First of all let me say I simply love the project. This kind of architecture speaks more to me than those old REST applications, and the implementation (ab)using types is just how I like it.

I'm having issues defining a query in Django where the result of the query will depend on the permission level of the user. For instance, an anonymous user isn't allowed to view anything, while a regular user is allowed to view their own items and a superuser is allowed to view anything.

Is such a thing possible with this library? I searched but didn't find anything in the docs.
Replies: 1 comment 2 replies
Hi @samvv! Thanks for the love! 😊

Maybe @bellini666 has a better answer, but I usually tend to get the user in the resolver and do filtering based on that (and combined with permission to force auth), something like this:

```python
import strawberry
from strawberry.permission import BasePermission

# Item (the Strawberry type) and YourModel (the Django model) are
# placeholders for types defined elsewhere in the project.


class IsAuthenticated(BasePermission):
    message = "User is not authenticated"

    def has_permission(self, source, info, **kwargs):
        return info.context.request.user.is_authenticated


@strawberry.type
class Query:
    @strawberry.field(permission_classes=[IsAuthenticated])
    def items(self, info: strawberry.Info) -> list[Item]:
        user = info.context.request.user
        if user.is_superuser:
            # Superuser can see everything
            queryset = YourModel.objects.all()
        else:
            # Regular users can only see their own items
            queryset = YourModel.objects.filter(owner=user)
        return queryset  # assuming using Strawberry Django
```