[Question] Thoughts on where/how permissions are enforced?

[kbyatnal]

IMO ideally, each domain should enforce its own permissions. This would require passing along some sort of context with every call, and then services enforce permissions based on the requested data and context.

Curious to hear what others are doing as well.

[phalt]

Great question. I was having a think about this the other day. Django has a robust permissions / groups / users system and we should take advantage of that. Most API requests into a service should have a user associated to them, so I would imagine you'd want to tap into the user permissions system at the API layer, basically redoing what DRF does (which has a great permissions system IMO). As for service to service perms - you could decorate APIs and require a "request" or, like you say, a "context" object to be passed into methods.

[c-py]

I found a good example of putting authentication in business logic in the graphene-django issues here. I also found that when I implemented this, django-rules was quite useful for extending the built in django permission model. I did however need to pass in the user object to use this.