search

PedroBern / django-graphql-auth

Django registration and authentication with GraphQL.
https://django-graphql-auth.readthedocs.io/en/latest/
MIT License
333 stars 105 forks source link

How to give query permission #131

Open MedNabilEssefaihi opened 3 years ago

MedNabilEssefaihi commented 3 years ago

Hi community,

I want to know how can add permission to the QUERY class, to give the possibility the user to get only his data and no more ?

import graphene
from graphql_auth import mutations
from graphql_auth.schema import UserQuery, MeQuery

class Query(UserQuery, MeQuery, graphene.ObjectType):
    pass

I want to block this query per example to normal users

query {
  users {
    edges {
      node {
        username,
        archived,
        verified,
        email,
        secondaryEmail,
      }
    }
  }
}

⚠️ they don't have to see other users data

portedison commented 2 years ago

Use MeQuery - I have removed UserQuery, quite dangerous to leave it in there. If you want to add a user specific mutation/query you can use the verification_required. No docs on it but it extends this https://django-graphql-jwt.domake.io/decorators.html#login-required