Merge pull request #380 from MySecondLanguage/admin-mutation

Admin mutation

Author: MySecondLanguage

nxtbn/cart/admin_query.py

@@ -3,7 +3,7 @@
 
 from nxtbn.cart.models import Cart
 from nxtbn.cart.admin_types import CartItemType, CartType
-from nxtbn.core.admin_permissions import gql_staff_required
+from nxtbn.core.admin_permissions import gql_store_admin_required
 
 
 class AdminCartQuery(graphene.ObjectType):
@@ -13,18 +13,18 @@ class AdminCartQuery(graphene.ObjectType):
 
     items_in_cart = graphene.List(CartItemType, cart_id=graphene.ID(required=True))
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_carts(self, info, **kwargs):
         return Cart.objects.all()
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_cart_by_user(self, info, user_id):
         try:
             return Cart.objects.get(user_id=user_id)
         except Cart.DoesNotExist:
             return None
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_items_in_cart(self, info, cart_id):
         try:
             cart = Cart.objects.get(id=cart_id)

nxtbn/core/admin_mutation.py

@@ -2,6 +2,7 @@
 import graphene
 
 from nxtbn.core import CurrencyTypes
+from nxtbn.core.admin_permissions import gql_required_perm
 from nxtbn.core.admin_types import CurrencyExchangeType
 from nxtbn.core.models import CurrencyExchange
 from nxtbn.users import UserRole
@@ -20,6 +21,7 @@ class Arguments:
 
     currency_exchange = graphene.Field(CurrencyExchangeType)
 
+    @gql_required_perm(CurrencyExchange, 'add_currencyexchange')
     @staticmethod
     def mutate(root, info, input):
         # Validate base_currency
@@ -47,6 +49,7 @@ class Arguments:
 
     currency_exchange = graphene.Field(CurrencyExchangeType)
 
+    @gql_required_perm(CurrencyExchange, 'change_currencyexchange')
     @staticmethod
     def mutate(root, info, id, input):
         try:
@@ -64,6 +67,7 @@ class Arguments:
 
     success = graphene.Boolean()  # Indicate whether the operation was successful
 
+    @gql_required_perm(CurrencyExchange, 'delete_currencyexchange')
     @staticmethod
     def mutate(root, info, id):
         try:

nxtbn/core/admin_permissions.py

@@ -150,7 +150,7 @@ def has_required_perm(user, code: str, model_cls=None):
     return user.has_perm(perm_code)
 
 
-def gql_required_perm(code: str): # Used in graphql only
+def gql_required_perm(model, code: str):  # model argument will be the model class
     def decorator(func):
         @functools.wraps(func)
         def wrapper(self, info, *args, **kwargs):
@@ -159,13 +159,22 @@ def wrapper(self, info, *args, **kwargs):
 
             if user.is_anonymous:
                 raise GraphQLError("Authentication required")
-
-            if operation == "query":
+            
+            if not user.is_staff:
+                raise GraphQLError("Permission denied")
+            
+            if user.is_superuser:
                 return func(self, info, *args, **kwargs)
-
 
+            if user.is_store_admin:
+                return func(self, info, *args, **kwargs)
 
-            if not user.has_perm(code):  # Check if user has the required permission
+            if operation == "query":
+                return func(self, info, *args, **kwargs)
+            
+            # Check if the user has permission for the model
+            perm_code = f"{model._meta.app_label}.{code}"  # Constructing the permission name
+            if not user.has_perm(perm_code):  # Check if the user has the required permission for the model
                 raise GraphQLError("Permission denied")  # Block unauthorized access
 
             return func(self, info, *args, **kwargs)  # Call the actual resolver
@@ -176,17 +185,49 @@ def wrapper(self, info, *args, **kwargs):
 
 
 
-def gql_staff_required(func): # Used in graphql only
+def gql_store_admin_required(func): # Used in graphql only
     @functools.wraps(func)
     def wrapper(self, info, *args, **kwargs):
         user = info.context.user
 
         if user.is_anonymous:
             raise GraphQLError("Authentication required")
+        
+        if not user.is_staff:
+            raise GraphQLError("Permission denied")
+        
+        if user.is_superuser:
+            return func(self, info, *args, **kwargs)
 
