Filter relationships in backend

[etiennecaldo]

Hi everyone, Thank you for the great work here. I have been using this framework smoothly in production app for few months. My question today is: how could I achieve a filter relationships in backend to hide some data. I know I can change the query for the base object but what about the relationships that are serialized?

I mean, for example a User is part of two projects and one of them is "secret" (that means only Admin may view it).

What I would like to do is:

• when User sends request user/1?include=projects, I want user to have only one relationship and I want to have only one project in the "included" field of the response.
• when Admin sends same request, I want the two projects both in user's relationships and in "included" field.

I know how to differentiate Admin from User but after that, how could I filter the relationships before they are serialized?

Solution 1:

• using the lazy="dynamic" attribute and adapting the query of child in after_get_objet but it let me only control one level of children. Imagine if I want to get all projects of users that are in same project as me: Something like user/1?include=projects.users.projects It would not work for deep children.

Solution 2:

• in after_get, I would de-serialize, check deeply all objects I want to remove and re-serialize. This could perhaps work but is not very efficient (it is sad to serialize then deserialize and re-serialize...)

Do you have any other idea? Thanks in advance for your help...!

[etiennecaldo]

Ok I found a solution: I overloaded the fields.Relationship class from marshmallow-jsonapi like this:

class ConditionalRelationship(Relationship):
    def __init__(self, filterValueFunc, *args, **kwargs):
        super(ConditionalRelationship, self).__init__(*args, **kwargs)
        self.filterValueFunc = filterValueFunc

    def _serialize(self, value, attr, obj):
        value = self.filterValueFunc(value, attr, obj)
        return super(ConditionalRelationship, self)._serialize(value, attr, obj)

and I do my logic in filterValueFunc, given as an input.