Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PoC for raw queries instead of graphQL #167

Merged
merged 2 commits into from
Feb 3, 2025
Merged

PoC for raw queries instead of graphQL #167

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9f28e7f
PoC for raw queries instead of graphQL
oharsta Jan 30, 2025
9906361
WIP for raw queries
oharsta Jan 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions apps/mainsite/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ def legacy_boolean_parsing(env_key, default_value):
'signing',
'staff',
'insights',
'queries',
'lti13',
'ob3',
'notifications',
Expand Down
3 changes: 3 additions & 0 deletions apps/mainsite/urls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,9 @@
# include insights endpoints
url(r'^insights/', include('insights.api_urls')),

# include queries endpoints
url(r'^queries/', include('queries.api_urls')),

# ob3 poc, proxies impierce endpoints
url(r'^ob3/', include('ob3.api_urls')),

Expand Down
Empty file added apps/queries/__init__.py
View file
Open in desktop
Empty file.
104 changes: 104 additions & 0 deletions apps/queries/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
from django.db import connection
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

from directaward.models import DirectAward
from mainsite.permissions import TeachPermission

permissions_query = """
(
(exists (select 1 from staff_institutionstaff insst where insst.institution_id = ins.id and insst.user_id = %(u_id)s and insst.may_award = 1))
or
(exists (select 1 from staff_facultystaff facst where facst.faculty_id = f.id and facst.user_id = %(u_id)s and facst.may_award = 1))
or
(exists (select 1 from staff_issuerstaff issst where issst.issuer_id = i.id and issst.user_id = %(u_id)s and issst.may_award = 1))
or
(exists (select 1 from staff_badgeclassstaff bcst where bcst.badgeclass_id = bc.id and bcst.user_id = %(u_id)s and bcst.may_award = 1))
or
(exists (select 1 from users us where us.id = %(u_id)s and us.is_superuser = 1))
)
"""


def dict_fetch_all(cursor):
desc = cursor.description
rows = cursor.fetchall()
res = [dict(zip([col[0] for col in desc], row)) for row in rows]
return res


class DirectAwards(APIView):
permission_classes = (TeachPermission,)

def get(self, request, **kwargs):
unclaimed = request.GET.get("status", "unclaimed") == "unclaimed"
status_param = [DirectAward.STATUS_UNACCEPTED, DirectAward.STATUS_SCHEDULED] if unclaimed else [
DirectAward.STATUS_DELETED]
with connection.cursor() as cursor:
cursor.execute(f"""
select da.created_at, da.resend_at, da.delete_at, da.recipient_email as recipientEmail, da.eppn, da.entity_id as entityId,
Comment on lines +39 to +40

Check warning

Code scanning / Bandit

Possible SQL injection vector through string-based query construction. Warning

Possible SQL injection vector through string-based query construction.
bc.name, bc.entity_id as bc_entity_id,
i.name_english as i_name_english, i.name_dutch as i_name_dutch, i.entity_id as i_entity_id,
f.name_english as f_name_english, f.name_dutch as f_name_dutch, f.entity_id as f_entity_id,
ins.name_english as ins_name_english, ins.name_dutch as ins_name_dutch, ins.entity_id as ins_entity_id
from directaward_directaward da
inner join issuer_badgeclass bc on bc.id = da.badgeclass_id
inner join issuer_issuer i on i.id = bc.issuer_id
inner join institution_faculty f on f.id = i.faculty_id
inner join institution_institution ins on ins.id = f.institution_id
where ins.id = %(ins_id)s and da.status in %(status)s and {permissions_query} ;
""", {"ins_id": request.user.institution.id, "u_id": request.user.id, "status": status_param})
return Response(dict_fetch_all(cursor), status=status.HTTP_200_OK)


class BadgeClasses(APIView):
permission_classes = (TeachPermission,)

