angee.iam.permissions
GraphQL access control for Angee IAM.
iam owns the definition of "who is a platform admin", so the platform-admin GraphQL gate lives here rather than buried in iam.schema, and downstream addons (e.g. integrate) can import it without pulling in iam's whole schema module. This module is also the home of the small request/auth context helpers shared between the permission and iam's resolvers.
request_from_info
def request_from_info(info: strawberry.Info) -> HttpRequest
Return the Django request from Strawberry's context.
is_authenticated
def is_authenticated(user: Any) -> bool
Return whether user is a real authenticated session user.
session_user
def session_user(info: strawberry.Info) -> Any
Return the authenticated session user or raise a REBAC denial.
The shared "this resolver requires a signed-in user" gate; iam's resolvers and downstream self-service mutations (e.g. integrate) use it so the anonymous-deny check lives in exactly one place.
is_platform_admin
def is_platform_admin(user: Any) -> bool
Return whether user reaches IAM's platform-admin role.
SECURITY: evaluate this with the REAL request actor, never inside a system_context/sudo block. For a RebacManager user model the check is User.objects.filter(pk=...).exists(), and sudo bypasses the REBAC auth/user read scoping — so under sudo this returns True for ANY authenticated user. Gate first (outside sudo), then sudo only the data read.
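The ordering rule in the SECURITY note, as an added example that is not Angee's code: a toy Python model of the gate evaluated inside and outside a sudo block. `SUDO_ACTIVE`, `USERS`, `system_context`, `scoped_user_exists`, `toy_is_platform_admin` and both `list_users_*` functions are hypothetical stand-ins, and the scoped lookup is assumed to match only admin actors unless sudo is active.

```python
from contextlib import contextmanager
from contextvars import ContextVar

# Toy model only: every name here is a hypothetical stand-in, not Angee's API.
SUDO_ACTIVE: ContextVar[bool] = ContextVar("sudo", default=False)
USERS = {1: {"platform_admin"}, 2: set()}  # constructed data: pk -> roles


@contextmanager
def system_context():
    """Stand-in for a sudo block: read scoping is off while it is active."""
    token = SUDO_ACTIVE.set(True)
    try:
        yield
    finally:
        SUDO_ACTIVE.reset(token)


def scoped_user_exists(pk: int) -> bool:
    """Models a scoped .filter(pk=...).exists(): assumed to match only admin
    actors, unless sudo has switched the scoping off."""
    return pk in USERS and (SUDO_ACTIVE.get() or "platform_admin" in USERS[pk])


def toy_is_platform_admin(pk: int) -> bool:
    """Toy counterpart of the admin check: it is just the scoped lookup."""
    return scoped_user_exists(pk)


def list_users_wrong(actor_pk: int) -> list[int]:
    """Gate evaluated inside sudo: the check passes for any existing user."""
    with system_context():
        if not toy_is_platform_admin(actor_pk):
            raise PermissionError("platform admin required")
        return sorted(USERS)


def list_users_right(actor_pk: int) -> list[int]:
    """Gate with the real actor first, then sudo only around the data read."""
    if not toy_is_platform_admin(actor_pk):
        raise PermissionError("platform admin required")
    with system_context():
        return sorted(USERS)
```

A regression test for a resolver of this shape should call it as a non-admin user and assert the denial, since the inside-sudo variant fails open without raising anything.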
require_platform_admin
def require_platform_admin(info: strawberry.Info) -> Any
Return the session user or raise when it lacks platform-admin reach.
PlatformAdminPermission
class PlatformAdminPermission(BasePermission)
Allow only actors that reach IAM's const-backed platform admin role.
has_permission
def has_permission(source: Any, info: strawberry.Info, **kwargs: Any) -> bool
Return whether the request user has platform-admin reach.