Disable introspection gql (#1536)

tl-its-umich-edu · Sep 12, 2023 · 2dd6de3 · 2dd6de3
1 parent 4b57814
commit 2dd6de3
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/dashboard/graphql/view.py b/dashboard/graphql/view.py
@@ -1,5 +1,5 @@
 from graphene_django.views import GraphQLView
-import json
+from django.contrib.auth.mixins import LoginRequiredMixin
 from dashboard.common.db_util import canvas_id_to_incremented_id
 from dashboard.graphql.loaders import AssignmentsByCourseIdLoader, \
     SubmissionsByAssignmentIdLoader, SubmissionByAssignmentIdAndUserIdLoader, \
@@ -17,7 +17,7 @@
 logger = logging.getLogger(__name__)
 
 
-class DashboardGraphQLView(GraphQLView):
+class DashboardGraphQLView(LoginRequiredMixin, GraphQLView):
     def get_context(self, request):
         loaders = {
             'assignment_weight_consideration_by_course_id_loader': AssignmentWeightConsiderationByCourseIdLoader(

diff --git a/dashboard/middleware/disableintrospection.py b/dashboard/middleware/disableintrospection.py
@@ -0,0 +1,18 @@
+class IntrospectionDisabledException(Exception):
+     """
+     Disabling introspection in production mode
+     """
+     def __init__(self, message="Introspection is disabled."):
+        self.message = message
+        super().__init__(self.message)
+
+class DisableIntrospectionMiddleware:
+    """
+    This class hides the introspection.
+    """
+
+    def resolve(self, next, root, info, **kwargs):
+        if info.field_name.lower() in ['__schema', '_introspection']:
+            raise IntrospectionDisabledException
+        return next(root, info, **kwargs)
+
diff --git a/dashboard/urls.py b/dashboard/urls.py
@@ -27,6 +27,8 @@
 
 from django.views.decorators.cache import cache_page
 
+from dashboard.middleware.disableintrospection import DisableIntrospectionMiddleware
+
 from . import views
 
 import watchman.views
@@ -42,7 +44,7 @@
     path('admin/', admin.site.urls),
 
     # Note the absence of a trailing slash; adding one breaks the GraphQL implementation.
-    path('graphql', DashboardGraphQLView.as_view(graphiql=settings.DEBUG)),
+    path('graphql', DashboardGraphQLView.as_view( middleware=[] if settings.DEBUG else [DisableIntrospectionMiddleware],graphiql=settings.DEBUG)),
 
     # This is the courses catch-all. Most user-initiated requests will match the regular expression; then the React
     # front-end will manage any additional routing.