Permissions on types

[patrick91]

I was thinking about having the following two options:

1. Permissions on types
2. Default field permissions on types

Not sure if we need both, worth investigating for sure.

Permission on types

Something like this:

import strawberry

@strawberry.type(permission_classes=[AdminOnly, CurrentUser])
class User:
    id: strawberry.ID
    email: str

For this to work we need to hook into the resolvers and make sure we check the permissions of the returned object.

I see some complexity with interfaces and unions.

Also we might need to think about pre/post permissions (permission that run before the resolver and permissions that run after)

Default field permissions on types

This might be easier to implement, and it would look like this:

import strawberry

@strawberry.type(default_field_permission_classes=[AdminOnly, CurrentUser])
class User:
    id: strawberry.ID
    email: str
    name: str = strawberry.field(permission_classes=[])

(I don't like the long name)

This would basically change the permission classes for all the fields of this class, unless they already have a permission classes list set.

For something I'm working on this would be more useful than the first option.

I'm interested in people's opinion, I'd love to know what you think it's better to have :D

[XChikuX]

default_permissions should suffice

The rest is intuitive. Nothing other than the fields could have the permisson.

Add in the docs that you can only pass permission classes. Should be clear as day!

[patrick91]

For something I'm working on this would be more useful than the first option.

I wish I wrote why 🤣

These days I'm more for this:

import strawberry

@strawberry.type(permission_classes=[AdminOnly, CurrentUser])
class User:
    id: strawberry.ID
    email: str

I feel like a basic implementation of this would be to check when we create the custom resolver if the return type has permission classes, and update the resolver if that's the case

[XChikuX]

Anyone needing field level permission overrides can make their own using field extensions.

Eg. Hiding Auth fields even if you are Admin, Moderator, Premium, etc

You probably can't reduce the permission level though. Only increase it.

from pydantic import BaseModel
from typing import Optional
import strawberry
from strawberry.experimental.pydantic import type as pyd_type
from strawberry.extensions.field_extension import FieldExtension


class PermissionExtension(FieldExtension):
    def resolve(self, next_, source, info, **kwargs):
        # Check permission, return None if denied
        if not check_field_access(info.context.user, info.field_name, source.id):
            return None
        return next_(source, info, **kwargs)


class UserModel(BaseModel):
    id: int
    fname: str
    email: str
    phone: str


perm_ext = PermissionExtension()


@pyd_type(model=UserModel)
class UserGQL:
    # Public fields - just use auto
    id: strawberry.auto
    fname: strawberry.auto

    # Protected fields - attach extension
    email: Optional[str] = strawberry.field(extensions=[perm_ext])
    phone: Optional[str] = strawberry.field(extensions=[perm_ext])

Now supports pydantic.experimental :) #4171