Features: 1) Add language validation and fallback for users without proper language settings in initialize.py; 2) Enhance user update mutation with improved error handling and dynamic attribute support; 3) Integrate is_safe_key validation in user attribute updates for better security.

Fixes: 1) Add missing imports for `settings`, `Q`, and `is_safe_key`; 2) Correct user permissions keys in `lists.py` utility. Extra: 1) Refactor `UpdateUser` mutation for cleaner structure and unified error handling; 2) Format and tidy up list declarations and exception handling for clarity.
2025-11-25 14:26:14 +03:00 · 2025-11-25 14:26:14 +03:00 · 43ece8c25c
commit 43ece8c25c
parent 476e9c73c5
3 changed files with 63 additions and 58 deletions
--- a/engine/core/management/commands/initialize.py
+++ b/engine/core/management/commands/initialize.py
@ -1,11 +1,13 @@
 import logging
 from typing import Any

+from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.core.management.base import BaseCommand
+from django.db.models import Q

 from engine.core.models import Vendor
-from engine.vibes_auth.models import Group
+from engine.vibes_auth.models import Group, User

 logger = logging.getLogger(__name__)

@ -155,4 +157,7 @@ class Command(BaseCommand):
            perms = Permission.objects.filter(codename__in=e_commerce_admin_permissions)
            e_commerce_admin.permissions.add(*perms)

+        valid_codes = [code for code, _ in settings.LANGUAGES]
+        (User.objects.filter(Q(language="") | ~Q(language__in=valid_codes)).update(language=settings.LANGUAGE_CODE))
+
        self.stdout.write(self.style.SUCCESS("Successfully initialized must-have instances!"))
--- a/engine/core/utils/lists.py
+++ b/engine/core/utils/lists.py
@ -16,5 +16,7 @@ BAD_KEYS_TO_LISTEN = [
    "is_staff",
    "is_superuser",
    "is_active",
-    "active",
+    "is_verified",
+    "groups",
+    "user_permissions",
 ]
--- a/engine/vibes_auth/graphene/mutations.py
+++ b/engine/vibes_auth/graphene/mutations.py
@ -17,6 +17,7 @@ from graphene_file_upload.scalars import Upload

 from engine.core.graphene import BaseMutation
 from engine.core.utils.messages import permission_denied_message
+from engine.core.utils.security import is_safe_key
 from engine.vibes_auth.graphene.object_types import UserType
 from engine.vibes_auth.models import User
 from engine.vibes_auth.serializers import (
@ -107,10 +108,6 @@ class UpdateUser(BaseMutation):
        try:
            user = User.objects.get(uuid=uuid)

-        except User.DoesNotExist as dne:
-            name = "User"
-            raise Http404(_(f"{name} does not exist: {uuid}")) from dne
-
            if not (info.context.user.has_perm("vibes_auth.change_user") or info.context.user == user):
                raise PermissionDenied(permission_denied_message)

@ -153,20 +150,21 @@ class UpdateUser(BaseMutation):
            for attr, value in kwargs.items():
                if attr == "password" or attr == "confirm_password":
                    continue
-            if attr not in [
-                "groups",
-                "user_permissions",
-                "is_verified",
-                "is_staff",
-                "is_active",
-                "is_superuser",
-            ] or info.context.user.has_perm("vibes_auth.change_user"):
+                if is_safe_key(attr) or info.context.user.has_perm("vibes_auth.change_user"):
                    setattr(user, attr, value)

                user.save()

            return UpdateUser(user=user)

+        except User.DoesNotExist as dne:
+            name = "User"
+            raise Http404(_(f"{name} does not exist: {uuid}")) from dne
+        except Exception as e:
+            logger.warning("Could not update user: %s", str(e))
+            logger.debug(traceback.format_exc())
+            raise BadRequest(str(e)) from e
+

 class DeleteUser(BaseMutation):
    class Arguments: