如何僅向 graphene-django 中的用戶個人資料所有者顯示特定字段?
[英]How to show specific field only to the user profile owner in graphene-django?
問題描述
我的graphene-django應用程序中有以下模式:
import graphene
from django.contrib.auth import get_user_model
from graphene_django import DjangoObjectType
class UserType(DjangoObjectType):
class Meta:
model = get_user_model()
fields = ("id", "username", "email")
class Query(object):
user = graphene.Field(UserType, user_id=graphene.Int())
def resolve_user(self, info, user_id):
user = get_user_model().objects.get(pk=user_id)
if info.context.user.id != user_id:
# If the query didn't access email field -> query is ok
# If the query tried to access email field -> raise an error
else:
# Logged in as the user we're querying -> let the query access all the fields
我希望能夠通過以下方式查詢架構:
# Logged in as user 1 => no errors, because we're allowed to see all fields
query {
user (userId: 1) {
id
username
email
}
}
# Not logged in as user 1 => no errors, because not trying to see email
query {
user (userId: 1) {
id
username
}
}
# Not logged in as user 1 => return error because accessing email
query {
user (userId: 1) {
id
username
email
}
}
我怎樣才能做到只有登錄用戶才能看到自己個人資料的email字段,而其他人不能看到其他人的電子郵件?
3 個解決方案
解決方案1
2 2019-10-11 13:16:24
這是我根據評論采取的方法。 這里的主要問題是能夠獲得解析器中查詢請求的字段列表。 為此,我使用了改編自此處的代碼:
def get_requested_fields(info):
"""Get list of fields requested in a query."""
fragments = info.fragments
def iterate_field_names(prefix, field):
name = field.name.value
if isinstance(field, FragmentSpread):
results = []
new_prefix = prefix
sub_selection = fragments[name].selection_set.selections
else:
results = [prefix + name]
new_prefix = prefix + name + '.'
sub_selection = \
field.selection_set.selections if field.selection_set else []
for sub_field in sub_selection:
results += iterate_field_names(new_prefix, sub_field)
return results
results = iterate_field_names('', info.field_asts[0])
return results
rest 應該非常簡單:
import graphene
from django.contrib.auth import get_user_model
from graphene_django import DjangoObjectType
class AuthorizationError(Exception):
"""Authorization failed."""
class UserType(DjangoObjectType):
class Meta:
model = get_user_model()
fields = ("id", "username", "email")
class Query(object):
user = graphene.Field(UserType, user_id=graphene.Int())
def resolve_user(self, info, user_id):
user = get_user_model().objects.get(pk=user_id)
if info.context.user.id != user_id:
fields = get_requested_fields(info)
if 'user.email' in fields:
raise AuthorizationError('Not authorized to access user email')
return user
解決方案2
1 已采納 2021-10-07 05:58:33
我最終只是這樣做了,其中查詢自己的信息時返回email的實際值,而其他人則返回None :
import graphene
from django.contrib.auth import get_user_model
from graphene_django import DjangoObjectType
class UserType(DjangoObjectType):
class Meta:
model = get_user_model()
fields = ("id", "username", "email")
def resolve_email(self, info):
if info.context.user.is_authenticated and self.pk == info.context.user.pk:
return self.email
else:
return None
class Query(graphene.ObjectType):
user = graphene.Field(UserType, user_id=graphene.Int())
def resolve_user(self, info, user_id):
return get_user_model().objects.get(pk=user_id)
解決方案3
0 2021-10-06 20:48:44
當前的答案太復雜了。 只需創建兩個 ObjectType,例如:
class PublicUserType(DjangoObjectType):
class Meta:
model = get_user_model()
fields = ('id', 'username')
class PrivateUserType(DjangoObjectType):
class Meta:
model = get_user_model()
花了 4 個多小時嘗試其他解決方案才意識到原來如此簡單
當“to”值為字符串時,石墨烯-django 忽略 Django ForeignKey 字段
[英]Django ForeignKey field ignored by graphene-django when "to" value is a string
如何在Django中僅向帳戶所有者顯示配置文件編輯功能?
[英]How to show profile editing features only to account's owner in Django?
如何在 Graphene-Django 中傳遞 django-simple-history model?
[英]How to pass django-simple-history model in Graphene-Django?
如何在 graphene-django GraphQLTestCase 中使用 django-grahql-jwt 進行身份驗證?
[英]How to authenticate with django-grahql-jwt in a graphene-django GraphQLTestCase?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
graphene-django - 如何過濾?
如何在graphene-django中使用別名
Graphene-django-如何捕獲查詢的響應?
當“to”值為字符串時,石墨烯-django 忽略 Django ForeignKey 字段
如何在Django中僅向帳戶所有者顯示配置文件編輯功能?
Graphene-django返回空節點,而不是僅返回節點字段
石墨烯-Django文件命名約定
如何在graphene-django中使用django抽象類?
如何在 Graphene-Django 中傳遞 django-simple-history model?
如何在 graphene-django GraphQLTestCase 中使用 django-grahql-jwt 進行身份驗證?
相關標簽