fureunoir/schon
fureunoir/schon
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Features: 1) Add language validation and fallback for users without proper language settings in initialize.py; 2) Enhance user update mutation with improved error handling and dynamic attribute support; 3) Integrate is_safe_key validation in user attribute updates for better security.

Browse source 
Fixes: 1) Add missing imports for `settings`, `Q`, and `is_safe_key`; 2) Correct user permissions keys in `lists.py` utility.

Extra: 1) Refactor `UpdateUser` mutation for cleaner structure and unified error handling; 2) Format and tidy up list declarations and exception handling for clarity.
This commit is contained in:
Egor Pavlovich Gorbunov 2025-11-25 14:26:14 +03:00
parent 476e9c73c5
commit 43ece8c25c
3 changed files with 63 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
engine/core/management/commands/initialize.py
View file

@ -1,11 +1,13 @@
import logging
from typing import Any
from django.conf import settings
from django.contrib.auth.models import Permission
from django.core.management.base import BaseCommand
from django.db.models import Q
from engine.core.models import Vendor
from engine.vibes_auth.models import Group
from engine.vibes_auth.models import Group, User
logger = logging.getLogger(__name__)
@ -155,4 +157,7 @@ class Command(BaseCommand):
perms = Permission.objects.filter(codename__in=e_commerce_admin_permissions)
e_commerce_admin.permissions.add(*perms)
valid_codes = [code for code, _ in settings.LANGUAGES]
(User.objects.filter(Q(language="") | ~Q(language__in=valid_codes)).update(language=settings.LANGUAGE_CODE))
self.stdout.write(self.style.SUCCESS("Successfully initialized must-have instances!"))

4
engine/core/utils/lists.py
View file

@ -16,5 +16,7 @@ BAD_KEYS_TO_LISTEN = [
"is_staff",
"is_superuser",
"is_active",
"active",
"is_verified",
"groups",
"user_permissions",
]

110
engine/vibes_auth/graphene/mutations.py
View file

@ -17,6 +17,7 @@ from graphene_file_upload.scalars import Upload
from engine.core.graphene import BaseMutation
from engine.core.utils.messages import permission_denied_message
from engine.core.utils.security import is_safe_key
from engine.vibes_auth.graphene.object_types import UserType
from engine.vibes_auth.models import User
from engine.vibes_auth.serializers import (
@ -107,65 +108,62 @@ class UpdateUser(BaseMutation):
try:
user = User.objects.get(uuid=uuid)
if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user):
raise PermissionDenied(permission_denied_message)
email = kwargs.get("email")
if (email is not None and not is_valid_email(email)) or User.objects.filter(email=email).exclude(
uuid=uuid
).exists():
raise BadRequest(_("malformed email"))
phone_number = kwargs.get("phone_number")
if (phone_number is not None and not is_valid_phone_number(phone_number)) or (
User.objects.filter(phone_number=phone_number).exclude(uuid=uuid).exists() and phone_number is not None
):
raise BadRequest(_(f"malformed phone number: {phone_number}"))
password = kwargs.get("password", "")
confirm_password = kwargs.get("confirm_password", "")
if password:
validate_password(password=password, user=user)
if not compare_digest(password, "") and compare_digest(password, confirm_password):
user.set_password(password)
user.save()
attribute_pairs = kwargs.pop("attributes", "")
if attribute_pairs:
for attribute_pair in attribute_pairs.split(";"):
if "-" in attribute_pair:
attr, value = attribute_pair.split("-", 1)
if not user.attributes:
user.attributes = {}
user.attributes.update({attr: value})
else:
raise BadRequest(_(f"Invalid attribute format: {attribute_pair}"))
for attr, value in kwargs.items():
if attr == "password" or attr == "confirm_password":
continue
if is_safe_key(attr) or info.context.user.has_perm("vibes_auth.change_user"):
setattr(user, attr, value)
user.save()
return UpdateUser(user=user)
except User.DoesNotExist as dne:
name = "User"
raise Http404(_(f"{name} does not exist: {uuid}")) from dne
if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user):
raise PermissionDenied(permission_denied_message)
email = kwargs.get("email")
if (email is not None and not is_valid_email(email)) or User.objects.filter(email=email).exclude(
uuid=uuid
).exists():
raise BadRequest(_("malformed email"))
phone_number = kwargs.get("phone_number")
if (phone_number is not None and not is_valid_phone_number(phone_number)) or (
User.objects.filter(phone_number=phone_number).exclude(uuid=uuid).exists() and phone_number is not None
):
raise BadRequest(_(f"malformed phone number: {phone_number}"))
password = kwargs.get("password", "")
confirm_password = kwargs.get("confirm_password", "")
if password:
validate_password(password=password, user=user)
if not compare_digest(password, "") and compare_digest(password, confirm_password):
user.set_password(password)
user.save()
attribute_pairs = kwargs.pop("attributes", "")
if attribute_pairs:
for attribute_pair in attribute_pairs.split(";"):
if "-" in attribute_pair:
attr, value = attribute_pair.split("-", 1)
if not user.attributes:
user.attributes = {}
user.attributes.update({attr: value})
else:
raise BadRequest(_(f"Invalid attribute format: {attribute_pair}"))
for attr, value in kwargs.items():
if attr == "password" or attr == "confirm_password":
continue
if attr not in [
"groups",
"user_permissions",
"is_verified",
"is_staff",
"is_active",
"is_superuser",
] or info.context.user.has_perm("vibes_auth.change_user"):
setattr(user, attr, value)
user.save()
return UpdateUser(user=user)
except Exception as e:
logger.warning("Could not update user: %s", str(e))
logger.debug(traceback.format_exc())
raise BadRequest(str(e)) from e
class DeleteUser(BaseMutation):