Add location-based row level security to group and individual

individual/gql_mutations.py

@@ -1,6 +1,7 @@
 import graphene
 from django.core.exceptions import ValidationError
 from django.db import transaction
+from django.db.models import Subquery, Q
 
 from core.gql.gql_mutations.base_mutation import BaseHistoryModelDeleteMutationMixin, BaseMutation, \
     BaseHistoryModelUpdateMutationMixin, BaseHistoryModelCreateMutationMixin
@@ -9,13 +10,15 @@
 from individual.models import Individual, Group, GroupIndividual
 from individual.services import IndividualService, GroupService, GroupIndividualService, \
     CreateGroupAndMoveIndividualService
+from location.models import Location, LocationManager
 
 
 class CreateIndividualInputType(OpenIMISMutation.Input):
     first_name = graphene.String(required=True, max_length=255)
     last_name = graphene.String(required=True, max_length=255)
     dob = graphene.Date(required=True)
     json_ext = graphene.types.json.JSONString(required=False)
+    village_id = graphene.Int(required=False)
 
 
 class UpdateIndividualInputType(CreateIndividualInputType):
@@ -55,6 +58,7 @@ def resolve_recipient_type(self, info):
 class CreateGroupInputType(OpenIMISMutation.Input):
     code = graphene.String(required=True)
     individuals_data = graphene.List(CreateGroupIndividualInputTypeInputObjectType, required=False)
+    village_id = graphene.Int(required=False)
 
 
 class UpdateGroupInputType(CreateGroupInputType):
@@ -82,6 +86,10 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_individual_create_perms):
             raise ValidationError("mutation.authentication_required")
+        if 'village_id' in data:
+            village = Location.objects.get(id=data['village_id'])
+            if village not in Location.get_queryset(None, user):
+                raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):
@@ -110,6 +118,10 @@ def _validate_mutation(cls, user, **data):
                 IndividualConfig.gql_individual_update_perms):
             raise ValidationError("mutation.authentication_required")
 
+        village = Individual.objects.get(id=data['id']).village
+        if village and village not in Location.get_queryset(None, user):
+            raise ValidationError("mutation.authentication_required")
+
     @classmethod
     def _mutate(cls, user, **data):
         if "client_mutation_id" in data:
@@ -140,6 +152,15 @@ def _validate_mutation(cls, user, **data):
                 IndividualConfig.gql_individual_delete_perms):
             raise ValidationError("mutation.authentication_required")
 
+        villages_qs = Location.objects.filter(individual__id__in=data['ids'], type='V')
+        # must first check if villages_qs exists in case none of the individuals has location
+        if villages_qs.exists():
+            allowed_loc_ids = Location.get_queryset(None, user).values('id')
+            not_in_allowed = villages_qs.exclude(id__in=Subquery(allowed_loc_ids))
+            # all individuals' villages must be within permission for the given user
+            if not allowed_loc_ids.exists() or not_in_allowed.exists():
+                raise ValidationError("mutation.authentication_required")
+
     @classmethod
     def _mutate(cls, user, **data):
         if "client_mutation_id" in data:
@@ -175,6 +196,15 @@ def _validate_mutation(cls, user, **data):
                 IndividualConfig.gql_individual_undo_delete_perms):
             raise ValidationError("mutation.authentication_required")
 
+        villages_qs = Location.objects.filter(individual__id__in=data['ids'], type='V')
+        # must first check if villages_qs exists in case none of the individuals has location
+        if villages_qs.exists():
+            allowed_loc_ids = Location.get_queryset(None, user).values('id')
+            not_in_allowed = villages_qs.exclude(id__in=Subquery(allowed_loc_ids))
+            # all individuals' villages must be within permission for the given user
+            if not allowed_loc_ids.exists() or not_in_allowed.exists():
+                raise ValidationError("mutation.authentication_required")
+
     @classmethod
     def _mutate(cls, user, **data):
         if "client_mutation_id" in data:
@@ -205,6 +235,10 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_group_create_perms):
             raise ValidationError("mutation.authentication_required")
+        if 'village_id' in data:
+            village = Location.objects.get(id=data['village_id'])
+            if village not in Location.get_queryset(None, user):
+                raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):
@@ -232,6 +266,9 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_group_update_perms):
             raise ValidationError("mutation.authentication_required")
+        village = Group.objects.get(id=data['id']).village
+        if village and village not in Location.get_queryset(None, user):
+            raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):
@@ -260,6 +297,15 @@ def _validate_mutation(cls, user, **data):
                 IndividualConfig.gql_group_delete_perms):
             raise ValidationError("mutation.authentication_required")
 