def get(self, request, **kwargs):
with connection.cursor() as cursor:
cursor.execute("""
select bc.created_at, bc.name, bc.image, bc.entity_id, bc.archived, bc.image, bc.entity_id as bc_entity_id,
bc.badge_class_type,
i.name_english as i_name_english, i.name_dutch as i_name_dutch, i.entity_id as i_entity_id,
i.image_dutch as i_image_dutch, i.image_english as i_image_english,
f.name_english as f_name_english, f.name_dutch as f_name_dutch, f.entity_id as f_entity_id,
f.on_behalf_of, f.on_behalf_of_display_name, f.image_dutch as f_image_dutch, f.image_english as f_image_english,
(SELECT GROUP_CONCAT(DISTINCT isbt.name) FROM institution_badgeclasstag isbt
INNER JOIN issuer_badgeclass_tags ibt ON ibt.badgeclasstag_id = isbt.id
WHERE ibt.badgeclass_id = bc.id) AS tags,
(select count(id) from issuer_badgeinstance WHERE badgeclass_id = bc.id AND award_type = 'requested') as count_requested,
(select count(id) from issuer_badgeinstance WHERE badgeclass_id = bc.id AND award_type = 'direct_award') as count_direct_award,
(select 1 from staff_institutionstaff insst where insst.institution_id = ins.id and insst.user_id = %(u_id)s and insst.may_award = 1) as ins_staff,
(select 1 from staff_facultystaff facst where facst.faculty_id = f.id and facst.user_id = %(u_id)s and facst.may_award = 1) as fac_staff,
(select 1 from staff_issuerstaff issst where issst.issuer_id = i.id and issst.user_id = %(u_id)s and issst.may_award = 1) as iss_staff,
(select 1 from staff_badgeclassstaff bcst where bcst.badgeclass_id = bc.id and bcst.user_id = %(u_id)s and bcst.may_award = 1) as bc_staff
from issuer_badgeclass bc
inner join issuer_issuer i on i.id = bc.issuer_id
inner join institution_faculty f on f.id = i.faculty_id
inner join institution_institution ins on ins.id = f.institution_id
where ins.id = %(ins_id)s ;
""", {"ins_id": request.user.institution.id, "u_id": request.user.id})
return Response(dict_fetch_all(cursor), status=status.HTTP_200_OK)


class CatalogBadgeClasses(APIView):

def get(self, request, **kwargs):
with connection.cursor() as cursor:
cursor.execute("""
select bc.created_at, bc.name, bc.image, bc.entity_id, bc.archived, bc.image, bc.entity_id as bc_entity_id,
bc.badge_class_type,
i.name_english as i_name_english, i.name_dutch as i_name_dutch, i.entity_id as i_entity_id,
i.image_dutch as i_image_dutch, i.image_english as i_image_english,
f.name_english as f_name_english, f.name_dutch as f_name_dutch, f.entity_id as f_entity_id,
f.on_behalf_of, f.on_behalf_of_display_name, f.image_dutch as f_image_dutch, f.image_english as f_image_english,
ins.name_english as ins_name_english, ins.name_dutch as ins_name_dutch, ins.entity_id as ins_entity_id,
ins.institution_type
from issuer_badgeclass bc
inner join issuer_issuer i on i.id = bc.issuer_id
inner join institution_faculty f on f.id = i.faculty_id
inner join institution_institution ins on ins.id = f.institution_id
where bc.is_private = 0;
""", {})
return Response(dict_fetch_all(cursor), status=status.HTTP_200_OK)
10 changes: 10 additions & 0 deletions apps/queries/api_urls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
from django.conf.urls import url

from queries.api import DirectAwards, BadgeClasses, CatalogBadgeClasses

urlpatterns = [
url(r'^direct-awards', DirectAwards.as_view(), name='api_queries_da'),
url(r'^badge-classes', BadgeClasses.as_view(), name='api_queries_bc'),
url(r'^catalog/badge-classes', CatalogBadgeClasses.as_view(), name='api_queries_bc'),

]
Loading