
    Create Model Permissions

    We'll begin by creating ModelPermissions for the users model. We'll create a user role and add a filter that will only allow users to see their own information.

    Enable Auto-select

    In our browser, let's select the auto-select latest build option. This will ensure we're always seeing the latest build generated by the dev command.

    Add ModelPermission

    For our users model, we want to introduce an authorization concept we call permissions. This allows you to control which models are accessible to which users — via a model permission — and which fields can be returned using type permissions.

    Presently, if we run the following query, we'll see all users' information returned:

    query UsersQuery {
      app_users {
        id
        name
      }
    }

    In just a few lines — and with the assistance of LSP powering our extension — we can declaratively restrict access so that a user is only able to see a limited set of their own data.

    Open your project in VS Code and find the /app/app_connector/models/Users.hml file.

    When we start typing role, LSP kicks in and assists us with creating the following permission, which checks the x-hasura-user-id header to only return a specific user's information. We trigger the auto-complete options using TAB and CTRL+SPACE.

    With the guidance of LSP, let's make our ModelPermissions object look like the metadata below in our Users.hml file:

    ---
    kind: ModelPermissions
    version: v1
    definition:
      modelName: Users
      permissions:
        - role: admin
          select:
            filter: null
        - role: user
          select:
            filter:
              fieldComparison:
                field: id
                operator: _eq
                value:
                  sessionVariable: x-hasura-user-id

    What just happened?

    Permissions

    With only a few lines of YAML, you added row-level permissions to your API. You can learn more about how to pass these values as session variables using your preferred authentication solution in our auth section.
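A review check for this file, as an added example (not part of the Hasura tutorial or its tooling): the Ruby script below parses ModelPermissions metadata and reports every role whose select filter is null, meaning it can read every row, unless that role is on an allowlist. The `support` role in the sample, the allowlist and the status names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample: the Users permissions from this page plus a hypothetical
# "support" role that was left without a row filter.
SAMPLE_HML = <<~HML
  ---
  kind: ModelPermissions
  version: v1
  definition:
    modelName: Users
    permissions:
      - role: admin
        select:
          filter: null
      - role: user
        select:
          filter:
            fieldComparison:
              field: id
              operator: _eq
              value:
                sessionVariable: x-hasura-user-id
      - role: support
        select:
          filter: null
HML

# Roles allowed to read every row. Assumption: only admin, as on this page.
UNFILTERED_OK = ["admin"].freeze

# Returns one finding per role that has a select permission, so a CI job can
# fail the build whenever a finding has status :unrestricted.
def audit_model_permissions(hml_text, allow_unfiltered: UNFILTERED_OK)
  YAML.load_stream(hml_text).flat_map do |doc|
    next [] unless doc.is_a?(Hash) && doc["kind"] == "ModelPermissions"
    defn = doc["definition"] || {}
    (defn["permissions"] || []).select { |p| p["select"] }.map do |perm|
      filter = perm.dig("select", "filter")
      session_var = filter&.dig("fieldComparison", "value", "sessionVariable")
      status =
        if filter.nil?
          allow_unfiltered.include?(perm["role"]) ? :unfiltered_allowed : :unrestricted
        else
          session_var ? :scoped_to_session : :filtered_other # other filters: review by hand
        end
      { model: defn["modelName"], role: perm["role"], status: status, session_variable: session_var }
    end
  end
end

audit_model_permissions(SAMPLE_HML).each { |finding| puts finding }
```

For the sample, `admin` is reported as an allowed unfiltered role, `user` as scoped to `x-hasura-user-id`, and `support` as unrestricted.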

    Next, we'll check out how we can restrict access to specific fields based on role.