-        if not user.is_staff:  # Check if the user is a staff member
-            raise GraphQLError("Permission denied")  # Block access if the user is not staff
+        if user.is_store_admin:
+            return func(self, info, *args, **kwargs)
 
         return func(self, info, *args, **kwargs)  # Call the actual resolver
 
+    return wrapper
+
+
+def gql_store_staff_required(func): # Used in graphql only
+    @functools.wraps(func)
+    def wrapper(self, info, *args, **kwargs):
+        user = info.context.user
+
+        if user.is_anonymous:
+            raise GraphQLError("Authentication required")
+        
+        if not user.is_staff:
+            raise GraphQLError("Permission denied")
+        
+        if user.is_superuser:
+            return func(self, info, *args, **kwargs)
+        
+        if user.is_store_admin:
+            return func(self, info, *args, **kwargs)
+
+        if user.is_store_staff:
+            return func(self, info, *args, **kwargs)
+        else:
+            raise GraphQLError("Permission denied")
+
+    
     return wrapper

nxtbn/core/admin_queries.py

@@ -3,7 +3,7 @@
 from graphql import GraphQLError
 
 from nxtbn.core import CurrencyTypes
-from nxtbn.core.admin_permissions import gql_staff_required
+from nxtbn.core.admin_permissions import gql_store_admin_required
 from nxtbn.core.admin_types import AdminCurrencyTypesEnum, CurrencyExchangeType
 from nxtbn.core.models import CurrencyExchange
 from graphene_django.filter import DjangoFilterConnectionField
@@ -14,7 +14,7 @@ class AdminCoreQuery(graphene.ObjectType):
     currency_exchange = graphene.Field(CurrencyExchangeType, id=graphene.ID(required=True))
     allowed_currency_list = graphene.List(AdminCurrencyTypesEnum)
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_currency_exchanges(self, info, **kwargs):
         return CurrencyExchange.objects.all()
 
@@ -24,7 +24,7 @@ def resolve_currency_exchange(self, info, id):
         except CurrencyExchange.DoesNotExist:
             return None
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_allowed_currency_list(self, info):
         allowed_currency_list = settings.ALLOWED_CURRENCIES
 

nxtbn/core/enum_perms.py

@@ -15,5 +15,8 @@ class PermissionsEnum(models.TextChoices):
     CAN_BULK_PRODUCT_STATUS_UPDATE = "can_bulk_product_status_update"
     CAN_BULK_PRODUCT_DELETE = "can_bulk_product_delete"
 
+    CAN_RECEIVE_TRANSFERRED_STOCK = "can_receive_transferred_stock" 
+    CAN_MARK_STOCK_TRANSFER_AS_COMPLETED = "can_mark_stock_transfer_as_completed"
+
     CAN_READ_CUSTOMER = "can_read_customer"
     CAN_UPDATE_CUSTOMER = "can_create_customer"

nxtbn/filemanager/api/dashboard/views.py

@@ -5,6 +5,7 @@
 from django_filters.rest_framework import DjangoFilterBackend
 
 
+from nxtbn.core.admin_permissions import CommonPermissions
 from nxtbn.filemanager.models import Document, Image
 from nxtbn.filemanager.api.dashboard.serializers import (
     DocumentSerializer,
@@ -21,6 +22,8 @@ class Meta:
         fields = ['id', 'name']
 
 class ImageListView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Image
     serializer_class = ImageSerializer
     queryset = Image.objects.all().order_by('-created_at')
     pagination_class = NxtbnPagination
@@ -29,19 +32,25 @@ class ImageListView(generics.ListCreateAPIView):
 
 
 class ImageDetailView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Image
     queryset = Image.objects.all()
     serializer_class = ImageSerializer
     pagination_class = NxtbnPagination
     lookup_field = "id"
 
 
 class DocumentListView(generics.ListCreateAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Document
     serializer_class = DocumentSerializer
     queryset = Document.objects.all()
     pagination_class = NxtbnPagination
 
 
 class DocumentDetailView(generics.RetrieveUpdateDestroyAPIView):
+    permission_classes = (CommonPermissions, )
+    model = Document
     queryset = Document.objects.all()
     serializer_class = DocumentSerializer
     pagination_class = NxtbnPagination

nxtbn/order/admin_queries.py

@@ -1,7 +1,7 @@
 import graphene
 from graphene_django.filter import DjangoFilterConnectionField
 
