如何基于Graphene / Django上的用户类型限制对模型的字段访问? [英] How to limit field access on a model based on user type on Graphene/Django?
问题描述
class Employee(models.Model):
first_name = models。 CharField(max_length = 40)
last_name = models.CharField(max_length = 60)
工资= models.DecimalField(decimal_places = 2)
我希望任何人都可以访问first_name和last_name,但只希望某些用户能够读取薪水,因为这是机密数据。
然后我想将工资的写入/更新限制为什至是另一种类型的用户。
我如何限制字段的读取/写入/更新
编辑:
这是在GraphQL中API上下文。我正在使用石墨烯。我想在解析器功能中看到一个可扩展的解决方案。
查询
假设您拥有
-
定义为
employees = graphene.List(EmployeeType)
$ b $的查询b -
用于查询的解析器,例如
def resolve_employees(self,info,** kwargs):
返回Employee.objects.all()
和
- 权限在名为
can_view_salary
和can_edit_salary
的员工模型上
然后,您需要定义 EmployeeType
,其值取决于用户的 salary
。像
从graphene_django.types从myapp.models导入DjangoObjectType
导入Employee
类EmployeeType(DjangoObjectType ):
class Meta:
model = Employee
def resolve_salary(self,info):
if info.context.user.has_perm('myapp.can_view_salary' ):
返回self.salary
返回None
重要的要点是您正在创建一个自定义的解决
函数,用于根据权限值切换的薪水。您不需要为 first_name
和 last_name
创建任何其他解析程序。
< BR>
变异
先阅读文档。但没有示例进行更新。
简而言之,这是您可以采用的方法:
-
创建一种方法以将员工设置为
Mutation
方法
类MyMutations(graphene.ObjectType):
set_employee = SetEmployee.Field()
-
为
SetEmployee
创建一个方法,该方法获取Employee对象并对其进行更新。某些用户将忽略薪金字段。再次注意,通过将字符串作为输入,我忽略了十进制
问题。
class SetEmployee(graphene.Mutation):
类参数:
id = graphene.ID()
first_name = graphene.String()
last_name = graphene.String()
工资= graphene.String()
员工= graphene.Field(lambda:EmployeeType)
@classmethod
def mutate(cls,root,info,** args):
employee_id = args.get('employee_id')
#按id获取雇员对象
employee = Employee.objects.get(id = employee_id)
first_name = args.get('first_name')
last_name = args.get('last_name')
薪水= args.get('薪水')
#如果first_name:
employee.first_name = first_name
,如果姓氏:
employee.last_name,则从变异输入
中更新employee字段= last_name
(如果有薪金和info.context.user)。 has_perm('myapp.can_edit_salary'):
employee.salary =薪水
employee.save()
return SetEmployee(employee = employee)
Let's say I have a model:
class Employee(models.Model):
first_name = models.CharField(max_length=40)
last_name = models.CharField(max_length=60)
salary = models.DecimalField(decimal_places=2)
I want anyone to be able to access first_name and last_name but only want certain users to be able to read salary because this is confidential data.
And then I want to restrict write/update for salary to an even different kind of user.
How do I restrict field read/write/update depending on the request user?
EDIT:
This is in the GraphQL API context. I am using Graphene. I'd like to see a scalable solution in the resolver function.
QUERIES
Assuming that you have
a query defined like
employees = graphene.List(EmployeeType)
a resolver for the query like
def resolve_employees(self, info, **kwargs): return Employee.objects.all()
and
- permissions on your Employee model called
can_view_salary
andcan_edit_salary
Then you'll need to define the EmployeeType
with a value of salary
that is dependent on the user. Something like
from graphene_django.types import DjangoObjectType
from myapp.models import Employee
class EmployeeType(DjangoObjectType):
class Meta:
model = Employee
def resolve_salary(self, info):
if info.context.user.has_perm('myapp.can_view_salary'):
return self.salary
return None
The important takeaway is that you're creating a custom resolve
function for the salary that is switching based on the value of a permission. You don't need to create any other resolvers for first_name
and last_name
.
MUTATIONS
Read the documentation first. But there isn't an example for doing an update.
In brief, here's the approach that you can take:
Create a method to set the employee in your
Mutation
methodclass MyMutations(graphene.ObjectType): set_employee = SetEmployee.Field()
Create a method for
SetEmployee
that gets the Employee object and updates it. The salary field is ignored for certain users. Note again that I am ignoring theDecimal
issue by taking a string as an input.class SetEmployee(graphene.Mutation):
class Arguments: id = graphene.ID() first_name = graphene.String() last_name = graphene.String() salary = graphene.String() employee = graphene.Field(lambda: EmployeeType) @classmethod def mutate(cls, root, info, **args): employee_id = args.get('employee_id') # Fetch the employee object by id employee = Employee.objects.get(id=employee_id) first_name = args.get('first_name') last_name = args.get('last_name') salary = args.get('salary') # Update the employee fields from the mutation inputs if first_name: employee.first_name = first_name if last_name: employee.last_name = last_name if salary and info.context.user.has_perm('myapp.can_edit_salary'): employee.salary = salary employee.save() return SetEmployee(employee=employee)
这篇关于如何基于Graphene / Django上的用户类型限制对模型的字段访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!