From a24c6119a6af161874f17dc0e4bea492be1eccde Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Sat, 20 Nov 2021 19:33:38 +0100
Subject: [PATCH] check rights on all resolvers

---
 backend/src/graphql/resolver/BalanceResolver.ts | 3 ++-
 .../src/graphql/resolver/CommunityResolver.ts | 5 ++++-
 backend/src/graphql/resolver/GdtResolver.ts | 5 +++--
 .../src/graphql/resolver/KlicktippResolver.ts | 9 +++++----
 .../src/graphql/resolver/TransactionResolver.ts | 5 +++--
 backend/src/graphql/resolver/UserResolver.ts | 16 ++++++++++++----
 6 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/backend/src/graphql/resolver/BalanceResolver.ts b/backend/src/graphql/resolver/BalanceResolver.ts
index e067b4d68..e368c4dc2 100644
--- a/backend/src/graphql/resolver/BalanceResolver.ts
+++ b/backend/src/graphql/resolver/BalanceResolver.ts
@@ -8,10 +8,11 @@ import { BalanceRepository } from '../../typeorm/repository/Balance'
 import { UserRepository } from '../../typeorm/repository/User'
 import { calculateDecay } from '../../util/decay'
 import { roundFloorFrom4 } from '../../util/round'
+import { RIGHTS } from '../../auth/RIGHTS'
 
 @Resolver()
 export class BalanceResolver {
- @Authorized()
+ @Authorized([RIGHTS.BALANCE])
 @Query(() => Balance)
 async balance(@Ctx() context: any): Promise {
 // load user and balance
diff --git a/backend/src/graphql/resolver/CommunityResolver.ts b/backend/src/graphql/resolver/CommunityResolver.ts
index 84d252064..5c9d46f34 100644
--- a/backend/src/graphql/resolver/CommunityResolver.ts
+++ b/backend/src/graphql/resolver/CommunityResolver.ts
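Review bot: The effect of every `@Authorized([RIGHTS.…])` added in this patch depends on `../../auth/RIGHTS` and on the type-graphql authChecker that evaluates the role list, neither of which is part of the diff, so which principals hold each right cannot be confirmed from here. Several of the decorated resolvers are reachable before any session exists — `getCommunityInfo` and `communities` in CommunityResolver, and `login`, `loginViaEmailVerificationCode`, `createUser`, `sendResetPasswordEmail`, `resetPassword`, `checkUsername` and `checkEmail` in UserResolver — so the checker must grant those rights to a caller without a JWT or the endpoints become unreachable; presumably an anonymous role in RIGHTS covers this, but the commit description should say so. I would state the contract once at the first decorated site, e.g. `// RIGHTS.* values are resolved by the authChecker; rights used on pre-login resolvers must be granted without a session`, adjusted to what the checker actually does. The `balance` method body continues outside the hunk.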
@@ -1,12 +1,14 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 /* eslint-disable @typescript-eslint/explicit-module-boundary-types */
 
-import { Resolver, Query } from 'type-graphql'
+import { Resolver, Query, Authorized } from 'type-graphql'
+import { RIGHTS } from '../../auth/RIGHTS'
 import CONFIG from '../../config'
 import { Community } from '../model/Community'
 
 @Resolver()
 export class CommunityResolver {
+ @Authorized([RIGHTS.GET_COMMUNITY_INFO])
 @Query(() => Community)
 async getCommunityInfo(): Promise {
 return new Community({
@@ -17,6 +19,7 @@ export class CommunityResolver {
 })
 }
 
+ @Authorized([RIGHTS.COMMUNITIES])
 @Query(() => [Community])
 async communities(): Promise {
 if (CONFIG.PRODUCTION)
diff --git a/backend/src/graphql/resolver/GdtResolver.ts b/backend/src/graphql/resolver/GdtResolver.ts
index b4f9a512b..9110eb76b 100644
--- a/backend/src/graphql/resolver/GdtResolver.ts
+++ b/backend/src/graphql/resolver/GdtResolver.ts
@@ -9,10 +9,11 @@ import Paginated from '../arg/Paginated'
 import { apiGet } from '../../apis/HttpRequest'
 import { UserRepository } from '../../typeorm/repository/User'
 import { Order } from '../enum/Order'
+import { RIGHTS } from '../../auth/RIGHTS'
 
 @Resolver()
 export class GdtResolver {
- @Authorized()
+ @Authorized([RIGHTS.LIST_GDT_ENTRIES])
 @Query(() => GdtEntryList)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 async listGDTEntries(
@@ -33,7 +34,7 @@ export class GdtResolver {
 return new GdtEntryList(resultGDT.data)
 }
 
- @Authorized()
+ @Authorized([RIGHTS.EXIST_PID])
 @Query(() => Number)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 async existPid(@Arg('pid') pid: number): Promise {
diff --git a/backend/src/graphql/resolver/KlicktippResolver.ts b/backend/src/graphql/resolver/KlicktippResolver.ts
index e90d43a1f..fdffb940a 100644
--- a/backend/src/graphql/resolver/KlicktippResolver.ts
+++ b/backend/src/graphql/resolver/KlicktippResolver.ts
@@ -8,29 +8,30 @@ import {
 unsubscribe,
 signIn,
 } from '../../apis/KlicktippController'
+import { RIGHTS } from '../../auth/RIGHTS'
 import SubscribeNewsletterArgs from '../arg/SubscribeNewsletterArgs'
 
 @Resolver()
 export class KlicktippResolver {
- @Authorized()
+ @Authorized([RIGHTS.GET_KLICKTIPP_USER])
 @Query(() => String)
 async getKlicktippUser(@Arg('email') email: string): Promise {
 return await getKlickTippUser(email)
 }
 
- @Authorized()
+ @Authorized([RIGHTS.GET_KLICKTIPP_TAG_MAP])
 @Query(() => String)
 async getKlicktippTagMap(): Promise {
 return await getKlicktippTagMap()
 }
 
- @Authorized()
+ @Authorized([RIGHTS.UNSUBSCRIBE_NEWSLETTER])
 @Mutation(() => Boolean)
 async unsubscribeNewsletter(@Arg('email') email: string): Promise {
 return await unsubscribe(email)
 }
 
- @Authorized()
+ @Authorized([RIGHTS.SUBSCRIBE_NEWSLETTER])
 @Mutation(() => Boolean)
 async subscribeNewsletter(
 @Args() { email, language }: SubscribeNewsletterArgs,
diff --git a/backend/src/graphql/resolver/TransactionResolver.ts b/backend/src/graphql/resolver/TransactionResolver.ts
index ae9e318ae..b2f4b4db5 100644
--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@@ -34,6 +34,7 @@ import { TransactionTypeId } from '../enum/TransactionTypeId'
 import { TransactionType } from '../enum/TransactionType'
 import { hasUserAmount, isHexPublicKey } from '../../util/validate'
 import { LoginUserRepository } from '../../typeorm/repository/LoginUser'
+import { RIGHTS } from '../../auth/RIGHTS'
 
 /*
 # Test
@@ -465,7 +466,7 @@ async function getPublicKey(email: string): Promise {
 
 @Resolver()
 export class TransactionResolver {
- @Authorized()
+ @Authorized([RIGHTS.TRANSACTION_LIST])
 @Query(() => TransactionList)
 async transactionList(
 @Args() { currentPage = 1, pageSize = 25, order = Order.DESC }: Paginated,
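Review bot: The new per-right checks on `getKlicktippUser` and `unsubscribeNewsletter` in KlicktippResolver still let the caller choose any `email` argument, so whoever holds `RIGHTS.GET_KLICKTIPP_USER` or `RIGHTS.UNSUBSCRIBE_NEWSLETTER` can read or unsubscribe another account's newsletter state; the right gates the operation, not the record it touches. If those rights are granted to ordinary users, the resolvers should take the email from the request context (as `balance` does via `@Ctx()`) or compare the argument with the session's user before delegating to the Klicktipp API. If they are intended for administrators only, a comment such as `// admin-only right: email is caller-chosen and not bound to the session` on each decorator would make that visible to the next reader. `subscribeNewsletter` is cut off at the end of the hunk.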
@@ -499,7 +500,7 @@ export class TransactionResolver {
 return transactions
 }
 
- @Authorized()
+ @Authorized([RIGHTS.SEND_COINS])
 @Mutation(() => String)
 async sendCoins(
 @Args() { email, amount, memo }: TransactionSendArgs,
diff --git a/backend/src/graphql/resolver/UserResolver.ts b/backend/src/graphql/resolver/UserResolver.ts
index 60ea265b2..64216ca16 100644
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@@ -9,7 +9,7 @@ import { LoginViaVerificationCode } from '../model/LoginViaVerificationCode'
 import { SendPasswordResetEmailResponse } from '../model/SendPasswordResetEmailResponse'
 import { User } from '../model/User'
 import { User as DbUser } from '@entity/User'
-import encode from '../../jwt/encode'
+import { encode } from '../../auth/JWT'
 import ChangePasswordArgs from '../arg/ChangePasswordArgs'
 import CheckUsernameArgs from '../arg/CheckUsernameArgs'
 import CreateUserArgs from '../arg/CreateUserArgs'
@@ -30,6 +30,7 @@ import { LoginUserBackup } from '@entity/LoginUserBackup'
 import { LoginEmailOptIn } from '@entity/LoginEmailOptIn'
 import { sendEMail } from '../../util/sendEMail'
 import { LoginElopageBuysRepository } from '../../typeorm/repository/LoginElopageBuys'
+import { RIGHTS } from '../../auth/RIGHTS'
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const sodium = require('sodium-native')
@@ -224,6 +225,7 @@ export class UserResolver {
 }
 */
 
+ @Authorized([RIGHTS.LOGIN])
 @Query(() => User)
 @UseMiddleware(klicktippNewsletterStateMiddleware)
 async login(
@@ -307,6 +309,7 @@ export class UserResolver {
 return user
 }
 
+ @Authorized([RIGHTS.LOGIN_VIA_EMAIL_VERIFICATION_CODE])
 @Query(() => LoginViaVerificationCode)
 async loginViaEmailVerificationCode(
 @Arg('optin') optin: string,
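Review bot: The swap from `import encode from '../../jwt/encode'` to `import { encode } from '../../auth/JWT'` in the first UserResolver hunk changes which module signs the login token, which is outside what the subject "check rights on all resolvers" describes, and the new module is not in this diff. If `auth/JWT.encode` now embeds the caller's rights in the token payload, every `@Authorized([RIGHTS.…])` added in this patch trusts that claim set, so the description should state what the payload contains and whether the old `jwt/encode` module was removed or still exists as a second signer. The `sendCoins` and `login` method bodies continue outside their hunks.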
@@ -322,7 +325,7 @@ export class UserResolver {
 return new LoginViaVerificationCode(result.data)
 }
 
- @Authorized()
+ @Authorized([RIGHTS.LOGOUT])
 @Query(() => String)
 async logout(): Promise {
 // TODO: We dont need this anymore, but might need this in the future in oder to invalidate a valid JWT-Token.
@@ -333,6 +336,7 @@ export class UserResolver {
 return true
 }
 
+ @Authorized([RIGHTS.CREATE_USER])
 @Mutation(() => String)
 async createUser(
 @Args() { email, firstName, lastName, language, publisherId }: CreateUserArgs,
@@ -481,6 +485,7 @@ export class UserResolver {
 return 'success'
 }
 
+ @Authorized([RIGHTS.SEND_RESET_PASSWORD_EMAIL])
 @Query(() => SendPasswordResetEmailResponse)
 async sendResetPasswordEmail(
 @Arg('email') email: string,
@@ -497,6 +502,7 @@ export class UserResolver {
 return new SendPasswordResetEmailResponse(response.data)
 }
 
+ @Authorized([RIGHTS.RESET_PASSWORD])
 @Mutation(() => String)
 async resetPassword(
 @Args()
@@ -514,7 +520,7 @@ export class UserResolver {
 return 'success'
 }
 
- @Authorized()
+ @Authorized([RIGHTS.UPDATE_USER_INFOS])
 @Mutation(() => Boolean)
 async updateUserInfos(
 @Args()
@@ -623,6 +629,7 @@ export class UserResolver {
 return true
 }
 
+ @Authorized([RIGHTS.CHECK_USERNAME])
 @Query(() => Boolean)
 async checkUsername(@Args() { username }: CheckUsernameArgs): Promise {
 // Username empty?
@@ -646,6 +653,7 @@ export class UserResolver {
 return true
 }
 
+ @Authorized([RIGHTS.CHECK_EMAIL])
 @Query(() => CheckEmailResponse)
 @UseMiddleware(klicktippRegistrationMiddleware)
 async checkEmail(@Arg('optin') optin: string): Promise {
@@ -658,7 +666,7 @@ export class UserResolver {
 return new CheckEmailResponse(result.data)
 }
 
- @Authorized()
+ @Authorized([RIGHTS.HAS_ELOPAGE])
 @Query(() => Boolean)
 async hasElopage(@Ctx() context: any): Promise {
 const userRepository = getCustomRepository(UserRepository)