Protecting Mutation or Queries #3
Comments
|
Thanks for the feedback! Of course, you can protect your queries and mutations verifying the from django.contrib.auth import get_user_model
import graphene
class Query(graphene.ObjectType):
me = graphene.Field(UserType)
users = graphene.List(UserType)
def resolve_me(self, info, **kwargs):
user = info.context.user
if user.is_anonymous:
raise Exception('Authentication credentials were not provided')
return user
def resolve_users(self, info, **kwargs):
user = info.context.user
if not user.is_active or not user.is_staff:
raise Exception('You do not have permission to perform this action')
return get_user_model().objects.all()As a shortcut, you can implement a from functools import wraps
def context(f):
def _context(func):
def wrapper(*args, **kwargs):
info = args[f.__code__.co_varnames.index('info')]
return func(info.context, *args, **kwargs)
return wrapper
return _context
def login_required(f):
@wraps(f)
@context(f)
def wrapper(context, *args, **kwargs):
if context.user.is_anonymous:
raise Exception('Authentication credentials were not provided')
return f(*args, **kwargs)
return wrapper
def staff_member_required(f):
@wraps(f)
@context(f)
def wrapper(context, *args, **kwargs):
user = context.user
if user.is_active and user.is_staff:
return f(*args, **kwargs)
raise Exception('You do not have permission to perform this action')
return wrapperUsing decorators... from django.contrib.auth import get_user_model
import graphene
class Query(graphene.ObjectType):
me = graphene.Field(UserType)
users = graphene.List(UserType)
@login_required
def resolve_me(self, info, **kwargs):
return info.context.user
@staff_member_required
def resolve_users(self, info, **kwargs):
return get_user_model().objects.all()The same for mutations. |
|
Hi @CBinyenya, |
|
@mongkok, maybe is a good idea include this decorators in the package |
|
Hi @felipemfp, |
|
This issue contains helpful documentation, can I suggest that you add it to the main readme? ✍️ 😬 |
|
Yes, you are quite right, I should include it in the README :) @tutturen @felipemfp, in case it can help you, I developed a package with these decorators. |
|
@mongkok Shouldn't these decorators be a part of this package? I guess most people who use this package will need them anyway. Also, in the README there is a reference to |
|
Thanks @elwoodxblues, In my opinion, auth decorators are for general use, it can also be used for any backend included in the On the other hand I have my doubts, to include the decorators in this library would be of great help for all of us. At the moment I reopen the issue. |
|
I've included the auth decorators, you can find a full list of them and examples on the documentation. Thanks for all your comments. |
|
Hi @mongkok, thanks a lot for making so many people's lives easier with your effort. I'd like to have creation/verification/refreshing of tokens unprotected and all others that can be reached through the global schema protected. Can I ask what is the proper way of protecting the whole schema with the JWT using the lib? What I mean is, something not repeated rather than defininq @login_required for each Query and Mutation separately. |
Hi can you help me how to put token in header ? |
This is a helpful project, I just have one question, is there a way to protect mutations and queries from unauthorized uses?
The text was updated successfully, but these errors were encountered: