django-graphql-auth icon indicating copy to clipboard operation
django-graphql-auth copied to clipboard

Published 20 hours ago verified publisher icon PedroBern

How to give query permission

Open MedNabilEssefaihi opened this issue 3 years ago • 1 comments

Hi community,

I want to know how can add permission to the QUERY class, to give the possibility the user to get only his data and no more ?

import graphene
from graphql_auth import mutations
from graphql_auth.schema import UserQuery, MeQuery

class Query(UserQuery, MeQuery, graphene.ObjectType):
    pass

I want to block this query per example to normal users

query {
  users {
    edges {
      node {
        username,
        archived,
        verified,
        email,
        secondaryEmail,
      }
    }
  }
}

⚠️ they don't have to see other users data

MedNabilEssefaihi avatar Nov 04 '21 01:11 MedNabilEssefaihi

Use MeQuery - I have removed UserQuery, quite dangerous to leave it in there. If you want to add a user specific mutation/query you can use the verification_required. No docs on it but it extends this https://django-graphql-jwt.domake.io/decorators.html#login-required

portedison avatar Dec 13 '21 01:12 portedison