graphene-django/docs/authorization.rst

Authorization in Django
=======================

There are several ways you may want to limit access to data when
working with Graphene and Django: limiting which fields are accessible
via GraphQL and limiting which objects a user can access.

Let's use a simple example model.

.. code:: python

    from django.db import models

    class Post(models.Model):
        title = models.CharField(max_length=100)
        content = models.TextField()
        published = models.BooleanField(default=False)
        owner = models.ForeignKey('auth.User')

Limiting Field Access
---------------------

To limit fields in a GraphQL query simply use the ``fields`` meta attribute.

.. code:: python

    from graphene import relay
    from graphene_django.types import DjangoObjectType
    from .models import Post

    class PostNode(DjangoObjectType):
        class Meta:
            model = Post
            fields = ('title', 'content')
            interfaces = (relay.Node, )

conversely you can use ``exclude`` meta attribute.

.. code:: python

    from graphene import relay
    from graphene_django.types import DjangoObjectType
    from .models import Post

    class PostNode(DjangoObjectType):
        class Meta:
            model = Post
            exclude = ('published', 'owner')
            interfaces = (relay.Node, )


Another pattern is to have a resolve method act as a gatekeeper, returning None
or raising an exception if the client isn't allowed to see the data.

.. code:: python

    from graphene import relay
    from graphene_django.types import DjangoObjectType
    from .models import Post

    class PostNode(DjangoObjectType):
        class Meta:
            model = Post
            fields = ('title', 'content', 'owner')
            interfaces = (relay.Node, )

        def resolve_owner(self, info):
            user = info.context.user
            if user.is_anonymous:
                raise PermissionDenied("Please login")
            if not user.is_staff:
                return None
            return self.owner


Queryset Filtering On Lists
---------------------------

In order to filter which objects are available in a queryset-based list,
define a resolve method for that field and return the desired queryset.

.. code:: python

    from graphene import ObjectType
    from graphene_django.filter import DjangoFilterConnectionField
    from .models import Post

    class Query(ObjectType):
        all_posts = DjangoFilterConnectionField(PostNode)

        def resolve_all_posts(self, info):
             return Post.objects.filter(published=True)


User-based Queryset Filtering
-----------------------------

If you are using ``GraphQLView`` you can access Django's request
with the context argument.

.. code:: python

    from graphene import ObjectType
    from graphene_django.filter import DjangoFilterConnectionField
    from .models import Post

    class Query(ObjectType):
        my_posts = DjangoFilterConnectionField(PostNode)

        def resolve_my_posts(self, info):
            # context will reference to the Django request
            if not info.context.user.is_authenticated:
                return Post.objects.none()
            else:
                return Post.objects.filter(owner=info.context.user)

If you're using your own view, passing the request context into the
schema is simple.

.. code:: python

    result = schema.execute(query, context_value=request)


Global Filtering
----------------

If you are using ``DjangoObjectType`` you can define a custom `get_queryset`.

.. code:: python

    from graphene import relay
    from graphene_django.types import DjangoObjectType
    from .models import Post

    class PostNode(DjangoObjectType):
        class Meta:
            model = Post
            fields = '__all__'

        @classmethod
        def get_queryset(cls, queryset, info):
            if info.context.user.is_anonymous:
                return queryset.filter(published=True)
            return queryset

.. warning::

    Defining a custom ``get_queryset`` gives the guaranteed it will be called
    when resolving the ``DjangoObjectType``, even through related objects.
    Note that because of this, benefits from using ``select_related``
    in objects that define a relation to this ``DjangoObjectType`` will be canceled out.
    In the case of ``prefetch_related``, the benefits of the optimization will be lost only
    if the custom ``get_queryset`` modifies the queryset. For more information about this, refers
    to Django documentation about ``prefetch_related``: https://docs.djangoproject.com/en/4.2/ref/models/querysets/#prefetch-related.


    If you want to explicitly disable the execution of the custom ``get_queryset`` when resolving,
    you can decorate the resolver with `@graphene_django.bypass_get_queryset`. Note that this
    can lead to authorization leaks if you are performing authorization checks in the custom
    ``get_queryset``.

Filtering ID-based Node Access
------------------------------

In order to add authorization to id-based node access, we need to add a
method to your ``DjangoObjectType``.

