Permissions with graphene-django-extras

Open karlosss opened this issue 5 years ago • 5 comments

Hi everyone,

I would like to implement an easy permissions system. With original graphene-django, it was quite straightforward. It was sufficient to make a similar method for each field on an object:

def resolve_field(self, info):
    # graphene passes the resolve info as the second argument
    if not has_permission():
        raise PermissionError("Access Denied!")
    return self.field

Here it is a bit more difficult, since DjangoObjectListField just bypasses these methods. The docs say that they are not needed, but even if they are present, they are just simply ignored.

Do you have any advice on how to implement permissions here? Either how to force DjangoObjectListField not to ignore the resolve_field method, or suggest a completely different approach.

Thanks!

karlosss • Aug 08 '19 14:08

Pinging as I'm interested in this as well, since I want to restrict the queries our users can make

Rydra • Nov 18 '19 13:11

Hi, I tried to make django model mutations for django-graphene more accessible and customizable, in a similar way to django rest framework. I published it here: https://github.com/topletal/django-model-mutations, any feedback is welcome. Also, please keep in mind it's just an initial release, and although there are decent tests, there might be some edge cases not tested yet - graphene actually does a lot of magic behind the curtains.

topletal • Nov 18 '19 15:11

I have a similar problem right now, but with querysets. The way graphene-django-extras handles a lot of internal logic looks odd to me. Is there any official guide for that, in addition to the small README?

shockflash • Nov 23 '19 22:11

I wanted to check permissions using get_queryset. It works fine with regular graphene using DjangoListField, but not with graphene-django-extras. Even though the class is named DjangoFilterPaginateListField, it doesn't inherit from DjangoListField, and so it doesn't call get_queryset. I've searched for other functions I could hook into to check permissions, but it looks like there aren't any.

sbernier1 • Mar 15 '20 00:03

@sbernier1 you want to overload list_resolver

jstacoder • Jun 26 '20 05:06
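
The override suggested in the last comment, sketched as an added example that is not part of the thread and is not graphene-django-extras code. `ListFieldStandIn`, the parameter list of its `list_resolver`, `make_info`, the `app.view_item` permission name and the `owner` row key are assumptions made so the pattern runs without Django installed; in a real schema the subclass would extend the library's list field instead.

```python
from types import SimpleNamespace


class ListFieldStandIn:
    """Stand-in for a graphene-django-extras list field (assumption, not library code).
    As described in the thread, it never calls resolve_<field> or get_queryset."""

    def __init__(self, rows):
        self.rows = rows

    def list_resolver(self, root, info, **kwargs):  # parameter list is assumed
        return list(self.rows)


class PermissionCheckedListField(ListFieldStandIn):
    """Overrides list_resolver so the check runs before any row is read."""

    def __init__(self, rows, required_perm):
        super().__init__(rows)
        self.required_perm = required_perm

    def list_resolver(self, root, info, **kwargs):
        user = getattr(info.context, "user", None)
        # Deny by default: no user, anonymous user, or missing permission.
        if user is None or not user.is_authenticated:
            raise PermissionError("Access Denied!")
        if not user.has_perm(self.required_perm):
            raise PermissionError("Access Denied!")
        rows = super().list_resolver(root, info, **kwargs)
        # Row-level restriction: non-staff users only see rows they own.
        if not user.is_staff:
            rows = [r for r in rows if r["owner"] == user.username]
        return rows


def make_info(username=None, perms=(), staff=False):
    """Constructed request context shaped like Django's info.context.user."""
    user = SimpleNamespace(
        username=username,
        is_authenticated=username is not None,
        is_staff=staff,
        has_perm=lambda perm: perm in perms,
    )
    return SimpleNamespace(context=SimpleNamespace(user=user))


# Constructed sample data.
ROWS = [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"}]
FIELD = PermissionCheckedListField(ROWS, "app.view_item")
```

Because the check sits in the list resolver rather than in per-field resolvers, it still runs when the field builds its result without calling `resolve_<field>` or `get_queryset`.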