Following popular demand in the community, support for array operators like _in, _nin, _has_keys_any in permission rules has been introduced in v1.0.0-beta.3.
Using array operators
Let's say we have a table users and a table organizations where a user can access zero, one or several organizations. Let's see how we can model this.
We have a users table with some sample data:
users table
And an organizations table with some sample data:
organizations table
In the permissions tab of the organizations table, we add a new role called user:
In the expanded section, we can now add the following custom check for insert:
Set permissions for user role
Let's break this down.
We can use a session variable called X-Hasura-Allowed-Org-Ids, which contains an array of org_id values, to specify which organizations a particular user has access to. In the permissions rule, we say that a row in the organizations table can be accessed if the value in its `id` column is part of the list that the user has access to.
Let's go to GraphiQL and pass the following request headers: X-Hasura-Role is user (the role for which we added the permissions). Then we'll pass an X-Hasura-User-Id and an X-Hasura-Allowed-Org-Ids header containing an array of allowed organizations. For now, we just want to access one organization.
Let's now access all four organizations:
Note: the rules that say which organizations may be accessed by which users remain with an external system and will be passed to Hasura, e.g. inside a JWT.
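One way the external system could hand the allowed-organization list to Hasura inside a JWT, shown as an added example that is not code from the original post. It assumes integer organization ids, an HS256 demo key, and the JSON form of the rule described above; the function names are hypothetical.

```python
import base64, hashlib, hmac, json

# Permission rule as the text describes it (assumed JSON form; the page's
# screenshot of the rule is not reproduced here).
ORG_RULE = {"id": {"_in": "X-Hasura-Allowed-Org-Ids"}}

def pg_array_literal(org_ids):
    """Encode integer ids as a Postgres array literal, e.g. {1,3}."""
    for i in org_ids:
        # bool is a subclass of int; reject it and anything non-integer so
        # no caller-supplied string can reshape the array literal.
        if isinstance(i, bool) or not isinstance(i, int):
            raise ValueError(f"org id must be an integer: {i!r}")
    return "{" + ",".join(str(i) for i in sorted(set(org_ids))) + "}"

def hasura_claims(user_id, org_ids):
    """Session variables placed under Hasura's JWT claims namespace."""
    return {"sub": str(user_id), "https://hasura.io/jwt/claims": {
        "x-hasura-default-role": "user",
        "x-hasura-allowed-roles": ["user"],
        "x-hasura-user-id": str(user_id),
        "x-hasura-allowed-org-ids": pg_array_literal(org_ids),
    }}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Minimal HS256 JWT; a real issuer would also set exp and iat."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def row_visible(row, session, rule=ORG_RULE):
    """Local model of the rule: is the row's column value in the session array?"""
    (column, cond), = rule.items()
    (op, header), = cond.items()
    literal = session[header.lower()]   # session variable names are case-insensitive
    allowed = {int(x) for x in literal.strip("{}").split(",") if x}
    hit = row[column] in allowed
    return hit if op == "_in" else not hit   # only _in and _nin are modelled

if __name__ == "__main__":
    claims = hasura_claims(1, [3, 1])
    token = sign_hs256(claims, b"constructed-demo-key-not-a-real-secret")
    session = claims["https://hasura.io/jwt/claims"]
    orgs = [{"id": n} for n in (1, 2, 3, 4)]   # constructed sample rows
    print(token.count("."), [o["id"] for o in orgs if row_visible(o, session)])
```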
The array operators are _in, _nin, _has_keys_any and _has_keys_all. More information on this change can be found in the changelog. Do check this feature out and let us know what you think!