From 1d188f46374a40f3c4d92ccf123c64826c8bf19f Mon Sep 17 00:00:00 2001
From: Marius <38134006+realmayus@users.noreply.github.com>
Date: Tue, 3 Sep 2024 12:40:38 +0200
Subject: [PATCH] Fix: don't insert "fake" context in userSessions map in roles resolver (#1132)

* fix: don't use loginAsUser in roles resolver, use `evaluateUserRoles` directly

* use await, clean up imports
---
 graphql/authentication.ts | 14 +++++---------
 graphql/user/fields.ts    | 17 ++---------------
 2 files changed, 7 insertions(+), 24 deletions(-)

diff --git a/graphql/authentication.ts b/graphql/authentication.ts
index 34f4ea01b..32dadbe56 100644
--- a/graphql/authentication.ts
+++ b/graphql/authentication.ts
@@ -113,20 +113,16 @@ function ensureSession(context: GraphQLContext) {
     }
 }
 
-export async function loginAsUser(user: User, context: GraphQLContext, noSession = false) {
-    if (!noSession) {
-        ensureSession(context);
-    }
+export async function loginAsUser(user: User, context: GraphQLContext) {
+    ensureSession(context);
 
     const roles = await evaluateUserRoles(user);
     context.user = { ...user, roles };
 
-    if (!noSession) {
-        await userSessions.set(context.sessionToken, context.user);
-        logger.info(`[${context.sessionToken}] User(${user.userID}) successfully logged in`);
-        await updateLastLogin(user);
-    }
+    await userSessions.set(context.sessionToken, context.user);
+    logger.info(`[${context.sessionToken}] User(${user.userID}) successfully logged in`);
+    await updateLastLogin(user);
 }
 
 @Resolver((of) => UserType)
diff --git a/graphql/user/fields.ts b/graphql/user/fields.ts
index 808b461db..aec56885f 100644
--- a/graphql/user/fields.ts
+++ b/graphql/user/fields.ts
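Review bot: The new `logger.info` line writes `context.sessionToken` verbatim into the log, and the line just above it uses that same value as the key under which `userSessions.set` stores the logged-in user, so anyone with read access to the logs obtains a value that presumably identifies a live session. Prefer a non-secret correlation value, e.g. `logger.info(`User(${user.userID}) successfully logged in`);`, or `[${context.sessionID}]` if `sessionID` on GraphQLContext is a non-secret identifier (it is a separate field from `sessionToken`, as the removed fake context in fields.ts shows). Whether `ensureSession` issues a fresh token on login or keeps the one the client presented cannot be checked here because its body lies outside the hunk; since session creation is now unconditional in `loginAsUser`, a one-line comment on the function stating that guarantee would help readers, e.g. `// Always binds the login to the caller's session (ensureSession); use evaluateUserRoles directly when no session should be created.`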
@@ -12,7 +12,6 @@ import {
     notification_channel_enum as NotificationChannelEnum,
 } from '../generated';
 import { Root, Authorized, FieldResolver, Query, Resolver, Arg, Ctx, ObjectType, Field, Int } from 'type-graphql';
-import { UNAUTHENTICATED_USER, loginAsUser } from '../authentication';
 import { GraphQLContext } from '../context';
 import { Role } from '../authorizations';
 import { prisma } from '../../common/prisma';
@@ -21,7 +20,6 @@ import { queryUser, User, userForPupil, userForStudent } from '../../common/user
 import { UserType } from '../types/user';
 import { JSONResolver } from 'graphql-scalars';
 import { ACCUMULATED_LIMIT, LimitedQuery, LimitEstimated } from '../complexity';
-import { DEFAULT_PREFERENCES } from '../../common/notification/defaultPreferences';
 import { findUsers } from '../../common/user/search';
 import { getAppointmentsForUser, getEdgeAppointmentId, hasAppointmentsForUser } from '../../common/appointment/get';
 import { getMyContacts, UserContactType } from '../../common/chat/contacts';
@@ -34,8 +32,8 @@ import { Deprecated, Doc } from '../util';
 import { createChatSignature } from '../../common/chat/create';
 import assert from 'assert';
 import { getPushSubscriptions, publicKey } from '../../common/notification/channels/push';
-import _ from 'lodash';
 import { getUserNotificationPreferences } from '../../common/notification';
+import { evaluateUserRoles } from '../../common/user/evaluate_roles';
 
 @ObjectType()
 export class UserContact implements UserContactType {
@@ -117,18 +115,7 @@ export class UserFieldsResolver {
     @FieldResolver((returns) => [String])
     @Authorized(Role.ADMIN)
     async roles(@Root() user: User) {
-        const fakeContext: GraphQLContext = {
-            user: UNAUTHENTICATED_USER,
-            ip: '?',
-            prisma,
-            sessionToken: 'fake',
-            setCookie: () => {
-                /* ignore */
-            },
-            sessionID: 'FAKE',
-        };
-        await loginAsUser(user, fakeContext);
-        return fakeContext.user.roles;
+        return await evaluateUserRoles(user);
     }
 
     // -------- Notifications ---------------------
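Review bot: `return await evaluateUserRoles(user);` in an `async` method with no enclosing `try`/`catch` behaves the same as `return evaluateUserRoles(user);`; the `await` only adds a microtask hop, so keep it only if the extra frame in error traces is wanted, and say so in a comment. Because this fix exists precisely so that an admin reading another user's roles no longer registers a throwaway session, a short doc comment would preserve that reasoning, e.g. `/** The roles loginAsUser would store in context.user.roles, computed without creating a session. */`. The import hunks drop `UNAUTHENTICATED_USER`, `loginAsUser`, `DEFAULT_PREFERENCES` and `_`, but `GraphQLContext` and `prisma`, which this resolver no longer references, remain imported; if nothing else in fields.ts uses them they are dead imports too, which cannot be confirmed from the hunks shown. The enclosing `UserFieldsResolver` class starts and ends outside the hunk.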