Create Model Permissions
We'll begin by creating ModelPermissions for the users model. We'll create a user role and add a filter that will only allow users to see their own information.
Enable Auto-select
In our browser, let's select the auto-select latest build option. This will ensure we're always seeing the latest build generated by the dev command.
Add ModelPermission
For our users model, we want to introduce an authorization concept we call permissions. This allows you to control which models are accessible to which users — via a model permission — and which fields can be returned using type permissions.
Presently, if we run the following query, we'll see all users' information returned:
```graphql
query UsersQuery {
  app_users {
    id
    name
  }
}
```
In just a few lines — and with the assistance of LSP powering our extension — we can declaratively restrict access so that a user is only able to see a limited set of their own data.
Open your project in VS Code and find the /app/app_connector/models/Users.hml file.
As you can see below, when we start typing role, LSP kicks in and assists us with creating the following permission, which checks the x-hasura-user-id header to only return a specific user's information. We're triggering the auto-complete options using TAB and CTRL+SPACE.
With the guidance of LSP, let's make our ModelPermissions object look like the metadata below in our Users.hml file:

```yaml
---
kind: ModelPermissions
version: v1
definition:
  modelName: Users
  permissions:
    - role: admin
      select:
        filter: null
    - role: user
      select:
        filter:
          fieldComparison:
            field: id
            operator: _eq
            value:
              sessionVariable: x-hasura-user-id
```
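To see what this metadata actually does at query time, here is a small added example (not Hasura's engine, and not code from the Hasura docs) that evaluates the same ModelPermissions structure against a handful of constructed user rows. The `MODEL_PERMISSIONS` dict mirrors the YAML above; the rows, the `literal` value form and the string comparison of session variables are assumptions made for the illustration. It shows the admin role seeing every row, the user role seeing only the row whose `id` matches the `x-hasura-user-id` session variable, and a request with no matching role or a missing session variable seeing nothing.

```python
"""Toy evaluator for a Hasura DDN-style ModelPermissions select filter.

Added example, not Hasura's implementation: it applies the
`fieldComparison` filter from the ModelPermissions metadata to in-memory
rows, given a role and the request's session variables.
"""

# Constructed: the ModelPermissions metadata from Users.hml, as Python dicts.
MODEL_PERMISSIONS = {
    "kind": "ModelPermissions",
    "version": "v1",
    "definition": {
        "modelName": "Users",
        "permissions": [
            {"role": "admin", "select": {"filter": None}},
            {"role": "user", "select": {"filter": {
                "fieldComparison": {
                    "field": "id",
                    "operator": "_eq",
                    "value": {"sessionVariable": "x-hasura-user-id"},
                }}}},
        ],
    },
}

# Constructed sample rows standing in for the Users model.
USERS = [
    {"id": 1, "name": "Alice"},
    {"id": 2, "name": "Bob"},
    {"id": 3, "name": "Carol"},
]

# Only the operators needed for this illustration are implemented.
OPERATORS = {
    "_eq": lambda a, b: a == b,
    "_neq": lambda a, b: a != b,
}


def select_permission(metadata, role):
    """Return the select permission for `role`, or None if the role has none."""
    for perm in metadata["definition"]["permissions"]:
        if perm["role"] == role:
            return perm.get("select")
    return None


def row_allowed(filter_expr, row, session_vars):
    """Evaluate one filter expression against one row.

    `None` means "no filter" (every row is visible). For a fieldComparison,
    the right-hand side comes from a session variable or a literal (the
    `literal` key is an assumed shape). A referenced session variable that is
    absent from the request denies the row rather than matching it, so a
    missing header never widens access.
    """
    if filter_expr is None:
        return True
    cmp = filter_expr["fieldComparison"]
    value = cmp["value"]
    if "sessionVariable" in value:
        name = value["sessionVariable"]
        if name not in session_vars:
            return False
        rhs = session_vars[name]
    else:
        rhs = value["literal"]
    lhs = row[cmp["field"]]
    # Session variables arrive as header strings; compare both sides as strings.
    return OPERATORS[cmp["operator"]](str(lhs), str(rhs))


def select_users(role, session_vars, metadata=MODEL_PERMISSIONS, rows=USERS):
    """Rows the given role may select. A role with no permission gets no rows."""
    perm = select_permission(metadata, role)
    if perm is None:
        return []
    return [r for r in rows if row_allowed(perm["filter"], r, session_vars)]


if __name__ == "__main__":
    print("admin:", select_users("admin", {}))
    print("user 2:", select_users("user", {"x-hasura-user-id": "2"}))
    print("user, no header:", select_users("user", {}))
    print("unknown role:", select_users("anonymous", {}))
```

The two defaults worth noticing are that an unknown role and a missing session variable both yield zero rows: the filter only ever narrows the result, so a request that cannot prove which user it belongs to sees nothing rather than everything.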
What just happened?
Permissions
With only a few lines of YAML, you added row-level and column-level permissions to your API. You can learn more about how to pass these values as session variables using your preferred authentication solution in our auth section.
Next, we'll check out how we can restrict access to specific fields based on role.