Skip to main content
Version: v2.x

Disabling root fields

Introduction

When you track a table in Hasura, by default it exposes all the root fields available to the role. However, sometimes you may want a role to only have access to certain root fields of a table or have the table be accessible only through relationships.

Note

Only query and subscription root fields can be disabled.

Supported from

Disabling root fields is supported in version v2.8.0 and above.

Use cases

1. Allow a table to be accessible only through a relationship

Let's say we have two tables, authors and articles defined as follows:

TableColumnsHasura relationships
authorid, first_name, last_name, created_at, is_activearticles (array)
articlesid, author_id, title, content, created_at, is_publicauthor (object)

We would like to configure permissions of the guest role such that they are only able to access the articles of the authors which they can access i.e. access the articles table only through the authors -> articles relationship.

Modifying the select permission of the articles table:

POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "guest",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {
"is_public": true
},
"query_root_fields": [],
"subscription_root_fields": []
}
}
}

With this the guest role is allowed to select all columns and rows where is_public is set to true in the articles table. Note that query_root_fields and subscription_root_fields are set to [], which means that the guest role won't be able to access the articles table directly, but will be able to access it through the articles relationship.

caution

If root fields are disabled then you may try to simplify the row filter permissions by giving it "all rows" but you should be cautious here because the field may be accessible through a different type e.g. returning field in a mutation output type.

2. Access only via primary key

Let's say you want to allow a client to fetch data from a table only if the client knows the primary key of a row in that table.

In this case, regardless of the permission on the table, only <table>_by_pk should be exposed in query_root.

This can be done in the following way:

POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "user",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {},
"query_root_fields": ["select_by_pk"],
"subscription_root_fields": ["select_by_pk"]
}
}
}

3. Disable subscription fields

You can allow a role to only be able to make query and not subscription requests.

This can be done in the following way:

POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
"type" : "pg_create_select_permission",
"args" : {
"table" : "article",
"role" : "user",
"source": "default",
"permission" : {
"columns" : "*",
"filter" : {},
"subscription_root_fields": []
}
}
}

The absence of query_root_fields here signifies we want all the available query root fields to be exposed.