Skip to content

angee.iam.identity

Identity helpers: user-reference display without exposing the user object.

The OIDC login/link resolution that used to live here moved to the iam_integrate_oidc addon (it composes the integrate connection substrate with this user). What remains is the pure user-reference display other addons use to label a grant/principal without pulling a guarded user row into their scope.

user_label

python
def user_label(user: Any) -> str

Return any user model's human label from the Django auth contract.

user_public_id

python
def user_public_id(user_id: Any) -> str | None

Return a user's opaque public id without fetching the user row.

user_display_label

python
def user_display_label(user_id: Any,
                       *,
                       request: HttpRequest | None = None) -> str | None

Return a user's display label (name) without exposing the user object.

Resolved under system_context (IAM's elevation for server-side reads) so an actor-scoped caller never pulls a guarded User row into its own queryset — REBAC rejects that; only a display string leaves the helper.

Pass the Django request to memoize the label per request: a list of rows sharing an author then resolves (and queries) that user once, with repeated authors de-duplicated. Distinct authors still cost one read each — the memo de-duplicates, it does not batch.

user_principal

python
def user_principal(principal_id: str,
                   *,
                   graphql_type_name: str = "UserType") -> Any

Return the user addressed by a role-grant principal id.

user_from_public_id

python
def user_from_public_id(user_id: Any) -> Any

Return the user addressed by one GraphQL public id, or raise.

Released under the AGPL-3.0 License.