Setup todos table permissions

Head over to the Permissions tab under the todos table to add relevant permissions.

Insert permission

When logged-in users create a new todo entry, we will allow them to specify only the is_public and title columns.

  • In the enter new role textbox, type in “user”
  • Click on edit (pencil) icon for “insert” permissions. This would open up a section below, which lets you configure custom checks and allow columns.
  • In the custom check, choose the following condition:
{"user_id":{"_eq":"X-Hasura-User-Id"}}

Todos row permission insert

Now under column insert permissions, select the title and is_public columns.

Todos insert column permission

Finally, under column presets, select user_id from session variable mapping to X-HASURA-USER-ID.

Note: Session variables are key-value pairs returned from the authentication service for each request. When a user makes a request, the session token maps to a USER-ID. This USER-ID can be used in a permission to specify that inserts into a table are only allowed if the user_id column has a value equal to that of USER-ID, the session variable.

Click on Save Permissions.

Select permission

We will allow users to view a todo entry if it is public or if it belongs to the logged-in user.

Now click on the edit icon for "select" permissions. In the custom check, choose the following condition:

{"_or":[{"is_public":{"_eq":true}},{"user_id":{"_eq":"X-Hasura-User-Id"}}]}

Todos select permission row

Under column select permissions, select all the columns.

Todos select column permission

Click on Save Permissions.

Update permission

We will only allow the is_completed column to be updated by a user.

Now click on the edit icon for "update" permissions. In the pre-update custom check, choose With same custom checks as insert.

And under column update permissions, select the is_completed column.

Todos update permission

Click on Save Permissions once done.

Delete permission

Only logged-in users are allowed to delete a todo entry.

Finally for delete permission, under custom check, choose With same custom checks as insert, update.

Todos delete permission

Click on Save Permissions and you are done with access control for the todos table.
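The rules configured above can be modelled in a few lines to see which requests they admit. This is an added example, not part of the original tutorial and not Hasura's implementation: the function names, the lowercase-keyed session dictionary and the sample rows are all constructed for illustration.

```python
# Simplified model of the rules configured above; not Hasura's engine.
OWNER = {"user_id": {"_eq": "X-Hasura-User-Id"}}            # insert/update/delete check
SELECT = {"_or": [{"is_public": {"_eq": True}}, OWNER]}     # select check
INSERT_COLS, UPDATE_COLS = {"title", "is_public"}, {"is_completed"}

def resolve(value, session):
    """Swap a session-variable name for its value; None if the session lacks it."""
    if isinstance(value, str) and value.lower().startswith("x-hasura-"):
        return session.get(value.lower())
    return value

def matches(expr, row, session):
    """Evaluate the operators this page uses (_or, _eq); keys are ANDed."""
    for key, cond in expr.items():
        if key == "_or":
            ok = any(matches(sub, row, session) for sub in cond)
        elif set(cond) == {"_eq"}:
            want = resolve(cond["_eq"], session)
            ok = want is not None and row.get(key) == want
        else:
            raise ValueError(f"unsupported condition: {cond!r}")
        if not ok:
            return False
    return True

def insert_todo(payload, session):
    """Column allow-list first, then the user_id preset, then the row check."""
    extra = set(payload) - INSERT_COLS
    if extra:
        raise PermissionError(f"role user cannot insert {sorted(extra)}")
    row = {**payload, "user_id": session.get("x-hasura-user-id")}
    if not matches(OWNER, row, session):
        raise PermissionError("insert check failed")
    return row

def update_todo(row, changes, session):
    """Only is_completed may change, and only on rows the check matches."""
    if set(changes) - UPDATE_COLS or not matches(OWNER, row, session):
        raise PermissionError("update denied")
    return {**row, **changes}

def visible(rows, session):
    """Rows a select by this session would return."""
    return [r for r in rows if matches(SELECT, r, session)]

if __name__ == "__main__":
    alice, bob = {"x-hasura-user-id": "1"}, {"x-hasura-user-id": "2"}  # constructed sessions
    rows = [insert_todo({"title": "private", "is_public": False}, alice),
            insert_todo({"title": "shared", "is_public": True}, alice)]
    print([r["title"] for r in visible(rows, bob)])
```

Because user_id is filled from the session by the preset and is not among the insertable columns, a client cannot create a todo on behalf of another user in this model.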
