Search code examples
djangographene-python

Django graphene relay restricting queries to objects owned the user


I am doing the graphene tutorial on filtering with relay from: http://docs.graphene-python.org/projects/django/en/latest/filtering/ where the user is restricted to query objects that they previously created. I am using graphene 2, django 2, and django-filter 1.11.

class AnimalFilter(django_filters.FilterSet):
    # Do case-insensitive lookups on 'name'
    name = django_filters.CharFilter(lookup_expr=['iexact']) #changed this to work

    class Meta:
        model = Animal
        fields = ['name', 'genus', 'is_domesticated']

    @property
    def qs(self):
        # The query context can be found in self.request.
        return super(AnimalFilter, self).qs.filter(owner=self.request.user)

I am having an inserting the self.request.user part, where the user data is loaded. When I do a query like:

query {
  allAnimalss {
    edges {
      node {
        id,
        name
      }
    }
  }
}

I get an error in the query field:

{
  "errors": [
    {
      "message": "'NoneType' object has no attribute 'user'",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ]
    }
  ],
  "data": {
    "allAnimals": null
  }
}

If I remove the filter it works fine. The tutorial mentioned "owned by the authenticated user (set in context.user)." what does this mean?

I tried adding a get_context_data function to the views.py

def get_context_data(self, **kwargs):
    context = super().get_context_data(**kwargs)
    context['user'] = self.request.user
    return context

and also changing self.request.user to self.context.user but it does not work


Solution

  • You can access the request and thereby the user via info.context in the resolver method. The docs are not great explaining this, but here you can see an example

    def resolve_something(self, info, something_id):
        # Here info.context is the django request object
        something = Something.objects.get(something_id)
        if info.context.user.id == something.user_id:
            # The user owns this object!
            return something
    
        # Return None or raise an exception here maybe since it's not the owner
        return None