DjangomodelFormMutation Authorization

[jgarzautexas]

I'm able to use DjangoModelFormMutation but am curious of how to limit mutation access along with query access similar to https://docs.graphene-python.org/projects/django/en/latest/authorization/

Currently I simply have a class inheriting from DjangoModelFormMutation. I want to be able to restrict access to the owners of the Model Objects, and possibly do other filter on based on user for querying.

This is currently how I am handling it and fine to keep doing this if this is the best practice.

   @classmethod
    def mutate_and_get_payload(cls, root, info, **input):
        user = info.context.user

        # TODO add a check to see if user has access
        if not user.is_authenticated:
            raise GraphQLError("Unauthorized")

        return super().mutate_and_get_payload(root, info, **input)

Thanks for the help.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[heckad]

@zbyte64 Any news?

[sjdemartini]

Yes, the approach recommended above, of overriding mutate_and_get_payload to add any additional authorization logic, seems like the right technique to me when using a DjangoModelFormMutation or any other subclass of the relay ClientIDMutation (https://docs.graphene-python.org/en/latest/relay/mutations/#mutations). Whereas with an ordinary non-relay graphene.Mutation (not a subclass of ClientIDMutation), I would recommend adding that authorization logic to the mutate method directly.

See this old comment graphql-python/graphene#659 (comment) from the graphene project about ClientIDMutation (of which DjangoModelFormMutation is a subclass) and why mutate_and_get_payload is the place for custom logic, as opposed to mutate.