Support for array operators in permissions
Following popular demand in the community, support for array operators like
_has_keys_any in permission rules has been introduced in
Using array operators
Let's say we have a table
users and a table
organizations where a user can access zero, one or several organizations. Let's see how we can model this.
We have a
users table with some sample data:
organizations table with some sample data:
In the permissions tab of the
organizations table, we add a new role called
In the expanded section, we can now add the following custom check for insert:
Let's break this down.
We can use a session variable called
X-Hasura-Allowed-Org-Ids , which contains an array of
org_id values, to specify which organizations a particular user has access to. In the permissions rule, we say that a row in the
organizations table can be accessed if the value in its `id` column is part of the list that the user has access to.
Let's go to GraphiQL and pass the following request headers: the
user (for which we added the permissions). Then we'll pass a
X-Hasura-Allowed-Org-Ids containing an array of allowed organizations. For now, we just want to access one organization.
Let's now access all four organizations:
Note: the rules that say which organizations may be accessed by which users remains with an external system and will be passed to Hasura, e.g. inside a JWT token.
The array operators are
_has_keys_all. More information on this change can be found in the changelog. Do check this feature out and let us know what you think!