+        villages_qs = Location.objects.filter(group__id__in=data['ids'], type='V')
+        # must first check if villages_qs exists in case none of the groups has location
+        if villages_qs.exists():
+            allowed_loc_ids = Location.get_queryset(None, user).values('id')
+            not_in_allowed = villages_qs.exclude(id__in=Subquery(allowed_loc_ids))
+            # all groups' villages must be within permission for the given user
+            if not allowed_loc_ids.exists() or not_in_allowed.exists():
+                raise ValidationError("mutation.authentication_required")
+
     @classmethod
     def _mutate(cls, user, **data):
         if "client_mutation_id" in data:
@@ -290,6 +336,13 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_group_create_perms):
             raise ValidationError("mutation.authentication_required")
+        group_village = Group.objects.get(id=data['group_id']).village
+        individual_village = Individual.objects.get(id=data['individual_id']).village
+        if group_village and individual_village:
+            if group_village.id != individual_village.id:
+                raise ValidationError("mutation.individual_group_village_mismatch")
+            elif group_village not in Location.get_queryset(None, user):
+                raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):
@@ -317,6 +370,13 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_group_update_perms):
             raise ValidationError("mutation.authentication_required")
+        group_village = Group.objects.get(id=data['group_id']).village
+        individual_village = Individual.objects.get(id=data['individual_id']).village
+        if group_village and individual_village:
+            if group_village.id != individual_village.id:
+                raise ValidationError("mutation.individual_group_village_mismatch")
+            elif group_village not in Location.get_queryset(None, user):
+                raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):
@@ -347,6 +407,19 @@ def _validate_mutation(cls, user, **data):
         if not user.has_perms(
                 IndividualConfig.gql_group_delete_perms):
             raise ValidationError("mutation.authentication_required")
+        villages_qs = Location.objects.filter(
+            type='V'
+        ).filter(
+            Q(group__groupindividual__id__in=data['ids']) |
+            Q(individual__groupindividual__id__in=data['ids'])
+        )
+        # must first check if villages_qs exists in case none of the groups or individuals has location
+        if villages_qs.exists():
+            allowed_loc_ids = Location.get_queryset(None, user).values('id')
+            not_in_allowed = villages_qs.exclude(id__in=Subquery(allowed_loc_ids))
+            # all groups' & individuals' villages must be within permission for the given user
+            if not allowed_loc_ids.exists() or not_in_allowed.exists():
+                raise ValidationError("mutation.authentication_required")
 
     @classmethod
     def _mutate(cls, user, **data):

individual/gql_queries.py

@@ -1,6 +1,7 @@
 import graphene
 from django.contrib.auth.models import AnonymousUser
 from graphene_django import DjangoObjectType
+import graphene_django_optimizer as gql_optimizer
 
 from core import prefix_filterset, ExtendedConnection
 from core.gql_queries import UserGQLType
@@ -43,6 +44,10 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        return Individual.get_queryset(queryset, info.context.user)
+
 
 class IndividualHistoryGQLType(DjangoObjectType):
     uuid = graphene.String(source='uuid')
@@ -68,6 +73,13 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        accessible_individual_query = Individual.get_queryset(None, info.context.user)
+        accessible_individuals = gql_optimizer.query(accessible_individual_query, info)
+        accessible_uuids = set(accessible_individuals.values_list('uuid', flat=True))
+        return queryset.filter(id__in=accessible_uuids)
+
 
 class IndividualDataSourceUploadGQLType(DjangoObjectType):
     uuid = graphene.String(source='uuid')
@@ -132,6 +144,10 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        return Group.get_queryset(queryset, info.context.user)
+
 
 class GroupHistoryGQLType(DjangoObjectType):
     uuid = graphene.String(source='uuid')
@@ -161,6 +177,13 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        accessible_group_query = Group.get_queryset(None, info.context.user)
+        accessible_groups = gql_optimizer.query(accessible_group_query, info)
+        accessible_uuids = set(accessible_groups.values_list('uuid', flat=True))
+        return queryset.filter(id__in=accessible_uuids)
+
 
 class GroupIndividualGQLType(DjangoObjectType):
     uuid = graphene.String(source='uuid')
@@ -181,6 +204,10 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        return GroupIndividual.get_queryset(queryset, info.context.user)
+
 
 class GroupIndividualHistoryGQLType(DjangoObjectType):
     uuid = graphene.String(source='uuid')
@@ -205,6 +232,13 @@ class Meta:
         }
         connection_class = ExtendedConnection
 
+    @classmethod
+    def get_queryset(cls, queryset, info):
+        accessible_group_query = Group.get_queryset(None, info.context.user)
+        accessible_groups = gql_optimizer.query(accessible_group_query, info)
+        accessible_uuids = set(accessible_groups.values_list('uuid', flat=True))
+        return queryset.filter(group__id__in=accessible_uuids)
+
 
 class IndividualDataUploadQGLType(DjangoObjectType, JsonExtMixin):
     uuid = graphene.String(source='uuid')

individual/migrations/0017_group_village_historicalgroup_village_and_more.py

@@ -0,0 +1,35 @@
+# Generated by Django 4.2.13 on 2024-09-05 15:27
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('location', '0018_auto_20230925_2243'),
+        ('individual', '0016_remove_recipient_from_role'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='group',
+            name='village',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.DO_NOTHING, to='location.location'),
+        ),
+        migrations.AddField(
+            model_name='historicalgroup',
+            name='village',
+            field=models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='location.location'),
+        ),
+        migrations.AddField(
+            model_name='historicalindividual',
+            name='village',
+            field=models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='location.location'),
+        ),
+        migrations.AddField(
+            model_name='individual',
+            name='village',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.DO_NOTHING, to='location.location'),
+        ),
+    ]