Open vjrasane opened 2 years ago
Hi @vjrasane, do you have any idea of what this would look like?
I think this could probably be implemented with extensions and a schema directive, but I want to hear your thoughts too, especially since I'm not too familiar with ABAC permissions.
Certainly an interesting request! Extending our permission class to be called before and after resolving a field sounds doable. Do you still need this @vjrasane and would you be interested in working on it?
Currently permission classes seem to be geared towards an RBAC authorization scheme.
The permission classes defined for a resolver are run before the result of the resolver is available, i.e. the source object is None for the initial permission check. The source object is only available when checking permissions for fields of the source object. This makes it difficult to check for the ownership of the initial object, based on username or id for example.
It would be useful if the permission classes could implement permission checks for both before and after the resolver has been run and the result is available.
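The before-and-after check requested in the issue above, sketched in plain Python as an added example; it is not part of the thread and does not use Strawberry's API. `TwoPhasePermission`, `guarded`, `User`, `Document`, `get_document` and the `DOCS` data are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Document:
    owner_id: int
    body: str

class TwoPhasePermission:
    """Hypothetical base class: both phases deny unless overridden."""
    message = "Not authorized"
    def before_resolve(self, user, **kwargs):
        return False
    def after_resolve(self, user, result):
        return False

class IsOwnerOrAdmin(TwoPhasePermission):
    def before_resolve(self, user, **kwargs):
        # Phase 1: no object yet, so only the caller and arguments can be checked.
        return user is not None
    def after_resolve(self, user, result):
        # Phase 2: the decision uses an attribute of the resolved object.
        return "admin" in user.roles or result.owner_id == user.id

def guarded(*permissions):
    def wrap(resolver):
        def run(user, **kwargs):
            for p in permissions:
                if not p.before_resolve(user, **kwargs):
                    raise PermissionError(p.message)
            result = resolver(**kwargs)
            for p in permissions:
                # Missing and forbidden objects fail identically, so ids cannot be probed.
                if result is None or not p.after_resolve(user, result):
                    raise PermissionError(p.message)
            return result
        return run
    return wrap

# Constructed sample data: document id -> Document.
DOCS = {1: Document(owner_id=10, body="alice's notes"), 2: Document(owner_id=20, body="bob's notes")}

@guarded(IsOwnerOrAdmin())
def get_document(id):
    return DOCS.get(id)
```

The second phase suits reads; on a mutation the resolver's side effects have already happened by the time `after_resolve` runs.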