Multiple column + row permissions for the same role¶
Table of contents
Use case¶
In some cases we might want to allow access to certain columns for a role only if a particular condition is met while allowing access to other columns based on a different condition i.e. have different column permissions based on different row permissions.
Currently it is not possible to define multiple column + row permission rules for the same role.
We can work around this limitation by using views.
Example
Let’s say we have a table called user_info
with columns (id, name, city, email, phone, address)
.
We want the role user
to be able to access:
- the
email
,phone
andaddress
columns only if theid
column is the requesting user’s id i.e. the current user is the owner of the row. - the
id
,name
andcity
columns for all rows.
We can achieve this via the following steps:
Step 1: Create a view¶
Create a view called user_private
with columns (user_id, email, phone, address)
:
CREATE VIEW user_private AS
SELECT id AS user_id, email, phone, address
FROM user_info;
Step 2: Create a relationship¶
For the table user_info
, create a manual object relationship called
private_info
using user_info : id -> user_private : user_id
:
Step 3: Define permissions¶
For the role user
, create the following permissions for select
:
- Table
user_info
: allow access toid
,name
andcity
without any row conditions.
- View
user_private
: allow access toid
,phone
,email
andaddress
if theuser-id
passed in the session variable is equal to the row’suser_id
.
Step 4: Query with appropriate access control¶
Now we can fetch the required data with the appropriate access control by using the relationship.
If the X-Hasura-Role
and the X-Hasura-User-Id
session variables are set to user
and 2
respectively, we’ll get the following result:
query {
user_info {
id
name
city
private_info {
email
phone
address
}
}
}
Observe that the private_info
field is returned as null
for all rows without the appropriate access.