.. code:: python

    from graphene_django.types import DjangoObjectType
    from .models import Post

    class PostNode(DjangoObjectType):
        class Meta:
            model = Post
            fields = ('title', 'content')
            interfaces = (relay.Node, )

        @classmethod
        def get_node(cls, info, id):
            try:
                post = cls._meta.model.objects.get(id=id)
            except cls._meta.model.DoesNotExist:
                return None

            if post.published or info.context.user == post.owner:
                return post
            return None


Adding Login Required
---------------------

To restrict users from accessing the GraphQL API page the standard Django LoginRequiredMixin_ can be used to create your own standard Django Class Based View, which includes the ``LoginRequiredMixin`` and subclasses the ``GraphQLView``.:

.. code:: python

    # views.py

    from django.contrib.auth.mixins import LoginRequiredMixin
    from graphene_django.views import GraphQLView


    class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
        pass

After this, you can use the new ``PrivateGraphQLView`` in the project's URL Configuration file ``url.py``:

For Django 2.2 and above:

.. code:: python

    urlpatterns = [
        # some other urls
        path('graphql/', PrivateGraphQLView.as_view(graphiql=True, schema=schema)),
    ]

.. _LoginRequiredMixin: https://docs.djangoproject.com/en/dev/topics/auth/default/#the-loginrequired-mixin
Added first version of the docs 2016-09-21 08:30:36 +03:00			`Authorization in Django`
			`=======================`

Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00			`There are several ways you may want to limit access to data when`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`working with Graphene and Django: limiting which fields are accessible`
			`via GraphQL and limiting which objects a user can access.`

			`Let's use a simple example model.`

			`.. code:: python`

			`from django.db import models`

			`class Post(models.Model):`
Fix Post name attribute The `PostNode` class uses as model Post which does not have any field `title` 2016-12-05 13:01:49 +03:00			`title = models.CharField(max_length=100)`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`content = models.TextField()`
			`published = models.BooleanField(default=False)`
			`owner = models.ForeignKey('auth.User')`

			`Limiting Field Access`
			`---------------------`

Use field and exclude in docs instead deprecated attrs (#740) 2019-09-07 19:49:41 +03:00			To limit fields in a GraphQL query simply use the ``fields`` meta attribute.
Added first version of the docs 2016-09-21 08:30:36 +03:00
			`.. code:: python`

			`from graphene import relay`
			`from graphene_django.types import DjangoObjectType`
			`from .models import Post`

			`class PostNode(DjangoObjectType):`
			`class Meta:`
			`model = Post`
Use field and exclude in docs instead deprecated attrs (#740) 2019-09-07 19:49:41 +03:00			`fields = ('title', 'content')`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`interfaces = (relay.Node, )`

Use field and exclude in docs instead deprecated attrs (#740) 2019-09-07 19:49:41 +03:00			conversely you can use ``exclude`` meta attribute.
Added documentation for exclude_fields as a method of limiting field access DjangoObjectType 2017-02-07 03:59:13 +03:00
			`.. code:: python`

			`from graphene import relay`
			`from graphene_django.types import DjangoObjectType`
			`from .models import Post`

			`class PostNode(DjangoObjectType):`
			`class Meta:`
			`model = Post`
Use field and exclude in docs instead deprecated attrs (#740) 2019-09-07 19:49:41 +03:00			`exclude = ('published', 'owner')`
Added documentation for exclude_fields as a method of limiting field access DjangoObjectType 2017-02-07 03:59:13 +03:00			`interfaces = (relay.Node, )`

document auth pattern: return None with resolve method (#1106) * document auth pattern: return None with resolve method * (doc, auth): also show that one can raise an exception in a resolve method 2021-02-02 20:58:21 +03:00
			`Another pattern is to have a resolve method act as a gatekeeper, returning None`
			`or raising an exception if the client isn't allowed to see the data.`

			`.. code:: python`

			`from graphene import relay`
			`from graphene_django.types import DjangoObjectType`
			`from .models import Post`

			`class PostNode(DjangoObjectType):`
			`class Meta:`
			`model = Post`
			`fields = ('title', 'content', 'owner')`
			`interfaces = (relay.Node, )`

			`def resolve_owner(self, info):`
			`user = info.context.user`
			`if user.is_anonymous:`
			`raise PermissionDenied("Please login")`
			`if not user.is_staff:`
			`return None`
			`return self.owner`


Added first version of the docs 2016-09-21 08:30:36 +03:00			`Queryset Filtering On Lists`
			`---------------------------`

			`In order to filter which objects are available in a queryset-based list,`
			`define a resolve method for that field and return the desired queryset.`

			`.. code:: python`

			`from graphene import ObjectType`
			`from graphene_django.filter import DjangoFilterConnectionField`
			`from .models import Post`

