fix: update ownership decorator

basedosdados · Apr 11, 2024 · 305a0d6 · 305a0d6
1 parent 235f1af
commit 305a0d6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 19 deletions.
diff --git a/bd_api/apps/account/models.py b/bd_api/apps/account/models.py
@@ -14,7 +14,7 @@
 from django.db.models.query import QuerySet
 from django.utils import timezone
 
-from bd_api.custom.graphql_jwt import ownership_required
+from bd_api.custom.graphql_jwt import owner_required
 from bd_api.custom.model import BaseModel
 from bd_api.custom.storage import OverwriteStorage, upload_to, validate_image
 
@@ -279,8 +279,8 @@ class Account(BaseModel, AbstractBaseUser, PermissionsMixin):
     ]
     graphql_filter_fields_blacklist = ["internal_subscription"]
     graphql_nested_filter_fields_whitelist = ["email", "username"]
-    graphql_query_decorator = ownership_required
-    graphql_mutation_decorator = ownership_required
+    graphql_query_decorator = owner_required(allow_anonymous=False)
+    graphql_mutation_decorator = owner_required(allow_anonymous=True)
 
     USERNAME_FIELD = "email"
     REQUIRED_FIELDS = ["username", "first_name", "last_name"]

diff --git a/bd_api/custom/graphql_jwt.py b/bd_api/custom/graphql_jwt.py
@@ -41,7 +41,7 @@ def wrapper(*args, **kwargs):
     return wrapper
 
 
-def ownership_required(f, exc=exceptions.PermissionDenied):
+def owner_required(allow_anonymous=False, exc=exceptions.PermissionDenied):
     """Decorator to limit graphql queries and mutations
 
     - Super users are allowed to edit all resources
@@ -61,20 +61,23 @@ def get_uid(context, exp=r"id:\s[\"]?(\d+)[\"]?"):
 
         return [int(uid) for uid in findall(exp, query)]
 
-    @wraps(f)
-    @context(f)
-    def wrapper(context, *args, **kwargs):
-        if context.user.is_staff:
-            return f(*args, **kwargs)
-        if context.user.is_superuser:
-            return f(*args, **kwargs)
-        uid = get_uid(context)
-        if context.user.is_anonymous:
-            if not uid:
+    def decorator(f):
+        @wraps(f)
+        @context(f)
+        def wrapper(context, *args, **kwargs):
+            if context.user.is_staff:
                 return f(*args, **kwargs)
-        if context.user.is_authenticated:
-            if context.user.id == uid[0]:
+            if context.user.is_superuser:
                 return f(*args, **kwargs)
-        raise exc
-
-    return wrapper
+            uid = get_uid(context)
+            if context.user.is_authenticated:
+                if context.user.id == uid[0]:
+                    return f(*args, **kwargs)
+            if context.user.is_anonymous:
+                if allow_anonymous and not uid:
+                    return f(*args, **kwargs)
+            raise exc
+
+        return wrapper
+
+    return decorator