Protecting Mutation or Queries #3
Thanks for the feedback! Of course, you can protect your queries and mutations by verifying `info.context.user`:

```python
from django.contrib.auth import get_user_model
from graphene_django import DjangoObjectType
import graphene


class UserType(DjangoObjectType):
    # Assumed: the user type of your own schema (the original comment left it out).
    class Meta:
        model = get_user_model()


class Query(graphene.ObjectType):
    me = graphene.Field(UserType)
    users = graphene.List(UserType)

    def resolve_me(self, info, **kwargs):
        # Deny anonymous requests; the user comes from the JWT middleware
        user = info.context.user
        if user.is_anonymous:
            raise Exception('Authentication credentials were not provided')
        return user

    def resolve_users(self, info, **kwargs):
        # Only active staff may list every user
        user = info.context.user
        if not user.is_active or not user.is_staff:
            raise Exception('You do not have permission to perform this action')
        return get_user_model().objects.all()
```

As a shortcut, you can implement a decorator:

```python
from functools import wraps


def context(f):
    """Find the `info` argument of the wrapped resolver by name and pass
    `info.context` as the first argument to the decorated function."""
    def _context(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            info = args[f.__code__.co_varnames.index('info')]
            return func(info.context, *args, **kwargs)
        return wrapper
    return _context


def login_required(f):
    @wraps(f)
    @context(f)
    def wrapper(context, *args, **kwargs):
        if context.user.is_anonymous:
            raise Exception('Authentication credentials were not provided')
        return f(*args, **kwargs)
    return wrapper


def staff_member_required(f):
    @wraps(f)
    @context(f)
    def wrapper(context, *args, **kwargs):
        user = context.user
        if user.is_active and user.is_staff:
            return f(*args, **kwargs)
        raise Exception('You do not have permission to perform this action')
    return wrapper
```

Using decorators...

```python
from django.contrib.auth import get_user_model
import graphene

# UserType and the decorators are the ones defined above


class Query(graphene.ObjectType):
    me = graphene.Field(UserType)
    users = graphene.List(UserType)

    @login_required
    def resolve_me(self, info, **kwargs):
        return info.context.user

    @staff_member_required
    def resolve_users(self, info, **kwargs):
        return get_user_model().objects.all()
```

The same for mutations.
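To show that the decorator pattern from the comment above works for a mutation's `mutate` method as well as for a query resolver, here is an added example (not part of the original thread or of the library) that reproduces the two decorators and exercises them with constructed stand-ins for Django users and the graphene `info` object. The `Query`, `DeleteUser`, `make_info` and `outcome` names are assumptions for the demonstration.

```python
from functools import wraps
from types import SimpleNamespace


# The two decorators from the comment above, reproduced so this runs stand-alone
def context(f):
    def _context(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            # Locate `info` by its position in the wrapped function's signature,
            # so the guard works for resolve_x(self, info) and mutate(cls, root, info)
            info = args[f.__code__.co_varnames.index('info')]
            return func(info.context, *args, **kwargs)
        return wrapper
    return _context


def login_required(f):
    @wraps(f)
    @context(f)
    def wrapper(context, *args, **kwargs):
        if context.user.is_anonymous:
            raise Exception('Authentication credentials were not provided')
        return f(*args, **kwargs)
    return wrapper


def staff_member_required(f):
    @wraps(f)
    @context(f)
    def wrapper(context, *args, **kwargs):
        user = context.user
        if user.is_active and user.is_staff:
            return f(*args, **kwargs)
        raise Exception('You do not have permission to perform this action')
    return wrapper


# Constructed stand-ins: Django users and the graphene `info` object
ANONYMOUS = SimpleNamespace(is_anonymous=True, is_active=False, is_staff=False, username='')
MEMBER = SimpleNamespace(is_anonymous=False, is_active=True, is_staff=False, username='alice')
STAFF = SimpleNamespace(is_anonymous=False, is_active=True, is_staff=True, username='admin')


def make_info(user):
    return SimpleNamespace(context=SimpleNamespace(user=user))


class Query:
    @login_required
    def resolve_me(self, info, **kwargs):
        return info.context.user.username


class DeleteUser:
    """Mutation-style class: here `info` is the third positional argument."""

    @classmethod
    @staff_member_required
    def mutate(cls, root, info, username):
        return f'deleted {username}'


def outcome(fn, *args, **kwargs):
    """Return the resolver's value, or the guard's error message if it denied access."""
    try:
        return fn(*args, **kwargs)
    except Exception as exc:
        return str(exc)


if __name__ == '__main__':
    print(outcome(Query().resolve_me, make_info(ANONYMOUS)))
    print(outcome(Query().resolve_me, make_info(MEMBER)))
    print(outcome(DeleteUser.mutate, None, make_info(MEMBER), username='bob'))
    print(outcome(DeleteUser.mutate, None, make_info(STAFF), username='bob'))
```

The lookup by argument name is what lets one decorator serve both shapes; a resolver whose `info` parameter is named differently would raise a `ValueError` from `index`, which is a good reason to keep the conventional name.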
Hi @CBinyenya,
@mongkok, maybe it is a good idea to include these decorators in the package.
Hi @felipemfp,
This issue contains helpful documentation; can I suggest that you add it to the main README? ✍️ 😬
Yes, you are quite right, I should include it in the README :)

@tutturen @felipemfp, in case it can help you, I developed a package with these decorators.
@mongkok Shouldn't these decorators be a part of this package? I guess most people who use this package will need them anyway. Also, in the README there is a reference to
Thanks @elwoodxblues. In my opinion, auth decorators are for general use; they can also be used for any backend included in the
On the other hand I have my doubts; including the decorators in this library would be of great help for all of us. For now I am reopening the issue.
I've included the auth decorators; you can find a full list of them and examples in the documentation. Thanks for all your comments.
Hi @mongkok, thanks a lot for making so many people's lives easier with your effort. I'd like to have creation/verification/refreshing of tokens unprotected and all others that can be reached through the global schema protected. Can I ask what is the proper way of protecting the whole schema with the JWT using the lib? What I mean is something not repeated, rather than defining @login_required for each Query and Mutation separately.
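One way to protect every root field at once while leaving the token mutations open is a graphene middleware rather than a per-resolver decorator. The following is an added example, not code from the thread or from django-graphql-jwt: it uses graphene's real middleware hook `resolve(self, next, root, info, **kwargs)` and the camelCased `tokenAuth`, `verifyToken` and `refreshToken` names the library documents, but the class, the allowlist contents, the assumption that the root types are named `Query` and `Mutation`, and the `fake_info`/`run` stand-ins (constructed so it runs without Django) are this example's own.

```python
from types import SimpleNamespace

# Root fields reachable without a token. Assumed allowlist: the three
# camelCased mutations django-graphql-jwt exposes for obtaining, verifying and
# refreshing a token. Everything else at the root requires an authenticated user.
PUBLIC_ROOT_FIELDS = frozenset({'tokenAuth', 'verifyToken', 'refreshToken'})


class LoginRequiredMiddleware:
    """Graphene middleware that denies anonymous access to every root Query or
    Mutation field unless the field is allowlisted. Nested fields are not
    re-checked: execution only reaches them through an authorised root field.

    Assumed registration in settings.py, after the JWT middleware that populates
    info.context.user:
        GRAPHENE = {'MIDDLEWARE': [
            'graphql_jwt.middleware.JSONWebTokenMiddleware',
            'yourapp.middleware.LoginRequiredMiddleware',   # hypothetical path
        ]}
    """

    ROOT_TYPES = ('Query', 'Mutation')   # assumed names of the schema's root types

    def __init__(self, public_fields=PUBLIC_ROOT_FIELDS):
        self.public_fields = frozenset(public_fields)

    def resolve(self, next, root, info, **kwargs):
        is_root_field = info.parent_type.name in self.ROOT_TYPES
        if is_root_field and info.field_name not in self.public_fields:
            user = getattr(info.context, 'user', None)
            # Fail closed: no user object at all is treated like anonymous
            if user is None or user.is_anonymous:
                raise Exception('Authentication credentials were not provided')
        return next(root, info, **kwargs)


# --- constructed stand-ins so the middleware can be exercised without Django ---
ANON = SimpleNamespace(is_anonymous=True)
ALICE = SimpleNamespace(is_anonymous=False)


def fake_info(parent_type, field_name, user):
    return SimpleNamespace(parent_type=SimpleNamespace(name=parent_type),
                           field_name=field_name,
                           context=SimpleNamespace(user=user))


def run(middleware, parent_type, field_name, user):
    """Drive one field through the middleware; return the resolver's value or the error text."""
    def next_resolver(root, info, **kwargs):
        return f'resolved {info.field_name}'
    try:
        return middleware.resolve(next_resolver, None, fake_info(parent_type, field_name, user))
    except Exception as exc:
        return str(exc)


if __name__ == '__main__':
    mw = LoginRequiredMiddleware()
    print(run(mw, 'Mutation', 'tokenAuth', ANON))   # open: token can be obtained anonymously
    print(run(mw, 'Query', 'users', ANON))           # denied
    print(run(mw, 'Query', 'users', ALICE))          # allowed
```

Ordering matters: `graphql_jwt.middleware.JSONWebTokenMiddleware` must run first so that `info.context.user` already reflects the token when this check executes; listed the other way round, every authenticated request would be rejected as anonymous.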
Hi, can you help me with how to put the token in the header?
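As an added example (not from the thread or the library) of what a client sends, the block below builds the two requests involved: the `tokenAuth` mutation that returns a token, and a protected query carrying that token in the `Authorization` header with the `JWT` prefix django-graphql-jwt expects by default. The endpoint URL is a placeholder, and `build_graphql_request` and `extract_token` are this example's own helper names; only the Python standard library is used.

```python
import json
from urllib.request import Request

GRAPHQL_URL = 'https://example.invalid/graphql/'   # placeholder endpoint

# Mutation documented by django-graphql-jwt for obtaining a token
TOKEN_AUTH = '''mutation ($username: String!, $password: String!) {
  tokenAuth(username: $username, password: $password) { token }
}'''

ME_QUERY = '{ me { username } }'   # a protected query such as the resolve_me above


def build_graphql_request(query, variables=None, token=None, prefix='JWT'):
    """Build a JSON POST for the GraphQL endpoint.

    When a token is given it is sent as 'Authorization: JWT <token>'; the prefix
    is the library's default and is configurable on the server side.
    """
    headers = {'Content-Type': 'application/json'}
    if token:
        headers['Authorization'] = f'{prefix} {token}'
    body = json.dumps({'query': query, 'variables': variables or {}}).encode()
    return Request(GRAPHQL_URL, data=body, headers=headers, method='POST')


def extract_token(response_json):
    """Pull the token out of a tokenAuth response, failing loudly on GraphQL errors."""
    if response_json.get('errors'):
        raise RuntimeError(response_json['errors'][0].get('message', 'tokenAuth failed'))
    return response_json['data']['tokenAuth']['token']


if __name__ == '__main__':
    # Step 1: obtain a token (no Authorization header yet)
    login = build_graphql_request(TOKEN_AUTH, {'username': 'alice', 'password': 'secret'})
    # Constructed response, standing in for urlopen(login) against a real server
    fake_response = {'data': {'tokenAuth': {'token': 'header.payload.signature'}}}
    token = extract_token(fake_response)

    # Step 2: call a protected field with the token in the header
    me = build_graphql_request(ME_QUERY, token=token)
    print(me.get_header('Authorization'))   # JWT header.payload.signature
```

If the server has been configured with a different `JWT_AUTH_HEADER_PREFIX` in its `GRAPHQL_JWT` settings, pass that value as `prefix`; a mismatch makes the server treat the request as anonymous rather than reject it outright, which shows up as the "Authentication credentials were not provided" error rather than a 401.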
This is a helpful project, I just have one question: is there a way to protect mutations and queries from unauthorized use?