Multiple column + row permissions for the same role
In some cases we might want to allow access to certain columns for a role only if a particular condition is met, while allowing access to other columns based on a different condition, i.e. have different column permissions based on different row permissions.
Currently it is not possible to define multiple column + row permission rules for the same role.
We can work around this limitation by using views.
Let's say we have a table called user_info with columns (id, name, city, email, phone, address).
We want the role user to be able to access:
address columns only if the id column is the requesting user's id, i.e. the current user is the owner of the row.
city columns for all rows.
We can achieve this via the following steps:
Step 1: Create a view
Create a view called user_private with columns (user_id, email, phone, address):
CREATE VIEW user_private AS
SELECT id AS user_id, email, phone, address
FROM user_info;
Step 2: Create a relationship
For the table, create a manual object relationship user_info : id -> user_private : user_id.
Step 3: Define permissions
For the role user, create the following permissions for
user_info: allow access to city without any row conditions.
user_private: allow access to user-id passed in the session variable is equal to the row's
Step 4: Query with appropriate access control
Now we can fetch the required data with the appropriate access control by using the relationship.
X-Hasura-Role and the X-Hasura-User-Id session variables are 2 respectively, we'll get the following result:
Observe that the private_info field is returned as null for all rows without the appropriate access.
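The outcome of steps 1 to 4 can be modelled outside Hasura. The following is an added example, not code from the original page or from Hasura: it uses Python's sqlite3 with constructed sample rows, and a LEFT JOIN stands in for the relationship plus the row permission on user_private. The function names build_db and fetch_as_user, and the choice to return id alongside city, are assumptions.

```python
import sqlite3

# Constructed sample rows; only the table, view and column names come from the page.
ROWS = [
    (1, "Alice", "Berlin", "alice@example.com", "555-0101", "1 First St"),
    (2, "Bob", "Lagos", "bob@example.com", "555-0102", "2 Second St"),
    (3, "Carol", "Lima", "carol@example.com", "555-0103", "3 Third St"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_info (id INTEGER PRIMARY KEY, name TEXT, city TEXT,"
        " email TEXT, phone TEXT, address TEXT)"
    )
    db.executemany("INSERT INTO user_info VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    # Step 1 of the page: the view that carries the owner-only columns.
    db.execute(
        "CREATE VIEW user_private AS"
        " SELECT id AS user_id, email, phone, address FROM user_info"
    )
    return db


def fetch_as_user(db, session_user_id):
    """Model of step 4: every user_info row, with the user_private row attached
    only where its user_id equals the session user id (assumed semantics)."""
    # The owner check sits in the ON clause, not in WHERE: a WHERE filter would
    # drop non-owner rows entirely instead of returning them with a null field.
    cur = db.execute(
        "SELECT u.id, u.city, p.user_id, p.email, p.phone, p.address"
        " FROM user_info AS u"
        " LEFT JOIN user_private AS p"
        "   ON p.user_id = u.id AND p.user_id = ?"
        " ORDER BY u.id",
        (session_user_id,),
    )
    result = []
    for uid, city, p_uid, email, phone, address in cur:
        private = None if p_uid is None else {
            "email": email, "phone": phone, "address": address}
        result.append({"id": uid, "city": city, "private_info": private})
    return result


if __name__ == "__main__":
    for row in fetch_as_user(build_db(), 2):
        print(row)
```

A session user id that matches no row gets private_info as null everywhere, which is a quick regression check to keep next to the permission rules.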