Support for array operators in permissions

09 August, 2019 | 2 min read

Following popular demand in the community, support for array operators like _in, _nin, _has_keys_any in permission rules has been introduced in v1.0.0-beta.3.

Using array operators

Let's say we have a table users and a table organizations where a user can access zero, one or several organizations. Let's see how we can model this.

We have a users table with some sample data:

users table

And an organizations table with some sample data:

organizations table

In the permissions tab of the organizations table, we add a new role called user:

In the expanded section, we can now add the following custom check for insert:

Set permissions for user role

Let's break this down.

We can use a session variable called X-Hasura-Allowed-Org-Ids, which contains an array of org_id values, to specify which organizations a particular user has access to. In the permissions rule, we say that a row in the organizations table can be accessed if the value in its `id` column is part of the list that the user has access to.

Let's go to GraphiQL and pass the following request headers: the X-Hasura-Role is user (for which we added the permissions). Then we'll pass an X-Hasura-User-Id and X-Hasura-Allowed-Org-Ids containing an array of allowed organizations. For now, we just want to access one organization.

Let's now access all four organizations:

Note: the rules that say which organizations may be accessed by which users remain with an external system and will be passed to Hasura, e.g. inside a JWT token.
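
As an added example (not part of the original post and not Hasura's own code), this is how an external auth service could mint an HS256 JWT whose Hasura claims carry the allowed organizations, so the list comes from a signed token rather than from client-chosen headers. It assumes the rule `{"id": {"_in": "X-Hasura-Allowed-Org-Ids"}}`, the `https://hasura.io/jwt/claims` namespace, and that array session variables are passed as a Postgres array literal such as `{1,3}`; `mint_token`, `pg_array` and `read_claims` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed permission rule on `organizations` for role `user`:
#   {"id": {"_in": "X-Hasura-Allowed-Org-Ids"}}
HASURA_NS = "https://hasura.io/jwt/claims"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pg_array(org_ids) -> str:
    """Render ids as a Postgres array literal, e.g. {1,3}.
    int() raises on non-numeric text, so arbitrary strings never
    reach the session variable."""
    return "{" + ",".join(str(int(i)) for i in org_ids) + "}"

def mint_token(user_id, org_ids, secret: bytes, ttl: int = 900, now=None) -> str:
    now = int(time.time()) if now is None else now
    claims = {
        "sub": str(user_id), "iat": now, "exp": now + ttl,
        HASURA_NS: {
            "x-hasura-default-role": "user",
            "x-hasura-allowed-roles": ["user"],
            "x-hasura-user-id": str(user_id),
            "x-hasura-allowed-org-ids": pg_array(org_ids),
        },
    }
    header = {"alg": "HS256", "typ": "JWT"}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def read_claims(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the Hasura claims."""
    signing_input, _, sig = token.rpartition(".")
    expected = _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))[HASURA_NS]

if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret-not-for-production"  # constructed value
    print(mint_token(1, [1, 3], demo_secret))
```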

The array operators are _in, _nin, _has_keys_any and _has_keys_all. More information on this change can be found in the changelog. Do check this feature out and let us know what you think!

