Is there a Django GraphQL ACL? Like you can't access the Query/Mutation if the user has no permission.
For example, the logged-in user has only permission on the products Query/Mutation but no permission on the human resources Query/Mutation. How can I return an error message like "Permission Denied!"?
If you use graphene-django-cud (for mutations) there is a check_permissions
hook that you can hook into to raise an error if you don't want a specific user doing something.
```python
from django.contrib.auth import get_user_model
from graphene_django_cud.mutations import DjangoUpdateMutation
from graphql import GraphQLError

User = get_user_model()


class UpdateUserMutation(DjangoUpdateMutation):
    class Meta:
        model = User
        login_required = True

    @classmethod
    def check_permissions(cls, root, info, input, id, obj):
        # can_update is your own policy helper (not defined on this page)
        if not can_update(obj, info.context.user):
            raise GraphQLError("You do not have permission to access this mutation.")
```
Something to note: the arguments for check_permissions are wrong in their docs (linked above). I've written the correct arguments in the snippet. Their GitHub has it correct.
Similar to this, when you are querying, inside your usual resolver just do this:
```python
import graphene
from graphql import GraphQLError


class Query(graphene.ObjectType):
    # graphene calls resolvers as (root, info, **args): there is no cls/self argument
    def resolve_users(root, info, id=None):
        user_obj = User.objects.get(id=id)
        if not can_view(user_obj, info.context.user):  # can_view: your own policy helper
            raise GraphQLError("You shall not pass")
        return user_obj
```
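The resolver check above is written per field. For the question's scenario (a user who may read products but not human-resources data), the same check is easier to keep consistent as a reusable decorator that denies by default and delegates to Django's `user.has_perm`. The following is an added example, not code from the answer or from graphene-django-cud; it keeps graphene's resolver calling convention `resolve_x(root, info, **args)` and reads the user from `info.context.user` as the answer does. The `Query` class, the permission strings, and the `FakeUser`/`FakeInfo` objects are constructed stand-ins for `graphene.ObjectType` and the Django request so that it runs without a database; `run_query` mimics graphene dispatching a top-level field to its resolver.

```python
from functools import wraps

try:
    from graphql import GraphQLError  # shipped with graphene (graphql-core)
except ImportError:  # fallback so the example also runs without graphql-core installed
    class GraphQLError(Exception):
        pass


def permission_required(perm):
    """Decorator for graphene resolvers: deny unless info.context.user has `perm`.

    graphene invokes resolvers as resolve_x(root, info, **args), so the wrapper
    keeps that calling convention. The user is taken from info.context, which is
    the Django request under graphene-django.
    """
    def decorator(resolver):
        @wraps(resolver)
        def wrapper(root, info, *args, **kwargs):
            user = getattr(info.context, "user", None)
            # Deny by default: a missing or anonymous user never passes.
            if user is None or not user.is_authenticated or not user.has_perm(perm):
                raise GraphQLError("Permission Denied!")
            return resolver(root, info, *args, **kwargs)
        return wrapper
    return decorator


class Query:  # stands in for graphene.ObjectType; resolvers keep graphene's signature
    @permission_required("products.view_product")
    def resolve_products(root, info):
        return ["widget", "gadget"]

    @permission_required("hr.view_employee")
    def resolve_employees(root, info):
        return ["alice", "bob"]


# --- constructed stand-ins for Django's request and user, so this runs offline ---
class FakeUser:
    def __init__(self, perms, authenticated=True):
        self._perms = set(perms)
        self.is_authenticated = authenticated

    def has_perm(self, perm):  # same contract as django.contrib.auth's User.has_perm
        return self.is_authenticated and perm in self._perms


class FakeContext:  # graphene-django's info.context is the Django HttpRequest
    def __init__(self, user):
        self.user = user


class FakeInfo:
    def __init__(self, user):
        self.context = FakeContext(user)


def run_query(field, user):
    """Mimic graphene dispatching a top-level field to Query.resolve_<field>.

    Returns (data, error_message) the way a GraphQL response separates data from
    errors; a permission failure yields data=None plus the error message.
    """
    resolver = getattr(Query, f"resolve_{field}")
    try:
        return resolver(None, FakeInfo(user)), None
    except GraphQLError as exc:
        return None, str(exc)


if __name__ == "__main__":
    shop_user = FakeUser({"products.view_product"})
    print(run_query("products", shop_user))   # (['widget', 'gadget'], None)
    print(run_query("employees", shop_user))  # (None, 'Permission Denied!')
    print(run_query("products", FakeUser(set(), authenticated=False)))  # denied
```

With real graphene, the decorator is applied unchanged to `resolve_*` methods of a `graphene.ObjectType`, and the raised `GraphQLError` surfaces in the response's `errors` list with the message `"Permission Denied!"` while that field's data is `null`. Putting the authenticated-check inside the decorator means a field cannot be exposed to anonymous users by forgetting `login_required`.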