
Django GraphQL ACL?


Is there a Django GraphQL ACL? Like you can't access the Query/Mutation if the user has no permission.

For example, the logged-in user has only permission on the products Query/Mutation but no permission on the human resources Query/Mutation. How can I return an error message like "Permission Denied!"?


Solution

  • If you use graphene-django-cud (for mutations) there is a check_permissions hook that you can hook into to raise an error if you don't want a specific user doing something.

    from django.contrib.auth import get_user_model
    from graphene_django_cud.mutations import DjangoUpdateMutation
    from graphql import GraphQLError

    User = get_user_model()


    class UpdateUserMutation(DjangoUpdateMutation):
        class Meta:
            model = User
            login_required = True  # require an authenticated user for this mutation

        @classmethod
        def check_permissions(cls, root, info, input, id, obj):
            # can_update is the answerer's own helper: it decides whether
            # info.context.user (the Django request user) may modify `obj`.
            if not can_update(obj, info.context.user):
                raise GraphQLError("You do not have permission to access this mutation.")
    

    Something to note: the arguments for check_permissions are wrong in their docs (linked above). I've written the correct arguments in the snippet. Their GitHub has it correct.

    Similar to this, when you are querying, inside your usual resolver just do this:

    from django.contrib.auth import get_user_model
    from graphql import GraphQLError

    User = get_user_model()


    # graphene calls a resolver as resolver(root, info, **args); there is no cls/self argument
    def resolve_users(root, info, id=None):
        user_obj = User.objects.get(id=id)

        # can_view is the answerer's own helper: it decides whether the
        # requesting user (info.context.user) may see user_obj.
        if not can_view(user_obj, info.context.user):
            raise GraphQLError("You shall not pass")

        return user_obj
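A framework-independent illustration of the pattern the answer describes (an added example, not code from the question, the answer, or graphene-django): a decorator that applies one permission check to any graphene-style resolver and raises `GraphQLError` with the question's "Permission Denied!" message, which graphene then surfaces in the response's `errors` list. The user, context and info objects are constructed stand-ins for Django's `request.user` and graphene's `ResolveInfo`; the permission strings follow Django's `app_label.codename` convention but are assumed, not taken from the page. The decorator denies by default, so an anonymous request and an under-privileged one get the same answer.

```python
from functools import wraps

try:
    from graphql import GraphQLError  # the error type graphene reports in "errors"
except ImportError:  # stand-in so the example also runs without graphql-core installed
    class GraphQLError(Exception):
        def __init__(self, message):
            super().__init__(message)
            self.message = message


def require_perm(perm):
    """Decorator for graphene-style resolvers: deny unless the request user holds `perm`."""
    def decorator(resolver):
        @wraps(resolver)
        def wrapper(root, info, **kwargs):
            user = getattr(info.context, "user", None)
            # Default deny: a missing, anonymous, or under-privileged user gets the same
            # error, so the response does not reveal why the field was refused.
            if user is None or not user.is_authenticated or not user.has_perm(perm):
                raise GraphQLError("Permission Denied!")
            return resolver(root, info, **kwargs)
        return wrapper
    return decorator


# --- constructed stand-ins for Django's request user and graphene's ResolveInfo ---
class StubUser:
    def __init__(self, username, perms=(), authenticated=True):
        self.username = username
        self.is_authenticated = authenticated
        self._perms = frozenset(perms)

    def has_perm(self, perm):
        # mirrors Django's "app_label.codename" permission strings (assumed names below)
        return perm in self._perms


class StubContext:
    def __init__(self, user):
        self.user = user  # graphene-django puts the Django request here; request.user lives on it


class StubInfo:
    def __init__(self, user):
        self.context = StubContext(user)


# Constructed sample rows standing in for two Django apps' querysets.
PRODUCTS = [{"id": 1, "name": "widget"}, {"id": 2, "name": "gadget"}]
EMPLOYEES = [{"id": 7, "name": "A. Example", "salary": 1}]


@require_perm("products.view_product")
def resolve_products(root, info, **kwargs):
    return PRODUCTS


@require_perm("hr.view_employee")
def resolve_employees(root, info, **kwargs):
    return EMPLOYEES


def execute(resolver, user, **kwargs):
    """Call a resolver the way graphene would and shape the result like a GraphQL response."""
    try:
        return {"data": resolver(None, StubInfo(user), **kwargs), "errors": None}
    except GraphQLError as exc:
        return {"data": None, "errors": [{"message": exc.message}]}


if __name__ == "__main__":
    shop_clerk = StubUser("clerk", perms={"products.view_product"})
    print(execute(resolve_products, shop_clerk))   # data returned
    print(execute(resolve_employees, shop_clerk))  # errors: Permission Denied!
```

With a real Django user the `has_perm` call also honours superuser status and group permissions, so the decorator needs no special cases for those; keeping the check in one place means every protected resolver fails the same way and the permission names can be reviewed in one grep.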