-from nxtbn.core.admin_permissions import gql_staff_required
+from nxtbn.core.admin_permissions import gql_store_admin_required
 from nxtbn.order.admin_types import OrderType
 from nxtbn.order.models import Address, Order
 from nxtbn.users import UserRole
@@ -13,11 +13,11 @@ class AdminOrderQuery(graphene.ObjectType):
 
 
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_orders(self, info, **kwargs):
         return Order.objects.all()
 
-    @gql_staff_required
+    @gql_store_admin_required
     def resolve_order(self, info, id):
         try:
             order = Order.objects.get(id=id)

nxtbn/product/admin_mutations.py

@@ -1,4 +1,5 @@
 import graphene
+from nxtbn.core.admin_permissions import gql_required_perm
 from nxtbn.product.admin_types import CategoryTranslationType, CategoryType, CollectionTranslationType, ProductTagTranslationType, ProductTranslationType, ProductVariantTranslationType, SupplierTranslationType
 from nxtbn.product.models import Category, CategoryTranslation, CollectionTranslation, ProductTagTranslation, ProductTranslation, ProductVariantTranslation, SupplierTranslation
 from nxtbn.users import UserRole
@@ -18,6 +19,7 @@ class Arguments:
 
     category = graphene.Field(CategoryType)
 
+    @gql_required_perm(Category, 'change_category')
     def mutate(self, info, id, input):
         category = Category.objects.get(id=id)
         category.name = input.name
@@ -45,6 +47,7 @@ class Arguments:
 
     product_translation = graphene.Field(ProductTranslationType)
 
+    @gql_required_perm(ProductTranslation, 'change_producttranslation')
     def mutate(self, info, base_product_id, lang_code, name, summary, description, meta_title, meta_description):
         try:
             product_translation = ProductTranslation.objects.get(product_id=base_product_id, language_code=lang_code)
@@ -72,6 +75,7 @@ class Arguments:
 
     category_translation = graphene.Field(CategoryTranslationType)
 
+    @gql_required_perm(CategoryTranslation, 'change_categorytranslation')
     def mutate(self, info, base_category_id, lang_code, name, description, meta_title, meta_description):
         try:
             category_translation = CategoryTranslation.objects.get(category_id=base_category_id, language_code=lang_code)
@@ -98,6 +102,7 @@ class Arguments:
 
     supplier_translation = graphene.Field(SupplierTranslationType)
 
+    @gql_required_perm(SupplierTranslation, 'change_suppliertranslation')
     def mutate(self, info, base_supplier_id, lang_code, name, description, meta_title, meta_description):
         try:
             supplier_translation = SupplierTranslation.objects.get(supplier_id=base_supplier_id, language_code=lang_code)
@@ -121,6 +126,7 @@ class Arguments:
 
     product_variant_translation = graphene.Field(ProductVariantTranslationType)
 
+    @gql_required_perm(ProductVariantTranslation, 'change_productvarianttranslation')
     def mutate(self, info, base_product_variant_id, lang_code, name, description, meta_title, meta_description):
         try:
             product_variant_translation = ProductVariantTranslation.objects.get(product_variant_id=base_product_variant_id, language_code=lang_code)
@@ -140,6 +146,7 @@ class Arguments:
 
     product_tag_translation = graphene.Field(ProductTagTranslationType)
 
+    @gql_required_perm(ProductTagTranslation, 'change_producttagtranslation')
     def mutate(self, info, base_product_tag_id, lang_code, name, description, meta_title, meta_description):
         try:
             product_tag_translation = ProductTagTranslation.objects.get(product_tag_id=base_product_tag_id, language_code=lang_code)
@@ -162,6 +169,7 @@ class Arguments:
 
     collection_translation = graphene.Field(CollectionTranslationType)
 
+    @gql_required_perm(CollectionTranslation, 'change_collectiontranslation')
     def mutate(self, info, base_collection_id, lang_code, name, description, meta_title, meta_description):
         try:
             collection_translation = CollectionTranslation.objects.get(collection_id=base_collection_id, language_code=lang_code)