Permissions per object like in DRF and django-guardian

[sgaseretto]

Like, for example, you implement a project management software where each user can participate in different projects and have a different role in each project, like SCRUM Master, Product Owner, and Developer. One user can be in different projects and have a different role for each project that will allow him to do different kinds of queries and mutations in each project. Is it possible to achieve something like this with graphene-permissions and how?

[redzej]

Hi, sorry for the late reply.
I'm not sure how your current project or implementation looks like, but yes, it should work quite nice.
I added examples in README - you can use those, or look into tests directory.

Generalizing, if you have model Project and user groups per project - you could do something like that

• create users, i.e john, mark, adam.
• create project foo
• assign users to appropriate project
• create permission classes
• create queries/mutations

# example code - You may need more options or fields to get it to work, refer to readme

from django.db import models
from django.contrib.auth.models import User

class Project(models.Model):
    name = models.CharField(max_length=128)
    owner = models.ForeignKey(User, on_delete=models.PROTECT)
    scrum_master = models.ForeignKey(User, on_delete=models.PROTECT)
    developer = models.ForeignKey(User, on_delete=models.PROTECT) # or M2M Field
    # other fields ...

class AllowProjectOwner:
    @staticmethod
    def has_node_permission(info, id):
        # check if user belongs to specific group or has required role
	return info.context.user == Project.objects.get(pk=id).owner

class AllowProjectScrumMaster:
    @staticmethod
    def has_node_permission(info, id):
        return info.context.user == Project.objects.get(pk=id).scrum_master


class ProjectInfoNode(AuthNode, DjangoObjectType):
    permission_classes = (AllowProjectOwner,)

    class Meta:
        model = Project
        filter_fields = ('name',)
        interfaces = (relay.Node,)


class ProjectScrumNode(AuthNode, DjangoObjectType):
    permission_classes = (AllowProjectScrumMaster,)

    class Meta:
        model = Project
        filter_fields = ('name',)
	# for example: exclude fields or allow different filters, etc here.
        interfaces = (relay.Node,)


class ProjectQuery:
    project_info = relay.Node.Field(ProjectInfoNode)
    project_scrum_info = relay.Node.Field(ProjectScrumNode)


class Query(ProjectQuery, ObjectType):
    pass

# main schema
schema = Schema(query=Query)

I didn't test it thoroughly with django-guardian, but creating groups and checking if user is in specific group should be easy enough. If further integration with guardian would be usefull for more developers, i'll think about adding that, just give some feedback.

[adamziel]

@redzej the problem is here:

class AllowProjectOwner:
    @staticmethod
    def has_node_permission(info, id):
        # check if user belongs to specific group or has required role
	return info.context.user == Project.objects.get(pk=id).owner

That's one query, and after this method returns True there's going to be another DB trip to retrieve the same object.

[redzej]

@adamziel yes, i'm aware of that, this was just a temporary solution. Recently i got some spare time, so i`m going to submit 2 PR's regarding that.

[jrd]

Django will cache the Project.objects.get(pk=id) result and there should be no more hit (if you only request that object, i.e. no join).

One improvement could be to specifically only get the owner from the database:

return info.context.user == Project.objects.only('owner').get(pk=id).owner