Field-based authorization #88

Open
msander opened this issue Apr 11, 2020 · 1 comment

Comments

@msander

msander commented Apr 11, 2020

I wonder how to handle field-based authorization (i.e. a schema which is based on the request).

In webargs.core._get_schema the argmap is defined as

    :param argmap: Either a `marshmallow.Schema`, `dict`
        of argname -> `marshmallow.fields.Field` pairs, or a callable that returns
        a `marshmallow.Schema` instance.

From my understanding aiohttp-apispec currently just supports passing a schema instance. For field-based authorization a callable that returns a schema instance would be required. Nevertheless, we still need to be able to create a schema from that callable without a request to be able to generate the swagger docs.

Maybe something like

def generate_schema(request):
    # Called with no request when the swagger docs are generated: expose every field.
    if request is None:
        return FullSchema()
    # Admins get the full schema; everyone else gets the reduced one.
    elif request.user.is_admin():
        return FullSchema()
    else:
        return NormalSchema()

@maximdanilchenko
Owner

Hi!
In my opinion the best way is to use FullSchema, which includes all fields from NormalSchema, and validate the needed fields with your custom validation function (in this function you will check the user type and so on; you will call it in your request handler).
webargs (and libs based on it) is just about field validation; it should not include business logic and so on. Moreover, in the case of async programming it becomes harder to mix it in.
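A concrete form of the owner's suggestion, added here as an example and not code from aiohttp-apispec or either participant: one full schema, plus a handler-side check that refuses admin-only fields to non-admin callers. marshmallow is not imported so the block runs stand-alone; FULL_SCHEMA_FIELDS, ADMIN_ONLY_FIELDS, User and the handler names are assumptions, and `data` stands for the dict FullSchema().load(...) would return.

```python
# Added example (not from aiohttp-apispec or the issue thread). Field-level
# authorization done after schema validation, in the request handler, as the
# owner proposes. All names below are assumptions; FULL_SCHEMA_FIELDS stands
# in for FullSchema's declared fields and `data` for FullSchema().load(...).
from dataclasses import dataclass

FULL_SCHEMA_FIELDS = {"name", "email", "is_admin", "quota"}
# Fields only an admin may supply; the rest of the full schema is "normal".
ADMIN_ONLY_FIELDS = {"is_admin", "quota"}


@dataclass
class User:
    name: str
    admin: bool = False

    def is_admin(self) -> bool:
        return self.admin


class FieldAuthorizationError(Exception):
    def __init__(self, fields):
        self.fields = sorted(fields)
        super().__init__(f"not permitted to set: {', '.join(self.fields)}")


def authorize_fields(data: dict, user: User) -> dict:
    """Reject the request if it carries admin-only fields and the caller is not admin.

    Unknown keys are rejected as well: FullSchema would normally drop or refuse
    them first, but the check is cheap and keeps this function safe on its own.
    """
    unknown = set(data) - FULL_SCHEMA_FIELDS
    if unknown:
        raise FieldAuthorizationError(unknown)
    if not user.is_admin():
        forbidden = set(data) & ADMIN_ONLY_FIELDS
        if forbidden:
            raise FieldAuthorizationError(forbidden)
    return data


def handle_update(data: dict, user: User):
    """Handler-style wrapper returning (status, body) the way an aiohttp view would."""
    try:
        authorize_fields(data, user)
    except FieldAuthorizationError as exc:
        return 403, {"error": str(exc), "fields": exc.fields}
    return 200, {"updated": sorted(data)}
```

Refusing with 403 rather than silently dropping the field keeps an attempt by a normal user to set is_admin visible in the handler's logs.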