			`class Query(ObjectType):`
Update authorization.rst Someone probably forgot to change `CategoryNode`, from the previous tutorial, to `PostNode`. 2018-02-23 21:59:19 +03:00			`all_posts = DjangoFilterConnectionField(PostNode)`
Added first version of the docs 2016-09-21 08:30:36 +03:00
Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			`def resolve_all_posts(self, info):`
Update authorization.rst 2018-09-05 14:21:39 +03:00			`return Post.objects.filter(published=True)`

Added first version of the docs 2016-09-21 08:30:36 +03:00
			`User-based Queryset Filtering`
			`-----------------------------`

			If you are using ``GraphQLView`` you can access Django's request
			`with the context argument.`

			`.. code:: python`

			`from graphene import ObjectType`
			`from graphene_django.filter import DjangoFilterConnectionField`
			`from .models import Post`

			`class Query(ObjectType):`
Update authorization.rst Someone probably forgot to change `CategoryNode`, from the previous tutorial, to `PostNode`. 2018-02-23 21:59:19 +03:00			`my_posts = DjangoFilterConnectionField(PostNode)`
Added first version of the docs 2016-09-21 08:30:36 +03:00
Update authorization.rst Upgrading doc, as suggested in https://github.com/graphql-python/graphene-django/issues/282 2017-10-08 15:42:34 +03:00			`def resolve_my_posts(self, info):`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`# context will reference to the Django request`
is_authenticated is bool not callable. (#749) 2019-08-16 16:33:59 +03:00			`if not info.context.user.is_authenticated:`
Updated Django docs with latest changes in graphene-python PRs. Including unmerged PR: https://github.com/graphql-python/graphene-python.org/pull/5 2016-09-25 14:11:01 +03:00			`return Post.objects.none()`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`else:`
Update authorization.rst Upgrading doc, as suggested in https://github.com/graphql-python/graphene-django/issues/282 2017-10-08 15:42:34 +03:00			`return Post.objects.filter(owner=info.context.user)`
Added first version of the docs 2016-09-21 08:30:36 +03:00
			`If you're using your own view, passing the request context into the`
			`schema is simple.`

			`.. code:: python`

			`result = schema.execute(query, context_value=request)`

Get queryset (#528) * first attempt at adding get_queryset * add queryset_resolver to DjangoConnectionField and fix test failures * cleanup get_queryset API to match proposal as close as possible * pep8 fix: W293 * document get_queryset usage * add test for when get_queryset is defined on DjangoObjectType 2019-03-31 14:01:17 +03:00
			`Global Filtering`
			`----------------`

			If you are using ``DjangoObjectType`` you can define a custom `get_queryset`.

			`.. code:: python`

			`from graphene import relay`
			`from graphene_django.types import DjangoObjectType`
			`from .models import Post`

			`class PostNode(DjangoObjectType):`
			`class Meta:`
			`model = Post`
Warn if `fields` or `exclude` are not defined on `DjangoObjectType` (#981) 2020-06-11 13:09:52 +03:00			`fields = '__all__'`
Get queryset (#528) * first attempt at adding get_queryset * add queryset_resolver to DjangoConnectionField and fix test failures * cleanup get_queryset API to match proposal as close as possible * pep8 fix: W293 * document get_queryset usage * add test for when get_queryset is defined on DjangoObjectType 2019-03-31 14:01:17 +03:00
			`@classmethod`
			`def get_queryset(cls, queryset, info):`
			`if info.context.user.is_anonymous:`
			`return queryset.filter(published=True)`
			`return queryset`

fix: fk resolver permissions leak (#1411) * fix: fk resolver permissions leak * fix: only one query for 1o1 relation * tests: added queries count check * fix: docstring * fix: typo * docs: added warning to authorization * feat: added bypass_get_queryset decorator 2023-07-18 15:16:52 +03:00			`.. warning::`

			Defining a custom ``get_queryset`` gives the guaranteed it will be called
			when resolving the ``DjangoObjectType``, even through related objects.
			Note that because of this, benefits from using ``select_related``
			in objects that define a relation to this ``DjangoObjectType`` will be canceled out.
			In the case of ``prefetch_related``, the benefits of the optimization will be lost only
			if the custom ``get_queryset`` modifies the queryset. For more information about this, refers
			to Django documentation about ``prefetch_related``: https://docs.djangoproject.com/en/4.2/ref/models/querysets/#prefetch-related.


