I found a way to set permissions on starwberry type fields like this:
#strawberry.type
class SomeModel:
id: strawberry.ID
login: Optional[str] = strawberry.field(permission_classes=[Permission])
But when I try to put the same logic on input fields, to make them immutable for certain users like this:
#strawberry.input
class SomeModel:
login: str = strawberry.field(permission_classes=[Permission])
It doesn't work, is there a way to make what I want with standard strawberry functionality or may be some other tool?
I read the official strawberry documentation on permissions, but didn't find any info on setting permissions on separate input fields. I also searched docs of a couple packages that extends functionality of strawberry, but didn't find any useful info
Strawberry doesn't support permissions in input fields, I don't think we considered that use case!
Will you be willing to open an issue describing what you need? Hopefully it's not too difficult to implement 😊
Related
Please suggest me the best way. I am developing a Django application, you will have 3 types of User: Administrator, Reseller and User. They must have hierarchy. The administrator can see everything. The dealer can see everything that its users did. The User only sees what he did.
How can I make these permissions with hierarchy?
You can handle it with 2 differents ways:
First solution (seems to be better in your case): using Django permissions
Here you're gonna create groups, permissions and users. A good practice is to link permissions to groups, and then to link your users to groups. This way, it's easy to change something in the future.
Second solution: create 3 different profiles that inherits from the User base class. It will be more complicated to handle thought.
I'm working on something similar. Per-line authorizations are a bit of a pain in Django. There are two projects out there that can achieve all you are asking for: django-permission and django-guardian. I needed more finely grained permissions and had to roll my own.
I'm learning Django framework and I'm trying to implement some social features / permissions for objects. What is the best solutions for such thing eg.:
We have some model (eg.: photo):
name_field
picture_field
owner_field
allowed_group_users_field
allowed_group_users_field <----- field where we will put gorup / users whose are able to see photo.
Now view which will handle showing pictures should use: "#user_passes_test" decorator which will check if requesting user is included in allowed_group_users_field.
And my question is:
Is it correct way to solve such thing or there are better solutions for that - maybe other decorator is more suitable or other way of implementation..?
Hello and welcome onboard!
I have a relatively new account also in stackoverflow but I have quite some experience with django.
The way i see it, you want to create groups like foreign keys one to many, to users who are allowed to see this.
Your solution with a decorator is pretty common and there is nice documentation here, https://docs.djangoproject.com/en/1.4/topics/auth/#limiting-access-to-logged-in-users-that-pass-a-test and an example for the kind of group you need, here https://djangosnippets.org/snippets/1703/.
So, all you have to do is to extend the current decorator with your own logic (if user belongs to specific group) and it will work.
I hope i answer your question!
I'm trying to write my own Trac plugin to notify an external system of changes to tickets matching a certain criteria. From my research so far, I've figured out that implementing the ITicketChangeListener interface is the way to go.
The method definitions are all very straight forward, but what's not straight forward for me is the Ticket object and accessing its custom fields. I've learned that you can access default ticket fields as simply as:
# t is a Ticket object
theStatus = t['status']
I've found several sources that say this won't work:
myCustomField = t['my_custom_field']
Yet none of them tell me what will work.
In addition, I need to know if the old_values argument of the ticket_changed() method will have my custom fields or if I'll have to do something different there as well.
I'm fairly new to Python and very new to Trac. Any help to point me in the right direction is appreciated.
The sources are wrong about custom ticket fields. The value-by-name approach should work. And *old_values* contains all fields values, including custom fields too. That's it.
You may want to look at the TracAnnouncer source for some change-listener coding examples.
I made a django application recently with multiple settings files, each setting file has its own SITE_ID and each SITE_ID is associated with site_id from the django_site table. Now, I want to create staff for certain sites only and other admins for all sites, how would I do something like that?
best wishes,
Mo - not sure whether you're still looking for an answer for this but this cross-post could be along the lines of what you're looking for.
I'm afraid I have bad news for you, you'll have to implement it on your own. What can
you do is to implement a new class say SiteUsers, it can look as follows:
class SiteUsers(models.Model):
site = models.ForeignKey(Site)
users = models.ForeignKey(User)
then you can use a kind of user_passes_test decorator to force access control. I'm not aware
of any ready to use solution.
another option would be to use groups. create set of groups for each site and sort users
to those groups. I think you'll have to have groups like:
site_1_add, site_1_delete, site_1_....
site_2_add, site_2_delete, site_2_....
however I'm afraid it does not scale so well. you will not find out unless you'll try.
anyway going either way will require a lot of admin customization. I really would need to do some research myself first.
I am currently writing an application which I plan to sell as SaaS. Without giving away "secrets," I can say that it is basically a "document editing system" in which many users will be submitting documents.
The basic heirarchy is this:
Institution
Individual
Document
Sub-document
So each Individual should be able to BROWSE all documents that were submitted by anybody in their institution, but should only be able to EDIT documents that they created.
No individual should even be aware of the existence of another Institution--that should all be completely hidden.
I have written a Django/Python class that would facilitate this, but every document regarding authentication that I have read requires that I use the User object. Is this just a limitation of Django, or is there a way to do this?
If there is a way, how can I get my own "Individual" class details attached to the "request" objects so I can validate the things I should be showing the users?
What you're looking for is authorization, not authentication. Django's built-in authorization system is fairly crude, as you've discovered. You'll need something like django-authority if you want a more complete solution.
The auth module is typically used to cover authentication cases.
Gives you groups (Institutions), Users (Individuals) and permissions.
Using these features you can perform checking if a user is a member of a group or owns a doc before allowing them to see or edit the doc.
http://docs.djangoproject.com/en/dev/topics/auth/
If you need to go beyond the typical use case, supporting LDAP for example, then you can look at writing your own authentication backend.
http://docs.djangoproject.com/en/dev/topics/auth/#other-authentication-sources
In general, if you need to attach more information to the builtin User model, you would create new model which subclasses models.Model (not User), and identify it in settings as AUTH_PROFILE_MODULE. You can get the appropriate instance of your model from a user by calling user.get_profile(). (see http://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users).
This is generally useful for adding extra fields to User such as address, contact information, etc. While it would be possible to use this for your authentication needs, you'd most likely be better off using the built in groups, or a more comprehensive solution like django-authority as others have mentioned. I've included this answer only because it seems to be what you were asking for (a way to attach a class to User), but not really what you need (authorization).