Permissions
This integration exposes a field extension to extend fields into using the Djangoβs Permissioning System for checking for permissions.
It supports protecting any field for cases like:
- The user is authenticated
- The user is a superuser
- The user or a group they belongs to has a given permission
- The user or the group they belongs has a given permission to the resolved value
- The user or the group they belongs has a given permission to the parent of the field
- etc
How it works
Loading graph...
graph TD A[Extension Check for Permissions] --> B; B[User Passes Checks] -->|Yes| BF[Return Resolved Value]; B -->|No| C; C[Can return 'OperationInfo'?] -->|Yes| CF[Return 'OperationInfo']; C -->|No| D; D[Field is Optional] -->|Yes| DF[Return 'None']; D -->|No| E; E[Field is a 'List'] -->|Yes| EF[Return an empty 'List']; E -->|No| F; F[Field is a relay 'Connection'] -->|Yes| FF[Return an empty relay 'Connection']; F -->|No| GF[Raises 'PermissionDenied' error];
Example
Available Options
Available options are:
-
IsAuthenticated
: Checks if the user is authenticated (i.e.user.is_autenticated
) -
IsStaff
: Checks if the user is a staff member (i.e.user.is_staff
) -
IsSuperuser
: Checks if the user is a superuser (i.e.user.is_superuser
) -
HasPerm(perms: str | list[str], any_perm: bool = True)
: Checks if the user has any or all of the given permissions (i.e.user.has_perm(perm)
) -
HasSourcePerm(perms: str | list[str], any: bool = True)
: Checks if the user has any or all of the given permissions for the root of that field (i.e.user.has_perm(perm, root)
) -
HasRetvalPerm(perms: str | list[str], any: bool = True)
: Resolves the retval and then checks if the user has any or all of the given permissions for that specific value (i.e.user.has_perm(perm, retval)
). If the return value is a list, this extension will filter the return value, removing objects that fails the check (check below for more information regarding other possibilities).
Note
The HasSourcePerm
and HasRetvalPerm
require having an
authentication backend
which supports resolving object permissions. This lib works out of the box with
django-guardian , so if you are
using it you donβt need to do anything else.
No Permission Handling
When the condition fails, the following will be returned on the field (following this priority):
-
OperationInfo
/OperationMessage
if those types are allowed at the return type -
null
in case the field is not mandatory (e.g.String
or[String]
) - An empty list in case the field is a list (e.g.
[String]!
) - An empty
Connection
in case the return type is a relay connection - Otherwise, an error will be raised
Custom Permissions Checking
You can create your own permission checking extension by subclassing
DjangoPermissionExtension
and implementing your own resolve_for_user
method.