Features: 1) Add language validation and fallback for users without proper language settings in initialize.py; 2) Enhance user update mutation with improved error handling and dynamic attribute support; 3) Integrate is_safe_key validation in user attribute updates for better security.

Fixes: 1) Add missing imports for `settings`, `Q`, and `is_safe_key`; 2) Correct user permissions keys in `lists.py` utility.

Extra: 1) Refactor `UpdateUser` mutation for cleaner structure and unified error handling; 2) Format and tidy up list declarations and exception handling for clarity.

engine/core/management/commands/initialize.py

@@ -1,11 +1,13 @@
 import logging
 from typing import Any
 
+from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.core.management.base import BaseCommand
+from django.db.models import Q
 
 from engine.core.models import Vendor
-from engine.vibes_auth.models import Group
+from engine.vibes_auth.models import Group, User
 
 logger = logging.getLogger(__name__)
 
@@ -155,4 +157,7 @@ class Command(BaseCommand):
             perms = Permission.objects.filter(codename__in=e_commerce_admin_permissions)
             e_commerce_admin.permissions.add(*perms)
 
+        valid_codes = [code for code, _ in settings.LANGUAGES]
+        (User.objects.filter(Q(language="") | ~Q(language__in=valid_codes)).update(language=settings.LANGUAGE_CODE))
+
         self.stdout.write(self.style.SUCCESS("Successfully initialized must-have instances!"))

engine/core/utils/lists.py

@@ -16,5 +16,7 @@ BAD_KEYS_TO_LISTEN = [
     "is_staff",
     "is_superuser",
     "is_active",
-    "active",
+    "is_verified",
+    "groups",
+    "user_permissions",
 ]

engine/vibes_auth/graphene/mutations.py

@@ -17,6 +17,7 @@ from graphene_file_upload.scalars import Upload
 
 from engine.core.graphene import BaseMutation
 from engine.core.utils.messages import permission_denied_message
+from engine.core.utils.security import is_safe_key
 from engine.vibes_auth.graphene.object_types import UserType
 from engine.vibes_auth.models import User
 from engine.vibes_auth.serializers import (
@@ -107,10 +108,6 @@ class UpdateUser(BaseMutation):
         try:
             user = User.objects.get(uuid=uuid)
 
-        except User.DoesNotExist as dne:
-            name = "User"
-            raise Http404(_(f"{name} does not exist: {uuid}")) from dne
-
             if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user):
                 raise PermissionDenied(permission_denied_message)
 
@@ -153,20 +150,21 @@ class UpdateUser(BaseMutation):
             for attr, value in kwargs.items():
                 if attr == "password" or attr == "confirm_password":
                     continue
-            if attr not in [
+                if is_safe_key(attr) or info.context.user.has_perm("vibes_auth.change_user"):
-                "groups",
-                "user_permissions",
-                "is_verified",
-                "is_staff",
-                "is_active",
-                "is_superuser",
-            ] or info.context.user.has_perm("vibes_auth.change_user"):
                     setattr(user, attr, value)
 
                 user.save()
 
             return UpdateUser(user=user)
 
+        except User.DoesNotExist as dne:
+            name = "User"
+            raise Http404(_(f"{name} does not exist: {uuid}")) from dne
+        except Exception as e:
+            logger.warning("Could not update user: %s", str(e))
+            logger.debug(traceback.format_exc())
+            raise BadRequest(str(e)) from e
+
 
 class DeleteUser(BaseMutation):
     class Arguments: