angee.iam.permissions

GraphQL access control for Angee IAM.

iam owns "who is a platform admin", so the platform-admin GraphQL gate lives here — not buried in iam.schema — and downstream addons (e.g. integrate) import it without pulling in iam's whole schema module. Also the home of the small request/auth context helpers shared between the permission and iam's resolvers.

request_from_info

```python
def request_from_info(info: strawberry.Info) -> HttpRequest
```

Return the Django request from Strawberry's context.

is_authenticated

```python
def is_authenticated(user: Any) -> bool
```

Return whether user is a real authenticated session user.

session_user

```python
def session_user(info: strawberry.Info) -> Any
```

Return the authenticated session user or raise a REBAC denial.

The shared "this resolver requires a signed-in user" gate; iam's resolvers and downstream self-service mutations (e.g. integrate) use it so the anonymous-deny check lives in exactly one place.

is_platform_admin

```python
def is_platform_admin(user: Any) -> bool
```

Return whether user reaches IAM's platform-admin role.

SECURITY: evaluate this with the REAL request actor, never inside a system_context/sudo block. For a RebacManager user model the check is User.objects.filter(pk=...).exists(), and sudo bypasses the REBAC auth/user read scoping — so under sudo this returns True for ANY authenticated user. Gate first (outside sudo), then sudo only the data read.
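The ordering rule above, shown on a toy model. This is an added example, not Angee's code: `SUDO`, `USERS`, `AUDIT_ROWS` and the `read_audit_*` functions are hypothetical, and `system_context` and `is_platform_admin` here are simplified stand-ins that only reproduce the behaviour the note describes (a scoped existence check that sudo turns into a plain existence check).

```python
# Toy model (constructed): none of this is Angee's or Django's real code.
from contextlib import contextmanager
from contextvars import ContextVar

SUDO = ContextVar("sudo", default=False)

# Constructed sample data: user pk -> holds the platform-admin role?
USERS = {"alice": True, "bob": False}
AUDIT_ROWS = ["row-1", "row-2"]


@contextmanager
def system_context():
    """Stand-in for a sudo block: switches read scoping off."""
    token = SUDO.set(True)
    try:
        yield
    finally:
        SUDO.reset(token)


def is_platform_admin(pk):
    """Models a scoped `filter(pk=...).exists()`: the row is visible only
    to admins, unless sudo has disabled scoping (then any row is visible)."""
    if pk not in USERS:
        return False
    return SUDO.get() or USERS[pk]


def read_audit_unsafe(pk):
    # Wrong order: the gate runs inside sudo, so it passes for every user.
    with system_context():
        if not is_platform_admin(pk):
            raise PermissionError("platform admin required")
        return list(AUDIT_ROWS)


def read_audit_safe(pk):
    # Gate first with the real actor, then sudo only the data read.
    if not is_platform_admin(pk):
        raise PermissionError("platform admin required")
    with system_context():
        return list(AUDIT_ROWS)
```

A regression test for any resolver that uses sudo should call it as a non-admin user and assert the denial, since the unsafe ordering fails open rather than raising.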

require_platform_admin

```python
def require_platform_admin(info: strawberry.Info) -> Any
```

Return the session user or raise when it lacks platform-admin reach.

PlatformAdminPermission

```python
class PlatformAdminPermission(BasePermission)
```

Allow only actors that reach IAM's const-backed platform admin role.

has_permission

```python
def has_permission(source: Any, info: strawberry.Info, **kwargs: Any) -> bool
```

Return whether the request user has platform-admin reach.

Released under the AGPL-3.0 License.