dashboard/serializers.py

@@ -119,12 +119,7 @@ class Meta:
             'password',
             'role'
         ]
-        extra_kwargs = {
-            'is_staff': {'read_only': True},
-            'is_superuser': {'read_only': True},
-            'username': {'read_only': True}
-
-        }
+        read_only_fields = ['id', 'is_superuser', 'is_staff', 'is_active', 'role', 'username']
 
     def create(self, validated_data):
         password = validated_data.pop('password', None)

nxtbn/users/api/dashboard/views.py

@@ -258,7 +258,9 @@ def get_serializer_class(self):
         return UserMututionalSerializer
 
     def get_queryset(self):
-        return User.objects.exclude(role=UserRole.CUSTOMER)
+        return User.objects.filter(
+            is_staff=True,
+        )
 
     @action(detail=True, methods=['put'])
     def deactivate(self, request, pk=None):