From c5a5067155b13479372e1099a82013af6c465e12 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Sat, 4 Oct 2025 10:23:39 +0200
Subject: [PATCH] update rights, prevent gms api access for others than admins
---
 admin/src/graphql/updateHomeCommunity.js | 2 +-
 backend/src/auth/ADMIN_RIGHTS.ts | 4 +---
 backend/src/auth/DLT_CONNECTOR_RIGHTS.ts | 2 +-
 backend/src/auth/RIGHTS.ts | 4 +---
 backend/src/graphql/model/AdminCommunityView.ts | 1 -
 backend/src/graphql/model/Community.ts | 4 ----
 .../src/graphql/resolver/CommunityResolver.test.ts | 10 +++++-----
 backend/src/graphql/resolver/CommunityResolver.ts | 12 ++++++------
 backend/src/seeds/graphql/mutations.ts | 1 -
 backend/src/seeds/graphql/queries.ts | 3 ---
 10 files changed, 15 insertions(+), 28 deletions(-)
diff --git a/admin/src/graphql/updateHomeCommunity.js b/admin/src/graphql/updateHomeCommunity.js
index 19bfb7396..036db91e5 100644
--- a/admin/src/graphql/updateHomeCommunity.js
+++ b/admin/src/graphql/updateHomeCommunity.js
@@ -8,7 +8,7 @@ export const updateHomeCommunity = gql`
 location: $location
 hieroTopicId: $hieroTopicId
 ) {
- id
+ uuid
 }
 }
 `
diff --git a/backend/src/auth/ADMIN_RIGHTS.ts b/backend/src/auth/ADMIN_RIGHTS.ts
index 9ba3e7ccd..69100d7d2 100644
--- a/backend/src/auth/ADMIN_RIGHTS.ts
+++ b/backend/src/auth/ADMIN_RIGHTS.ts
@@ -5,8 +5,6 @@ export const ADMIN_RIGHTS = [
 RIGHTS.DELETE_USER,
 RIGHTS.UNDELETE_USER,
 RIGHTS.COMMUNITY_UPDATE,
- RIGHTS.COMMUNITY_BY_UUID,
- RIGHTS.COMMUNITY_BY_IDENTIFIER,
- RIGHTS.HOME_COMMUNITY,
+ RIGHTS.COMMUNITY_WITH_API_KEYS,
 RIGHTS.PROJECT_BRANDING_MUTATE,
 ]
diff --git a/backend/src/auth/DLT_CONNECTOR_RIGHTS.ts b/backend/src/auth/DLT_CONNECTOR_RIGHTS.ts
index 399b7c2d4..9b4c56eaa 100644
--- a/backend/src/auth/DLT_CONNECTOR_RIGHTS.ts
+++ b/backend/src/auth/DLT_CONNECTOR_RIGHTS.ts
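Review bot: ADMIN_RIGHTS drops `RIGHTS.COMMUNITY_BY_IDENTIFIER` and `RIGHTS.HOME_COMMUNITY` here, while the CommunityResolver hunks of this commit re-gate `communityByIdentifier` and `homeCommunity` on `RIGHTS.COMMUNITIES`, which this hunk does not add; unless the array (its opening line is outside the hunk) spreads a base list that already holds `COMMUNITIES`, admins lose those two queries. The test change in this commit logs in as admin before running the community queries, so the base list presumably covers it, but that should be confirmed rather than assumed. The new right would also benefit from a one-line comment above `RIGHTS.COMMUNITY_WITH_API_KEYS,` such as `// gates allCommunities (AdminCommunityView); not granted to DLT_CONNECTOR_RIGHTS` so the split between admin and connector rights is visible where it is defined.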
@@ -1,3 +1,3 @@
 import { RIGHTS } from './RIGHTS'
-export const DLT_CONNECTOR_RIGHTS = [RIGHTS.COMMUNITY_BY_IDENTIFIER, RIGHTS.HOME_COMMUNITY]
+export const DLT_CONNECTOR_RIGHTS = [RIGHTS.COMMUNITIES, RIGHTS.COMMUNITY_UPDATE]
diff --git a/backend/src/auth/RIGHTS.ts b/backend/src/auth/RIGHTS.ts
index 012a4e627..d26bdc702 100644
--- a/backend/src/auth/RIGHTS.ts
+++ b/backend/src/auth/RIGHTS.ts
@@ -69,9 +69,7 @@ export enum RIGHTS {
 SET_USER_ROLE = 'SET_USER_ROLE',
 DELETE_USER = 'DELETE_USER',
 UNDELETE_USER = 'UNDELETE_USER',
- COMMUNITY_BY_UUID = 'COMMUNITY_BY_UUID',
- COMMUNITY_BY_IDENTIFIER = 'COMMUNITY_BY_IDENTIFIER',
- HOME_COMMUNITY = 'HOME_COMMUNITY',
 COMMUNITY_UPDATE = 'COMMUNITY_UPDATE',
+ COMMUNITY_WITH_API_KEYS = 'COMMUNITY_WITH_API_KEYS',
 PROJECT_BRANDING_MUTATE = 'PROJECT_BRANDING_MUTATE',
 }
diff --git a/backend/src/graphql/model/AdminCommunityView.ts b/backend/src/graphql/model/AdminCommunityView.ts
index 50cee146a..8a685fa86 100644
--- a/backend/src/graphql/model/AdminCommunityView.ts
+++ b/backend/src/graphql/model/AdminCommunityView.ts
@@ -38,7 +38,6 @@ export class AdminCommunityView {
 this.updatedAt = dbCom.updatedAt
 this.uuid = dbCom.communityUuid
 this.authenticatedAt = dbCom.authenticatedAt
- this.gmsApiKey = dbCom.gmsApiKey
 this.hieroTopicId = dbCom.hieroTopicId
 if (dbCom.location) {
 this.location = Point2Location(dbCom.location as Point)
diff --git a/backend/src/graphql/model/Community.ts b/backend/src/graphql/model/Community.ts
index 62cec9cf7..e5ccad59b 100644
--- a/backend/src/graphql/model/Community.ts
+++ b/backend/src/graphql/model/Community.ts
@@ -12,7 +12,6 @@ export class Community {
 this.creationDate = dbCom.creationDate
 this.uuid = dbCom.communityUuid
 this.authenticatedAt = dbCom.authenticatedAt
- this.gmsApiKey = dbCom.gmsApiKey
 this.hieroTopicId = dbCom.hieroTopicId
 }
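Review bot: Granting `RIGHTS.COMMUNITY_UPDATE` to the DLT connector widens that role from read-only queries to the `updateHomeCommunity` mutation, which in the CommunityResolver hunks of this commit still takes `gmsApiKey` from `EditCommunityInput` and is guarded by that single right — so a caller with the connector's rights can overwrite the GMS API key, which works against the commit's stated goal of keeping GMS API access to admins. If the connector only needs to maintain `hieroTopicId` or `location`, a narrower right for that role (or a separate mutation whose input type has no `gmsApiKey`) keeps key management admin-only; at minimum the line deserves `// NOTE: COMMUNITY_UPDATE also permits setting gmsApiKey — confirm the connector should hold it`. The same concern applies to the `updateHomeCommunity` hunks in backend/src/graphql/resolver/CommunityResolver.ts and is not repeated there.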
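Review bot: Removing `this.gmsApiKey = dbCom.gmsApiKey` from the AdminCommunityView constructor means the admin view no longer carries the key, yet the only query returning this view, `allCommunities`, is now gated by a right named `COMMUNITY_WITH_API_KEYS`. If the `gmsApiKey` field declaration is still present in the class (not visible in this hunk) it is now never assigned and will be unset in every response; if it was removed too, the right's name overstates what the view exposes. Either keep the assignment so the admin view is the one place the key is visible, or rename the right to match what it gates, and record the decision on the constructor with something like `// gmsApiKey is deliberately not exposed through this view`.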
@@ -40,9 +39,6 @@ export class Community {
 @Field(() => Date, { nullable: true })
 authenticatedAt: Date | null
- @Field(() => String, { nullable: true })
- gmsApiKey: string | null
-
 @Field(() => String, { nullable: true })
 hieroTopicId: string | null
 }
diff --git a/backend/src/graphql/resolver/CommunityResolver.test.ts b/backend/src/graphql/resolver/CommunityResolver.test.ts
index c9c925a2e..20a3680e3 100644
--- a/backend/src/graphql/resolver/CommunityResolver.test.ts
+++ b/backend/src/graphql/resolver/CommunityResolver.test.ts
@@ -324,6 +324,10 @@ describe('CommunityResolver', () => {
 beforeEach(async () => {
 jest.clearAllMocks()
+ await userFactory(testEnv, peterLustig)
+ // login as admin
+ await mutate({ mutation: login, variables: peterLoginData })
+
 comHomeCom1 = DbCommunity.create()
 comHomeCom1.foreign = false
 comHomeCom1.url = 'http://localhost'
@@ -547,13 +551,10 @@ describe('CommunityResolver', () => {
 describe('with empty list', () => {
 beforeEach(async () => {
- await cleanDB()
- jest.clearAllMocks()
+ await DbCommunity.clear()
 })
 it('returns no community entry', async () => {
- // const result: Community[] = await query({ query: getCommunities })
- // expect(result.length).toEqual(0)
 await expect(query({ query: communitiesQuery })).resolves.toMatchObject({
 data: {
 communities: [],
@@ -785,7 +786,6 @@ describe('CommunityResolver', () => {
 ).resolves.toMatchObject({
 data: {
 updateHomeCommunity: {
- id: expect.any(Number),
 foreign: homeCom?.foreign,
 name: homeCom?.name,
 description: homeCom?.description,
diff --git a/backend/src/graphql/resolver/CommunityResolver.ts b/backend/src/graphql/resolver/CommunityResolver.ts
index a46e30144..5fe7eea44 100644
--- a/backend/src/graphql/resolver/CommunityResolver.ts
+++ b/backend/src/graphql/resolver/CommunityResolver.ts
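Review bot: The `beforeEach` now logs in as the admin `peterLustig` for every test in this block, so the suite only exercises the admin path; none of the changed tests asserts that a caller without `COMMUNITY_WITH_API_KEYS` (an ordinary user or an unauthenticated request) is refused by `allCommunities`, which is the behaviour this commit exists to enforce. A negative test in the style already used here — log in as a non-admin user, run the admin query and assert the response carries a non-empty `errors` array — would pin that. Separately, `await userFactory(testEnv, peterLustig)` now runs before each test while the nested `beforeEach` replaced `cleanDB()` with `DbCommunity.clear()`, which only clears communities; if no outer hook removes users and the factory is not idempotent, the second test may collide on the same user — confirm against userFactory and the surrounding hooks, which are outside this hunk.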
@@ -35,7 +35,7 @@ export class CommunityResolver {
 )
 }
- @Authorized([RIGHTS.COMMUNITIES])
+ @Authorized([RIGHTS.COMMUNITY_WITH_API_KEYS])
 @Query(() => [AdminCommunityView])
 async allCommunities(@Args() paginated: Paginated): Promise {
 // communityUUID could be oneTimePassCode (uint32 number)
@@ -54,7 +54,7 @@ export class CommunityResolver {
 return dbCommunities.map((dbCom: DbCommunity) => new Community(dbCom))
 }
- @Authorized([RIGHTS.COMMUNITY_BY_IDENTIFIER])
+ @Authorized([RIGHTS.COMMUNITIES])
 @Query(() => Community)
 async communityByIdentifier(
 @Arg('communityIdentifier') communityIdentifier: string,
@@ -67,7 +67,7 @@ export class CommunityResolver {
 return new Community(community)
 }
- @Authorized([RIGHTS.HOME_COMMUNITY])
+ @Authorized([RIGHTS.COMMUNITIES])
 @Query(() => Community)
 async homeCommunity(): Promise {
 const community = await getHomeCommunity()
@@ -78,10 +78,10 @@ export class CommunityResolver {
 }
 @Authorized([RIGHTS.COMMUNITY_UPDATE])
- @Mutation(() => Community)
+ @Mutation(() => AdminCommunityView)
 async updateHomeCommunity(
 @Args() { uuid, gmsApiKey, location, hieroTopicId }: EditCommunityInput,
- ): Promise {
+ ): Promise {
 const homeCom = await getCommunityByUuid(uuid)
 if (!homeCom) {
 throw new LogError('HomeCommunity with uuid not found: ', uuid)
@@ -101,6 +101,6 @@ export class CommunityResolver {
 homeCom.hieroTopicId = hieroTopicId ?? null
 await DbCommunity.save(homeCom)
 }
- return new Community(homeCom)
+ return new AdminCommunityView(homeCom)
 }
 }
diff --git a/backend/src/seeds/graphql/mutations.ts b/backend/src/seeds/graphql/mutations.ts
index ec0a966a8..e42e738f2 100644
--- a/backend/src/seeds/graphql/mutations.ts
+++ b/backend/src/seeds/graphql/mutations.ts
@@ -375,7 +375,6 @@ export const logout = gql`
 export const updateHomeCommunityQuery = gql`
 mutation ($uuid: String!, $gmsApiKey: String!) {
 updateHomeCommunity(uuid: $uuid, gmsApiKey: $gmsApiKey) {
- id
 foreign
 name
 description
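Review bot: Switching `updateHomeCommunity` to return `AdminCommunityView` (fourth and fifth hunks) is a schema-breaking change for any client that selected fields only `Community` offered, such as the `id` the admin frontend and the seed mutation had to drop in this commit; other callers holding `COMMUNITY_UPDATE` are not visible here and may still select it. The loosening of `communityByIdentifier` and `homeCommunity` to `RIGHTS.COMMUNITIES` is only safe as long as `Community` stays free of `gmsApiKey`, and that invariant is currently implicit; a comment on `allCommunities` such as `// Admin-only view: Community (served to COMMUNITIES holders) must never carry gmsApiKey` would make the split explicit for the next change to either model. The generic parameters of the `Promise` return types look stripped by the rendering of this patch, so I am not raising them.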
diff --git a/backend/src/seeds/graphql/queries.ts b/backend/src/seeds/graphql/queries.ts
index 5a8e06cc0..466e96516 100644
--- a/backend/src/seeds/graphql/queries.ts
+++ b/backend/src/seeds/graphql/queries.ts
@@ -146,7 +146,6 @@ export const communitiesQuery = gql`
 creationDate
 uuid
 authenticatedAt
- gmsApiKey
 }
 }
 `
@@ -162,7 +161,6 @@ export const getCommunityByIdentifierQuery = gql`
 creationDate
 uuid
 authenticatedAt
- gmsApiKey
 }
 }
 `
@@ -178,7 +176,6 @@ export const getHomeCommunityQuery = gql`
 creationDate
 uuid
 authenticatedAt
- gmsApiKey
 }
 }
 `
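Review bot: Dropping `gmsApiKey` from the `communities`, `communityByIdentifier` and `homeCommunity` selection sets keeps the seed queries valid, but it also removes the only place the tests touched that field, so a later re-addition of `gmsApiKey` to `Community` would not be caught. A small regression guard — a separate query that does select `gmsApiKey` on `homeCommunity` and a test asserting the response has a non-empty `errors` array, since GraphQL validation rejects unknown fields — would pin the removal without needing any secret in fixtures. The three hunks in this file share this point and it is not repeated per hunk.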