remove password related user fields from gql. Require admin permissio…

…ns to query some user fields.
sillsdev · Jan 24, 2024 · 89f9ab8 · 89f9ab8
1 parent d2a6e99
commit 89f9ab8
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/backend/LexBoxApi/Auth/Attributes/AdminRequiredAttribute.cs b/backend/LexBoxApi/Auth/Attributes/AdminRequiredAttribute.cs
@@ -9,3 +9,12 @@ public AdminRequiredAttribute() : base(PolicyName)
     {
     }
 }
+
+
+public static class AdminRequiredAttributeExtensions
+{
+    public static IObjectFieldDescriptor AdminRequired(this IObjectFieldDescriptor descriptor)
+    {
+        return descriptor.Authorize(AdminRequiredAttribute.PolicyName);
+    }
+}
diff --git a/backend/LexBoxApi/GraphQL/CustomTypes/UserGqlConfiguration.cs b/backend/LexBoxApi/GraphQL/CustomTypes/UserGqlConfiguration.cs
@@ -0,0 +1,21 @@
+using LexBoxApi.Auth.Attributes;
+using LexCore.Entities;
+
+namespace LexBoxApi.GraphQL.CustomTypes;
+
+[ObjectType]
+public class UserGqlConfiguration : ObjectType<User>
+{
+    protected override void Configure(IObjectTypeDescriptor<User> descriptor)
+    {
+        descriptor.Ignore(u => u.Salt);
+        descriptor.Ignore(u => u.PasswordHash);
+        descriptor.Ignore(u => u.CanLogin());
+
+        descriptor.Field(u => u.Email).AdminRequired();
+        descriptor.Field(u => u.EmailVerified).AdminRequired();
+        descriptor.Field(u => u.Username).AdminRequired();
+        descriptor.Field(u => u.Projects).AdminRequired();
+        descriptor.Field(u => u.Locked).AdminRequired();
+    }
+}
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
@@ -135,6 +135,7 @@ type Project {
   deletedDate: DateTime
   resetStatus: ResetStatus!
   projectOrigin: ProjectMigrationStatus!
+  migratedDate: DateTime
   userCount: Int!
   updatedDate: DateTime!
 }
@@ -181,19 +182,16 @@ type UniqueValueError implements Error {
 }
 
 type User {
-  canLogin: Boolean!
+  email: String! @authorize(policy: "AdminRequiredPolicy")
+  emailVerified: Boolean! @authorize(policy: "AdminRequiredPolicy")
+  username: String @authorize(policy: "AdminRequiredPolicy")
+  projects: [ProjectUsers!]! @authorize(policy: "AdminRequiredPolicy")
+  locked: Boolean! @authorize(policy: "AdminRequiredPolicy")
   name: String!
-  email: String!
   localizationCode: String!
   isAdmin: Boolean!
-  passwordHash: String!
-  salt: String!
   lastActive: DateTime!
-  emailVerified: Boolean!
   canCreateProjects: Boolean!
-  locked: Boolean!
-  username: String
-  projects: [ProjectUsers!]!
   id: UUID!
   createdDate: DateTime!
   updatedDate: DateTime!
@@ -331,6 +329,7 @@ input ProjectFilterInput {
   resetStatus: ResetStatusOperationFilterInput
   projectOrigin: ProjectMigrationStatusOperationFilterInput
   migrationStatus: ProjectMigrationStatusOperationFilterInput
+  migratedDate: DateTimeOperationFilterInput
   userCount: IntOperationFilterInput
   id: UuidOperationFilterInput
   createdDate: DateTimeOperationFilterInput
@@ -363,6 +362,7 @@ input ProjectSortInput {
   resetStatus: SortEnumType
   projectOrigin: SortEnumType
   migrationStatus: SortEnumType
+  migratedDate: SortEnumType
   userCount: SortEnumType
   id: SortEnumType
   createdDate: SortEnumType