Disabling root fields
Introduction
When you track a table in Hasura, by default it exposes all the root fields available to the role. However, sometimes you may want a role to only have access to certain root fields of a table or have the table be accessible only through relationships.
Note
Only query and subscription root fields can be disabled.
Supported from
Disabling root fields is supported in version v2.8.0
and above.
Use cases
1. Allow a table to be accessible only through a relationship
Let's say we have two tables, authors
and articles
defined as follows:
Table | Columns | Hasura relationships |
---|---|---|
author | id , first_name , last_name , created_at , is_active | articles (array) |
articles | id , author_id , title , content , created_at , is_public | author (object) |
We would like to configure permissions of the guest
role such that they are only able to access the articles
of the
authors
which they can access i.e. access the articles
table only through the authors
-> articles
relationship.
Modifying the select permission of the articles
table:
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin
{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "guest",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {
"is_public": true
},
"query_root_fields": [],
"subscription_root_fields": []
}
}
}
With this the guest
role is allowed to select all columns and rows where is_public
is set to true
in the
articles
table. Note that query_root_fields
and subscription_root_fields
are set to []
, which means that the
guest
role won't be able to access the articles
table directly, but will be able to access it through the articles
relationship.
caution
If root fields are disabled then you may try to simplify the row filter permissions by giving it "all rows" but you
should be cautious here because the field may be accessible through a different type e.g. returning
field in a
mutation output type.
2. Access only via primary key
Let's say you want to allow a client to fetch data from a table only if the client knows the primary key of a row in that table.
In this case, regardless of the permission on the table, only <table>_by_pk
should be exposed in query_root
.
This can be done in the following way:
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin
{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "user",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {},
"query_root_fields": ["select_by_pk"],
"subscription_root_fields": ["select_by_pk"]
}
}
}
3. Disable subscription fields
You can allow a role to only be able to make query and not subscription requests.
This can be done in the following way:
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin
{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "user",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {},
"subscription_root_fields": []
}
}
}
The absence of query_root_fields
here signifies we want all the available query root fields to be exposed.