Django permissions required for Nodes, Mutations and Connections

[carlosmart626]

This PR adds support to required Django permissions at Nodes, Mutations and Connections.

Example Node:

    from graphene_django.types import DjangoObjectType
    from graphene_django.auth import node_require_permission
    from .models import Reporter

    class ReporterType(DjangoObjectType):

        class Meta:
            model = Reporter
            interfaces = (Node, )

        @classmethod
        @node_require_permission(permissions=('can_view_report', 'can_edit_foo', ))
        def get_node(cls, info, id):
            return super(ReporterType, cls).get_node(info, id)

Example Mutation:

    from rest_framework import serializers
    from graphene_django.types import DjangoObjectType
    from graphene_django.auth import node_require_permission
    from graphene_django.rest_framework.mutation import SerializerMutation
    from .models import Reporter


    class ReporterSerializer(serializers.ModelSerializer):
        class Meta:
            model = Reporter
            fields = '__all__'


    class MyMutation(SerializerMutation):
        class Meta:
            serializer_class = ReporterSerializer

        @classmethod
        @mutation_require_permission(permissions=('can_view_foo', 'can_edit_foo', ))
        def mutate_and_get_payload(cls, root, info, **input):
            return super(MyMutation, cls).mutate_and_get_payload(root, info, **input)

Example Connection:

    import graphene
    from graphene_django.fields import DjangoConnectionField
    from graphene_django.auth import connection_require_permission, node_require_permission
    from graphene_django.types import DjangoObjectType
    from .models import Reporter

    class ReporterType(DjangoObjectType):

        class Meta:
            model = Reporter
            interfaces = (Node, )

        @classmethod
        @node_require_permission(permissions=('can_view_report', 'can_edit_foo', ))
        def get_node(cls, info, id):
            return super(ReporterType, cls).get_node(info, id)

    class MyAuthDjangoConnectionField(DjangoConnectionField):

        @classmethod
        @connection_require_permission(permissions=('can_view_foo', ))
        def connection_resolver(cls, resolver, connection, default_manager, max_limit,
                                enforce_first_or_last, root, info, **args):
            return super(MyAuthDjangoConnectionField, cls).connection_resolver(
                resolver, connection, default_manager, max_limit,
                enforce_first_or_last, root, info, **args)

    class Query(graphene.ObjectType):
        all_reporters = MyAuthDjangoConnectionField(ReporterType)

[coveralls]

Coverage increased (+0.4%) to 93.36% when pulling 0477c1a on CarlosMart626:master into 2600f0f on graphql-python:master.

[coveralls]

Coverage increased (+0.4%) to 93.36% when pulling 0477c1a on CarlosMart626:master into 2600f0f on graphql-python:master.

[helpse]

Looks nice!

[helpse]

Hey @carlosmart626. Will this PR ever be approved?
Looks like a nice approach.
I have also worked on a simplified version, based on Django's method decorator and this PR's implementation. Something like this:

@node_require_permission(permissions=('can_view_report', 'can_edit_foo', ))
class GrupoNode(AuthMixin, DjangoObjectType):
    """
    Grupos
    """
    class Meta:
        model = Grupo
        filter_fields = ['id', 'nombre', 'iglesia', ]
        interfaces = (Node, )

This basically does the same.
node_require_permission is a wrapper for this PR's node_require_permission, but I moved the decorator's usage to the class instead of the classmethod.

[un33k]

LGTM

Permissions strategy needs to discussed

[zbyte64]

What I like about this PR is it is not inventing any new opinions. All it does is connect django's existing permission framework to our classes with helper functions. It is hard for me to imagine a permission strategy that is less opinionated or less opt-in. That is why I am approving this PR.

[carlosmart626]

@firaskafri @zbyte64 I can fix the issues to related to the pipeline to continue with this PR. Is any other issue to address here?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.