			If you want to explicitly disable the execution of the custom ``get_queryset`` when resolving,
			you can decorate the resolver with `@graphene_django.bypass_get_queryset`. Note that this
			`can lead to authorization leaks if you are performing authorization checks in the custom`
			``get_queryset``.
Get queryset (#528) * first attempt at adding get_queryset * add queryset_resolver to DjangoConnectionField and fix test failures * cleanup get_queryset API to match proposal as close as possible * pep8 fix: W293 * document get_queryset usage * add test for when get_queryset is defined on DjangoObjectType 2019-03-31 14:01:17 +03:00
Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			`Filtering ID-based Node Access`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`------------------------------`

			`In order to add authorization to id-based node access, we need to add a`
			method to your ``DjangoObjectType``.

			`.. code:: python`

			`from graphene_django.types import DjangoObjectType`
			`from .models import Post`

			`class PostNode(DjangoObjectType):`
			`class Meta:`
			`model = Post`
Use field and exclude in docs instead deprecated attrs (#740) 2019-09-07 19:49:41 +03:00			`fields = ('title', 'content')`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`interfaces = (relay.Node, )`

			`@classmethod`
fix order in params 2018-09-26 21:07:50 +03:00			`def get_node(cls, info, id):`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`try:`
Update authorization.rst 2018-09-05 14:22:54 +03:00			`post = cls._meta.model.objects.get(id=id)`
Added first version of the docs 2016-09-21 08:30:36 +03:00			`except cls._meta.model.DoesNotExist:`
			`return None`

Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			`if post.published or info.context.user == post.owner:`
Fixes typo in docs 2016-10-19 00:30:15 +03:00			`return post`
Updated Django docs with latest changes in graphene-python PRs. Including unmerged PR: https://github.com/graphql-python/graphene-python.org/pull/5 2016-09-25 14:11:01 +03:00			`return None`
Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00
Update authorization.rst 2018-09-05 14:22:54 +03:00
Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			`Adding Login Required`
Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00			`---------------------`

Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			To restrict users from accessing the GraphQL API page the standard Django LoginRequiredMixin_ can be used to create your own standard Django Class Based View, which includes the ``LoginRequiredMixin`` and subclasses the ``GraphQLView``.:
Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00
			`.. code:: python`
Update doc setup (#673) * Expose doc commands in root makefile and add autobuild * Fix some errors * Alias some commands and add PHONY 2019-06-14 14:33:37 +03:00
			`# views.py`
Rebuild documentation 2019-04-26 18:48:37 +03:00
Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00			`from django.contrib.auth.mixins import LoginRequiredMixin`
			`from graphene_django.views import GraphQLView`


			`class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):`
			`pass`

Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			After this, you can use the new ``PrivateGraphQLView`` in the project's URL Configuration file ``url.py``:

graphql 3.0 and graphene 3.0 final rebase (#951) 2020-05-09 14:13:47 +03:00			`For Django 2.2 and above:`
Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00
			`.. code:: python`

			`urlpatterns = [`
fix: fk resolver permissions leak (#1411) * fix: fk resolver permissions leak * fix: only one query for 1o1 relation * tests: added queries count check * fix: docstring * fix: typo * docs: added warning to authorization * feat: added bypass_get_queryset decorator 2023-07-18 15:16:52 +03:00			`# some other urls`
			`path('graphql/', PrivateGraphQLView.as_view(graphiql=True, schema=schema)),`
Update authorization docs to Graphene 2.0 * Re-write some language in "Limiting Field Access" * Added code to "Queryset Filtering On Lists" section to handle queries that return nothing * fix code to Filtering ID-based node access to work based on question [here](https://stackoverflow.com/questions/51057784/django-graphene-with-relay-restricting-queries-access-based-on-id/51958088#51958088) * Rewrote Adding Login Requirements to be Django 2.0 compatible Fixed login requirements 2018-08-29 10:37:27 +03:00			`]`
Add `Adding login required` section to authorization 2017-02-09 19:18:50 +03:00
Python 3 (#904) * Remove Python 2 support * Upgrade Python & Django versions * Remove unsupported Django versions * Remove unsupported Python versions * Add Python 3.8 * Drop support for django-filter < 2 * Update LoginRequiredMixin doc link * Remove redundant import * Resolve RemovedInDjango40Warning warnings * gql/graphene-django/graphene_django/tests/test_converter.py:175: RemovedInDjango40Warning: django.utils.translation.ugettext_lazy() is deprecated in favor of django.utils.translation.gettext_lazy(). * graphene-django/graphene_django/utils/utils.py:28: RemovedInDjango40Warning: force_text() is deprecated in favor of force_str(). * No need to use unicode strings with Python3 * Remove singledispatch dependency singledispatch is inluded with Python >= 3.4, no need for external package. 2020-04-06 15:21:07 +03:00			`.. _LoginRequiredMixin: https://docs.djangoproject.com/en/dev/topics/auth/default/#the-loginrequired-mixin`