Support for array operators in permissions

Following popular demand in the community, support for array operators like _in, _nin, _has_keys_any in permission rules has been introduced in v1.0.0-beta.3.

Using array operators

Let's say we have a table users and a table organizations where a user can access zero, one or several organizations. Let's see how we can model this.

We have a users table with some sample data:

users table

And an organizations table with some sample data:

organizations table

In the permissions tab of the organizations table, we add a new role called user:

In the expanded section, we can now add the following custom check for insert:

Set permissions for user role

Let's break this down.

We can use a session variable called X-Hasura-Allowed-Org-Ids , which contains an array of org_id values, to specify which organizations a particular user has access to. In the permissions rule, we say that a row in the organizations table can be accessed if the value in its `id` column is part of the list that the user has access to.

Let's go to GraphiQL and pass the following request headers: the X-Hasura-Role is user (for which we added the permissions). Then we'll pass a X-Hasura-User-Id and X-Hasura-Allowed-Org-Ids containing an array of allowed organizations. For now, we just want to access one organization.

Let's now access all four organizations:

Note: the rules that say which organizations may be accessed by which users remains with an external system and will be passed to Hasura, e.g. inside a JWT token.

The array operators are _in, _nin, _has_keys_any and _has_keys_all. More information on this change can be found in the changelog. Do check this feature out and let us know what you think!


Hasura is an open-source engine that gives you realtime GraphQL APIs on new or existing Postgres databases, with built-in support for stitching custom GraphQL APIs and triggering webhooks on database changes.


PS: We’re hiring!