Address PR #1373 review: fix CI test failure + drop redundant comments

Test fix: graphql_jwt's @login_required wrapper requires a ResolveInfo
arg (uses isinstance check). Spec the MagicMock with ResolveInfo so the
decorator passes through to the wrapped guard. Imported ResolveInfo
from graphene (not graphql).

Style: dropped two inline 'subclasses must override' comments on
IOSettings fields. The ClassVar[Optional[type[...]]] = None annotation
already signals the intent and _require_io_setting documents the guard.

Author: JSv4

config/graphql/base.py

@@ -86,8 +86,6 @@ def resolve_total_count(root, info, **kwargs):
 class DRFDeletion(graphene.Mutation):
     class IOSettings(ABC):
         lookup_field: ClassVar[str] = "id"
-        # Concrete subclasses must override ``model`` with their Django model;
-        # see ``_require_io_setting`` for the runtime guard.
         model: ClassVar[Optional[type[django.db.models.Model]]] = None
 
     class Arguments:
@@ -148,8 +146,6 @@ class DRFMutation(graphene.Mutation):
     class IOSettings(ABC):
         pk_fields: ClassVar[list[str]] = []
         lookup_field: ClassVar[str] = "id"
-        # Concrete subclasses must override ``model``, ``graphene_model`` and
-        # ``serializer``; see ``_require_io_setting`` for the runtime guard.
         model: ClassVar[Optional[type[django.db.models.Model]]] = None
         graphene_model: ClassVar[Optional[type[DjangoObjectType]]] = None
         serializer: ClassVar[Optional[type[serializers.Serializer]]] = None

opencontractserver/tests/test_security_hardening.py

@@ -1264,14 +1264,20 @@ def test_drf_deletion_mutate_raises_when_lookup_value_missing(self):
         """``DRFDeletion.mutate`` must raise ``ValueError`` when the lookup arg is omitted."""
         from unittest.mock import MagicMock
 
+        from graphene import ResolveInfo
+
         from config.graphql.base import DRFDeletion
 
         class _DeleteCorpus(DRFDeletion):
             class IOSettings(DRFDeletion.IOSettings):
                 model = Corpus
                 lookup_field = "id"
 
-        info = MagicMock()
+        # ``@login_required`` from graphql_jwt looks for a ``ResolveInfo`` arg
+        # via ``isinstance``; spec the mock so the decorator passes through
+        # to the wrapped function where the real lookup-value check fires.
+        info = MagicMock(spec=ResolveInfo)
+        info.context = MagicMock()
         info.context.user = MagicMock(is_authenticated=True)
 
         with self.assertRaises(ValueError) as ctx: