Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Boolean expression permissions #3408

Open
wants to merge 38 commits into
base: main
Choose a base branch
from
+745 −25
Open

Boolean expression permissions #3408

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
ee8d93c
First pass looking at boolean operators on permissions
Mar 14, 2024
9a8ce6c
Boolean permissions tests
Mar 14, 2024
ea4040b
Update docs
Mar 14, 2024
ecedc67
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2024
f442f06
Formatting fix
Mar 14, 2024
7f02182
Merge remote-tracking branch 'origin/boolean-expression-permissions' …
Mar 14, 2024
8b08575
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2024
6300052
Move try catch out of loop!
Mar 14, 2024
796dc99
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2024
9c9eedc
Few fixes from AI review
Mar 14, 2024
c682525
Merge remote-tracking branch 'origin/boolean-expression-permissions' …
Mar 14, 2024
9694236
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2024
c38d868
Revert some breaking changes. Move from boolean to composite permiss…
Mar 22, 2024
d455926
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 22, 2024
af0c1d4
Absolutely hadn't finished my changes!
Mar 22, 2024
340f4a0
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 22, 2024
f00a5a6
Merge branch 'strawberry-graphql:main' into boolean-expression-permis…
vethan Mar 22, 2024
7823b38
Fix to undefined Info type
Mar 22, 2024
70e695e
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 22, 2024
ed67c14
Test the async versions of composite permissions, and some linting fixes
Apr 2, 2024
7064f74
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Apr 2, 2024
62ec845
Final linting fixes
Apr 2, 2024
cf53546
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Apr 2, 2024
496cb36
Merge branch 'strawberry-graphql:main' into boolean-expression-permis…
vethan Apr 2, 2024
6226b39
Make sure to test asyncs
Apr 4, 2024
d8c9cce
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Apr 4, 2024
425d739
Of course I missed a single _async
Apr 4, 2024
4a2805a
Merge remote-tracking branch 'origin/boolean-expression-permissions' …
Apr 4, 2024
e1c2b68
refactor: use default has permission syntax for boolean permissions
erikwrede Apr 14, 2024
d338665
chore: adjust type annotation for kwargs
erikwrede Apr 14, 2024
49f9d81
chore: raise error cleanly
erikwrede Apr 14, 2024
08fc53c
Merge branch 'strawberry-graphql:main' into boolean-expression-permis…
vethan Apr 15, 2024
9ed6a54
fix: use correct type annotation for kwargs
erikwrede May 3, 2024
29fe77f
chore: adjust type hints
erikwrede May 3, 2024
1dd86ce
fix: support passing context when nesting permissions
erikwrede May 3, 2024
d9f016a
Merge branch 'boolean-expression-permissions-erik' into boolean-expre…
patrick91 May 16, 2024
901abf0
Merge branch 'main' into boolean-expression-permissions
patrick91 May 16, 2024
64bcbad
Merge branch 'refs/heads/boolean-expression-permissions-erik' into bo…
erikwrede May 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions docs/guides/permissions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,29 @@ consider if it is possible to use alternative solutions like the `@skip` or
without permission. Check the GraphQL documentation for more information on
[directives](https://graphql.org/learn/queries/#directives).

## Boolean Operations

When using the `PermissionExtension`, it is possible to combine permissions
using the `&` and `|` operators to form boolean logic. For example, if you
want a field to be accessible with either the `IsAdmin` or `IsOwner` permission
you could define the field as follows:

```python
import strawberry
from strawberry.permission import PermissionExtension, BasePermission


@strawberry.type
class Query:
@strawberry.field(
extensions=[
PermissionExtension(permissions=[(IsAdmin() | IsOwner())], fail_silently=True)
]
)
def name(self) -> str:
return "ABC"
```

## Customizable Error Handling

To customize the error handling, the `on_unauthorized` method on the
Expand Down
125 changes: 110 additions & 15 deletions strawberry/permission.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,12 +56,24 @@ def has_permission(
"Permission classes should override has_permission method"
)

def on_unauthorized(self) -> None:
def resolve_permission_sync(self, source: Any, info: Info, **kwargs: Any) -> bool:
if self.has_permission(source, info, **kwargs):
return True
else:
raise self.on_unauthorized()
patrick91 marked this conversation as resolved.
Show resolved Hide resolved

async def resolve_permission_async(self, source: Any, info: Info,
**kwargs: Any) -> bool:
if await await_maybe(self.has_permission(source, info, **kwargs)):
return True
else:
raise self.on_unauthorized()

def on_unauthorized(self) -> Exception:
"""
Default error raising for permissions.
This can be overridden to customize the behavior.
"""

# Instantiate error class
error = self.error_class(self.message or "")

Expand All @@ -71,12 +83,11 @@ def on_unauthorized(self) -> None:
error.extensions = dict()
error.extensions.update(self.error_extensions)

raise error
return error

@property
def schema_directive(self) -> object:
def schema_directive(self) -> List[object]:
vethan marked this conversation as resolved.
Show resolved Hide resolved
if not self._schema_directive:

class AutoDirective:
__strawberry_directive__ = StrawberrySchemaDirective(
self.__class__.__name__,
Expand All @@ -87,7 +98,84 @@ class AutoDirective:

self._schema_directive = AutoDirective()

return self._schema_directive
return [self._schema_directive]

@property
def is_async(self) -> bool:
return iscoroutinefunction(self.has_permission)
erikwrede marked this conversation as resolved.
Show resolved Hide resolved

def __and__(self, other: BasePermission):
return AndPermission(self, other)

def __or__(self, other):

return OrPermission(self, other)


class BoolPermission(BasePermission, abc.ABC):
left: BasePermission
right: BasePermission

def __init__(self, left: BasePermission, right: BasePermission):
vethan marked this conversation as resolved.
Show resolved Hide resolved
self.left = left
self.right = right

def has_permission(self, source: Any, info: Info, **kwargs: Any) -> Union[
bool, Awaitable[bool]]:
pass

@property
def is_async(self) -> bool:
return self.left.is_async | self.right.is_async

@property
def schema_directive(self) -> List[object]:
return self.left.schema_directive + self.right.schema_directive


class AndPermission(BoolPermission):
def __init__(self, left: BasePermission, right: BasePermission):
super().__init__(left, right)

def resolve_permission_sync(self, source: Any, info: Info, **kwargs: Any) -> bool:
if not self.left.has_permission(source, info, **kwargs):
raise self.left.on_unauthorized()
if not self.right.has_permission(source, info, **kwargs):
raise self.right.on_unauthorized()

return True

async def resolve_permission_async(self, source: Any, info: Info,
**kwargs: Any) -> bool:
if not await await_maybe(self.left.has_permission(source, info, **kwargs)):
raise self.left.on_unauthorized()
if not await await_maybe(self.right.has_permission(source, info, **kwargs)):
raise self.right.on_unauthorized()

return True


class OrPermission(BoolPermission):
def __init__(self, left: BasePermission, right: BasePermission):
super().__init__(left, right)

def resolve_permission_sync(self, source: Any, info: Info, **kwargs: Any) -> bool:
if self.left.has_permission(source, info, **kwargs):
return True
if self.right.has_permission(source, info, **kwargs):
return True

raise self.left.on_unauthorized()


async def resolve_permission_async(self, source: Any, info: Info,
**kwargs: Any) -> bool:
if await await_maybe(self.left.has_permission(source, info, **kwargs)):
return True
if await await_maybe(self.right.has_permission(source, info, **kwargs)):
return True

raise self.left.on_unauthorized()


class PermissionExtension(FieldExtension):
Expand Down Expand Up @@ -122,7 +210,8 @@ def apply(self, field: StrawberryField) -> None:
"""
if self.use_directives:
field.directives.extend(
p.schema_directive for p in self.permissions if p.schema_directive
[directive for p in self.permissions for directive in p.schema_directive
if p.schema_directive]
)
# We can only fail silently if the field is optional or a list
if self.fail_silently:
Expand Down Expand Up @@ -152,8 +241,13 @@ def resolve(
raises an exception if not
"""
for permission in self.permissions:
if not permission.has_permission(source, info, **kwargs):
return self._on_unauthorized(permission)
try:
permission.resolve_permission_sync(source, info, **kwargs)
except BaseException as e:
if self.fail_silently:
return [] if self.return_empty_list else None
else:
raise e
return next_(source, info, **kwargs)

async def resolve_async(
Expand All @@ -164,12 +258,13 @@ async def resolve_async(
**kwargs: Dict[str, Any],
) -> Any:
for permission in self.permissions:
has_permission = await await_maybe(
permission.has_permission(source, info, **kwargs)
)

if not has_permission:
return self._on_unauthorized(permission)
try:
await permission.resolve_permission_async(source, info, **kwargs)
except BaseException as e:
if self.fail_silently:
return [] if self.return_empty_list else None
else:
raise e
next = next_(source, info, **kwargs)
if inspect.isasyncgen(next):
return next
Expand Down
Loading
Loading