Permission control per node without relay

[nettiteeri]

We were trying to implement permission control to our software. This would require that we not only implement checks on the end point but we also want to check permissions on each level the request has.

For example, if we have a get user end point, we check that we have permission to read the user. This is works fine. But what if user has relations to a location and x number of purchases and those are requested through the user?

There is a get_queryset method we can implement with DjangoListField that I can use to check if we have permission to access the user's purchases. This works great.

My problem Then there is a get_node method for checking if we have permission to access user's location but it is not called unless we use the relay spec. I can't use relay spec in my project because it changes the queries somewhat (ads the edges/nodes structure)

Is it possible to use a field type or some interface to implement the get_node function without the relay spec? Exactly like we get the get_queryset method with DjangoListField.

[nettiteeri]

BTW, I ended up circumventing the problem with the default_resolver. It's not ideal, it triggers the permission check once for every field where once for every model would suffice.

https://github.com/graphql-python/graphene-django/issues/79#issuecomment-599307608

[LinnaViljami]

Any updates or solutions to this issue?