taoufik07 / django-graphene-permissions Goto Github PK

Hello! What's the difference to this repo https://github.com/redzej/graphene-permissions ?

This project is properly blocking access. However when using libraries that check status codes, a 200 looks like a success, when it really isn't.

Can this package work without relay.Node interfaces?
Checking for permissions happens in get_node func, but if used without relay, this func never gets called.

suppose i want only admin and retailer can access the api but, not any other user like Customer, doctor, etc

then how can i use these two permission at same time for single API?

i have tried this but failed
Ex:

@permissions_checker([IsAdmin, IsRetailer])

Is there any way to use more than one permission at a time, please reply.....

I couldn't figure it out how to use it to implement permissions per object. Can you provide some examples of queries and mutations based on permissions per object?
Like a simple project manager where where a manager can add user stories to a project and to sprints and the rest of the members only can see the user stories from the current sprint, and a user can be the manager of one project, and a member in another one

Hi,

I have a question for adding permission for SerializerMutation, because some of my mutations are created from it.

# schema.py
from graphene_django.rest_framework.mutation import SerializerMutation

class CreateUpdateContract(SerializerMutation):
    class Meta:
        serializer_class = ContractsListSerializer

class Mutation(graphene.ObjectType):
    create_contract = CreateUpdateContract.Field()
    update_contract = CreateUpdateContract.Field()

Is there a way to add permission for this class? I tried to wrap @permissions_checker for the SerializerMutation in this way:

class SerializerMutationWithPermission(SerializerMutation):
    class Meta:
        abstract = True
    
    @classmethod
    @permissions_checker([IsAuthenticated, MyPermission])
    def mutate_and_get_payload(cls, root, info, **input):
        kwargs = cls.get_serializer_kwargs(root, info, **input)
        serializer = cls._meta.serializer_class(**kwargs)

        if serializer.is_valid():
            return cls.perform_mutate(serializer, info)
        else:
            errors = ErrorType.from_errors(serializer.errors)

            return cls(errors=errors)

class MyPermission(BasePermission):
    @staticmethod
    def has_permission(context):
        return context.user.groups.filter(name = 'staff').exists() or context.user.is_superuser

But I encountered an error saying 'NoneType' object has no attribute 'context' when I performed this mutation. Could you please advise? Thank you!

I am not sure if this is by design, but I was surprised when I realized has_object_permission does not fire for a list of objects within another node. In order to overcome, I ended up introducing an authorization middleware such as:

from django_graphene_permissions import PermissionDenied, check_object_permissions


class AuthorizationMiddleware(object):
    """
    Make sure to filter out objects where the info.context (e.g. the authenticated user)
    does not have the authorization to query.
    """

    def resolve(self, next, root, info, **args):
        result = next(root, info, **args)

        try:
            if check_object_permissions(
                info.return_type.graphene_type.permission_classes(),
                info.context,
                result.value,
            ):
                return result
            else:
                raise PermissionDenied()
        except AttributeError:
            return result

This is heavily inspired by graphql-python/graphene#385 (comment) .