nexus-5/config/urls.py
2026-01-26 11:09:40 -05:00


from django.contrib import admin
from django.urls import path, re_path
from django.views.decorators.csrf import csrf_exempt
from django.http import HttpResponseForbidden
from strawberry.django.views import AsyncGraphQLView
from core.graphql.schema import schema
from core.views import (
upload_service_session_image,
upload_project_session_image,
upload_service_session_video,
upload_project_session_video,
serve_protected_media,
media_auth_check,
)
class AdminOnlyGraphQLView(AsyncGraphQLView):
    """Async GraphQL view whose GraphiQL IDE page is served to ADMIN profiles only.

    Only ``render_graphql_ide`` is overridden, so this class gates the
    interactive IDE page and nothing else. Query execution and schema
    introspection on the same endpoint are not restricted here; they need
    their own authorization (resolver/permission level).
    """

    async def render_graphql_ide(self, request):
        """Render GraphiQL for an ADMIN profile, otherwise answer 403.

        The check fails closed: a request with no ``profile`` attribute, a
        falsy profile, or a profile lacking ``role`` is refused.
        """
        # NOTE(review): request.profile is presumably attached by an
        # authentication middleware not shown in this file; confirm it is
        # derived from a verified credential, never from client-supplied data.
        profile = getattr(request, 'profile', None)
        role = getattr(profile, 'role', None) if profile else None
        if role == 'ADMIN':
            return await super().render_graphql_ide(request)
        return HttpResponseForbidden("GraphiQL is only available to administrators")
# Project URL table.
#
# NOTE(review): the GraphQL endpoint and all four upload endpoints are wrapped
# in csrf_exempt, so Django's CSRF check is skipped for them. That is only
# safe if these views authenticate with a credential the browser does not
# attach automatically (e.g. an Authorization header). If any of them also
# accepts the session cookie, it needs CSRF protection or a strict Origin
# check. Confirm against the authentication code.
urlpatterns = [
    path("admin/", admin.site.urls),
    # graphiql=True turns on the IDE; AdminOnlyGraphQLView limits who can
    # render it. Query execution on this route is not gated by that class.
    path(
        "graphql/",
        csrf_exempt(
            AdminOnlyGraphQLView.as_view(schema=schema, graphiql=True)
        ),
    ),
    # Media upload endpoints (CSRF-exempt, see note above).
    path(
        "api/upload/photo/service/",
        csrf_exempt(upload_service_session_image),
        name="upload_service_session_image",
    ),
    path(
        "api/upload/photo/project/",
        csrf_exempt(upload_project_session_image),
        name="upload_project_session_image",
    ),
    path(
        "api/upload/video/service/",
        csrf_exempt(upload_service_session_video),
        name="upload_service_session_video",
    ),
    path(
        "api/upload/video/project/",
        csrf_exempt(upload_project_session_video),
        name="upload_project_session_video",
    ),
    # `(?P<path>.*)` captures the rest of the URL unfiltered, including an
    # empty string and "../" segments.
    # NOTE(review): the views must normalise and authorise `path` themselves
    # before using it as a file path or object key; verify in core.views.
    re_path(
        r"^api/media/(?P<path>.*)$",
        serve_protected_media,
        name="serve_protected_media",
    ),
    # Auth check endpoint for nginx auth_request (S3 media proxy)
    # NOTE(review): nginx treats a 2xx reply as "allow" and 401/403 as "deny",
    # so this view should deny by default on any error path.
    re_path(
        r"^api/media-auth/(?P<path>.*)$",
        media_auth_check,
        name="media_auth_check",
    ),
]