diff --git a/engine/core/management/commands/initialize.py b/engine/core/management/commands/initialize.py
index 909166fb..ca94dde7 100644
--- a/engine/core/management/commands/initialize.py
+++ b/engine/core/management/commands/initialize.py
@@ -1,11 +1,13 @@ import logging from typing import Any +from django.conf import settings from django.contrib.auth.models import Permission from django.core.management.base import BaseCommand +from django.db.models import Q from engine.core.models import Vendor -from engine.vibes_auth.models import Group +from engine.vibes_auth.models import Group, User logger = logging.getLogger(__name__)
@@ -155,4 +157,7 @@ class Command(BaseCommand): perms = Permission.objects.filter(codename__in=e_commerce_admin_permissions) e_commerce_admin.permissions.add(*perms) + valid_codes = [code for code, _ in settings.LANGUAGES] + (User.objects.filter(Q(language="") | ~Q(language__in=valid_codes)).update(language=settings.LANGUAGE_CODE)) + self.stdout.write(self.style.SUCCESS("Successfully initialized must-have instances!"))
diff --git a/engine/core/utils/lists.py b/engine/core/utils/lists.py
index d97b638c..e21086e2 100644
--- a/engine/core/utils/lists.py
+++ b/engine/core/utils/lists.py
@@ -16,5 +16,7 @@ BAD_KEYS_TO_LISTEN = [ "is_staff", "is_superuser", "is_active", - "active", + "is_verified", + "groups", + "user_permissions", ]
diff --git a/engine/vibes_auth/graphene/mutations.py b/engine/vibes_auth/graphene/mutations.py
index 11274918..eac24e6d 100644
--- a/engine/vibes_auth/graphene/mutations.py
+++ b/engine/vibes_auth/graphene/mutations.py
@@ -17,6 +17,7 @@ from graphene_file_upload.scalars import Upload from engine.core.graphene import BaseMutation from engine.core.utils.messages import permission_denied_message +from engine.core.utils.security import is_safe_key from engine.vibes_auth.graphene.object_types import UserType from engine.vibes_auth.models import User from engine.vibes_auth.serializers import ( 
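Review bot: The added `update(language=settings.LANGUAGE_CODE)` in the second initialize.py hunk never checks that `LANGUAGE_CODE` is itself one of the codes in `settings.LANGUAGES`; with Django's default `"en-us"` and a `LANGUAGES` list containing only `"en"`, every run rewrites the same rows to a value the `~Q(language__in=valid_codes)` filter still treats as invalid. Guard it before the query, `if settings.LANGUAGE_CODE not in valid_codes: raise CommandError("LANGUAGE_CODE is not listed in LANGUAGES")` (CommandError lives next to the already-imported BaseCommand). The return value of `update()` is also discarded; binding it, `updated = User.objects.filter(...).update(...)`, and emitting `logger.info("Reset language on %d users", updated)` gives operators a record of how many accounts a re-run silently changed. Whether `language` is nullable is not visible here; if it is, confirm NULL rows are matched by the negated `__in`.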
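Review bot: The lists.py hunk drops `"active"` from BAD_KEYS_TO_LISTEN while adding `is_verified`, `groups` and `user_permissions`, so any model field actually named `active` that this list previously protected becomes settable through whatever consumes it (presumably `is_safe_key`, which is imported in mutations.py but not shown in this diff — confirm). Because it is a denylist, fields that are absent are implicitly writable: `uuid`, `last_login` and `date_joined` do not appear, and any sensitive field added to `User` later is unprotected until someone remembers this file. A comment above the list stating the contract would help: `# Denylist of attribute names that must never be assigned from client-supplied keys (see is_safe_key); add every new privileged User field here, or switch to an explicit allowlist of editable fields.`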
@@ -107,65 +108,62 @@ class UpdateUser(BaseMutation): try: user = User.objects.get(uuid=uuid) + if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user): + raise PermissionDenied(permission_denied_message) + + email = kwargs.get("email") + + if (email is not None and not is_valid_email(email)) or User.objects.filter(email=email).exclude( + uuid=uuid + ).exists(): + raise BadRequest(_("malformed email")) + + phone_number = kwargs.get("phone_number") + + if (phone_number is not None and not is_valid_phone_number(phone_number)) or ( + User.objects.filter(phone_number=phone_number).exclude(uuid=uuid).exists() and phone_number is not None + ): + raise BadRequest(_(f"malformed phone number: {phone_number}")) + + password = kwargs.get("password", "") + confirm_password = kwargs.get("confirm_password", "") + + if password: + validate_password(password=password, user=user) + + if not compare_digest(password, "") and compare_digest(password, confirm_password): + user.set_password(password) + user.save() + + attribute_pairs = kwargs.pop("attributes", "") + + if attribute_pairs: + for attribute_pair in attribute_pairs.split(";"): + if "-" in attribute_pair: + attr, value = attribute_pair.split("-", 1) + if not user.attributes: + user.attributes = {} + user.attributes.update({attr: value}) + else: + raise BadRequest(_(f"Invalid attribute format: {attribute_pair}")) + + for attr, value in kwargs.items(): + if attr == "password" or attr == "confirm_password": + continue + if is_safe_key(attr) or info.context.user.has_perm("vibes_auth.change_user"): + setattr(user, attr, value) + + user.save() + + return UpdateUser(user=user) + except User.DoesNotExist as dne: name = "User" raise Http404(_(f"{name} does not exist: {uuid}")) from dne - - if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user): - raise PermissionDenied(permission_denied_message) - - email = kwargs.get("email") - - if (email is not None and not 
is_valid_email(email)) or User.objects.filter(email=email).exclude( - uuid=uuid - ).exists(): - raise BadRequest(_("malformed email")) - - phone_number = kwargs.get("phone_number") - - if (phone_number is not None and not is_valid_phone_number(phone_number)) or ( - User.objects.filter(phone_number=phone_number).exclude(uuid=uuid).exists() and phone_number is not None - ): - raise BadRequest(_(f"malformed phone number: {phone_number}")) - - password = kwargs.get("password", "") - confirm_password = kwargs.get("confirm_password", "") - - if password: - validate_password(password=password, user=user) - - if not compare_digest(password, "") and compare_digest(password, confirm_password): - user.set_password(password) - user.save() - - attribute_pairs = kwargs.pop("attributes", "") - - if attribute_pairs: - for attribute_pair in attribute_pairs.split(";"): - if "-" in attribute_pair: - attr, value = attribute_pair.split("-", 1) - if not user.attributes: - user.attributes = {} - user.attributes.update({attr: value}) - else: - raise BadRequest(_(f"Invalid attribute format: {attribute_pair}")) - - for attr, value in kwargs.items(): - if attr == "password" or attr == "confirm_password": - continue - if attr not in [ - "groups", - "user_permissions", - "is_verified", - "is_staff", - "is_active", - "is_superuser", - ] or info.context.user.has_perm("vibes_auth.change_user"): - setattr(user, attr, value) - - user.save() - - return UpdateUser(user=user) + except Exception as e: + logger.warning("Could not update user: %s", str(e)) + logger.debug(traceback.format_exc()) + raise BadRequest(str(e)) from e class DeleteUser(BaseMutation):
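Review bot: The new `except Exception as e` at the end of the UpdateUser handler also catches the `PermissionDenied` and `BadRequest` raised earlier inside the same `try`, so an unauthorized caller now gets a `BadRequest` carrying the permission-denied text instead of a `PermissionDenied`, and any unexpected failure (database, serializer internals) has its raw `str(e)` forwarded to the client. Add a pass-through clause ahead of the catch-all, `except (PermissionDenied, BadRequest): raise`, and change the last line to a fixed message, `raise BadRequest(_("could not update user")) from e`, keeping the detail in the log only. The handler also uses `traceback` and `logger`, but the import hunk for this file adds only `is_safe_key`; if neither is already defined earlier in the file, the handler itself fails with NameError. Whether `validate_password` raising inside the `try` is meant to be rewrapped is unclear from here — confirm. The enclosing method's signature and the start of its `try` lie before this hunk.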