ytursyna
/
public
forked from root/public
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2767 Commits
59 Branches
1 Tag
132 MiB
Tree: f0a9a35a5f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f0a9a35a5f'
${ noResults }
public/docs/db/db-authorization.md

62 lines
3.0 KiB
Raw Normal View History unescape_control_characters

database relationship and authorizations
3 years ago
# DB authorization
Every request to Hasura executes against a set of session variables. These variables are expected to be set by the authentication system.
Normally there are some main variables for the authorization context:
- `X-Hasura-User-Id`: this variable usually denotes the user executing the request.
- `X-Hasura-Role`: This variable denotes the role with which the user is executing the current request. Hasura has a built-in notion of a role, and will explicitly look for this variable to infer the role.
- `X-Hasura-campus`: this variable contains the campus that the user currently is on.
In our database we have several roles which are simple arbitrary names.
Each role can be given a set of permissions and actions (`select`, `insert`, `update`, `delete`). That will execute against each table of the database.
To give the user with a certain role a permission to make a request, we must set a permission rule that would look something like this:
```json
{"user_id": {"_eq": "X-Hasura-User-Id"}}
```
This is the same as saying : if the value of the `user_id` column equals the value of the session variable `X-Hasura-User-Id`, allow this request to execute on the current row.
It is possible to express pretty complex rules, by using, for example the operators `_and` and `_or` to create a chain rule. It is even possible to query tables not related to the current object as part of the rule execution. You can see more about it [here](https://hasura.io/docs/latest/graphql/core/auth/authorization/index.html).
## Roles
These are the roles presented in the database:
- `anonymous`: this role allows non logged in users to query (only using `select`) tables:
- `users` : and columns `id`, `login`
- `object` : and columns `id`, `childAttr`, `campus`, `name`, `type`
- `result` : and columns `groupId`, `objectId`, `progressId`, `userId`, `grade`, `campus`
- `transactions` : and columns `objectId`, `userId`, `amount`, `type`
- `progress` : and columns `isDone`, `objectId`, `userId`, `id`, `grade`, `campus`
- `user` : this role allows the following queries:
- without check:
- `group`, `group_user`, `match`, `registration_user`, `event`, `event_user`, `object`, `object_child`, `object_status`, `object_type`, `registration`, `role`, `transaction_type`
- with checks:
- `audit`, `result`, `transaction`, `user_role`, `user`, `progress`
- `campus-admin` : this role allows users to query every table, but with the session variables `X-Hasura-campus` check. This means that users with this role will only be able to query information from their own campus.
- `admin-campus-read-only` : this role allows users to query almost all tables with a campus permission verification.
Example:
```json
{ "campus" : { "_in" : "X-Hasura-campus" } }
```
- `admin` : this role allows users to query any action in any table on the database.
- `admin-read-only` : this role allows users to query almost all tables only using the `select` action.
This is how the user and role tables are related to each other:
![alt text](../img/db/user-roles.jpg "hierarchical roles")