
Permission System

See original GitHub issue

I would like to add a permission system but want some feedback on the API before I implement it.

You would have two options and I’m proposing to add both:

Option 1: Custom queryset method

This option would let you overwrite how a queryset is filtered.

from django.contrib.auth.models import User
from graphene import relay
from graphene_django import DjangoObjectType


class UserNode(DjangoObjectType):
  class Meta:
    model = User
    interfaces = (relay.Node,)
    only_fields = ('email', 'first_name', 'last_name')

  @classmethod
  def get_queryset(cls, queryset, args, request, info):
    # Proposed hook: every query for this type is narrowed to rows the caller owns.
    return queryset.filter(owner=request.user)

Option 2: Permissions List

This option would set up a Meta API to use to define permissions.

from django.contrib.auth.models import User
from graphene import relay
from graphene_django import DjangoObjectType


def auth_required(queryset, args, request, info):
  # is_authenticated() was a method on Django 1.x; from Django 2.0 it is a property (no parentheses).
  if request.user.is_authenticated():
    return queryset

  return queryset.none()


class UserNode(DjangoObjectType):
  class Meta:
    model = User
    interfaces = (relay.Node,)
    only_fields = ('email', 'first_name', 'last_name')
    permissions = [auth_required]

If these look like good APIs then I’ll implement.

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 33
  • Comments: 56 (19 by maintainers)

Top GitHub Comments

8 reactions
jkimbo commented, Mar 16, 2020

@sbernier1 I think overriding the default resolver is the way to go and I like your example. I think creating something like an AuthDjangoObjectType could work. I’m thinking an API like this:

from django.contrib.auth.models import User


def staff_required(user, info):
    if not info.context.user.is_staff:
        return False
    return True


class MyType(AuthDjangoObjectType):  # AuthDjangoObjectType is the proposed class, not yet part of graphene-django
    class Meta:
        model = User
        fields = ("first_name", "last_name", "email")

    class Auth:
        fields = {
            "email": [staff_required],
        }

What do you think?

Also I’m going to reopen this issue because we should at least have an official answer to this question.
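The two proposals from the issue (a permissions list threaded through the queryset, with Option 1's owner filter as one entry) and the per-field Auth list from the comment above, worked as plain Python. This is an added example, not code from the issue or from graphene-django; make_user, make_info, make_row and the tiny QuerySet are constructed stand-ins for request.user, info and a Django queryset so it runs offline.

```python
from types import SimpleNamespace

# Constructed stand-ins (not Django): a user, a graphene-style info object, a row and a
# queryset with just filter(**kwargs) and none(), so the proposals run offline.
def make_user(name, authenticated=False, staff=False):
    # is_authenticated is an attribute here; on Django < 2.0 it was a method.
    return SimpleNamespace(name=name, is_authenticated=authenticated, is_staff=staff)

def make_info(user):
    return SimpleNamespace(context=SimpleNamespace(user=user))

def make_row(**fields):
    return SimpleNamespace(**fields)

class QuerySet:
    def __init__(self, rows):
        self.rows = list(rows)
    def filter(self, **kw):
        return QuerySet(r for r in self.rows if all(getattr(r, k) == v for k, v in kw.items()))
    def none(self):
        return QuerySet([])

# Option 2 permissions: each takes and returns a queryset, exactly as in the issue.
def auth_required(queryset, args, request, info):
    return queryset if request.user.is_authenticated else queryset.none()

def owner_only(queryset, args, request, info):
    return queryset.filter(owner=request.user)  # Option 1's get_queryset body as a permission

def apply_permissions(queryset, permissions, args, request, info):
    """Run Meta.permissions in order; each entry sees the queryset already narrowed
    by the previous one, so checks compose and an unauthenticated caller gets none()."""
    for perm in permissions:
        queryset = perm(queryset, args, request, info)
    return queryset

# Per-field Auth.fields: check lists enforced by an overridden default resolver.
def staff_required(user, info):
    return info.context.user.is_staff

def make_field_resolver(auth_fields):
    """Every check listed for a field must pass; otherwise the field resolves to
    None rather than the stored value, so a denied field cannot leak data."""
    def resolve(root, info, field_name):
        for check in auth_fields.get(field_name, []):
            if not check(info.context.user, info):
                return None
        return getattr(root, field_name)
    return resolve
```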

8 reactions
crucialfelix commented, Aug 4, 2017

Here’s a decorator for adding auth to a mutation: https://gist.github.com/crucialfelix/cb106a008a7a62bdab4a68e1b4ab7a3c

It is even easier than your example:

    @classmethod
    @is_staff  # decorator defined in the gist linked above
    def mutate_and_get_payload(cls, input, context, info):
        # etc.
        ...

You can do something similar with queries and individual def resolve_things with as complex auth as you need to do (row permissions, group membership) etc.

Read more comments on GitHub >
