angee.iam.identity
Identity helpers: user-reference display without exposing the user object.
The OIDC login/link resolution that used to live here moved to the iam_integrate_oidc addon (it composes the integrate connection substrate with this user). What remains is the pure user-reference display other addons use to label a grant/principal without pulling a guarded user row into their scope.
user_label
def user_label(user: Any) -> str
Return any user model's human label from the Django auth contract.
user_public_id
def user_public_id(user_id: Any) -> str | None
Return a user's opaque public id without fetching the user row.
user_display_label
def user_display_label(user_id: Any,
                       *,
                       request: HttpRequest | None = None) -> str | None
Return a user's display label (name) without exposing the user object.
Resolved under system_context (IAM's elevation for server-side reads) so an actor-scoped caller never pulls a guarded User row into its own queryset — REBAC rejects that; only a display string leaves the helper.
Pass the Django request to memoize the label per request: a list of rows sharing an author then resolves (and queries) that user once, with repeated authors de-duplicated. Distinct authors still cost one read each — the memo de-duplicates, it does not batch.
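An added sketch of the behaviour described above, not the angee source: `system_context_sketch`, `read_user_row`, `display_label_sketch`, `label_rows`, `FakeRequest` and the user table are constructed stand-ins. It shows that only a string leaves the helper and that the per-request memo de-duplicates guarded reads without batching them.

```python
from contextlib import contextmanager

# Constructed stand-in for the guarded user table (id -> row).
USERS = {1: {"name": "Ada Lovelace", "email": "ada@example.test"},
         2: {"name": "Grace Hopper", "email": "grace@example.test"}}
reads = []          # every guarded read, so callers can count queries
_state = {"elevated": False}


class FakeRequest:
    """Stand-in for django.http.HttpRequest; only its attribute dict is used."""


@contextmanager
def system_context_sketch():
    """Hypothetical stand-in for IAM's server-side elevation."""
    previous, _state["elevated"] = _state["elevated"], True
    try:
        yield
    finally:
        _state["elevated"] = previous


def read_user_row(user_id):
    """Guarded read: refused unless elevated, as an actor-scoped query would be."""
    if not _state["elevated"]:
        raise PermissionError("user row is guarded")
    reads.append(user_id)
    return USERS.get(user_id)


def display_label_sketch(user_id, *, request=None):
    """Return only the display string; memoize per request when one is given."""
    memo = vars(request).setdefault("_label_memo", {}) if request is not None else None
    if memo is not None and user_id in memo:
        return memo[user_id]
    with system_context_sketch():
        row = read_user_row(user_id)
    label = row["name"] if row else None   # the row itself never leaves this scope
    if memo is not None:
        memo[user_id] = label
    return label


def label_rows(rows, request=None):
    """Label rows by author id, the way a list view would."""
    return [display_label_sketch(r["author_id"], request=request) for r in rows]
```

With a request, four rows by two authors cost two guarded reads; without one, the same rows cost four.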
user_principal
def user_principal(principal_id: str,
                   *,
                   graphql_type_name: str = "UserType") -> Any
Return the user addressed by a role-grant principal id.
user_from_public_id
def user_from_public_id(user_id: Any) -> Any
Return the user addressed by one GraphQL public id, or raise.