RLS: Add support for parameterized queries

Open joshua-spacetime opened this issue 1 year ago • 2 comments

Support the @sender parameter as defined by the RLS proposal.

/// A user only has access to their row
#[spacetimedb::client_visibility_filter]
const USER_FILTER: Filter = Filter::Sql("
    SELECT * FROM user WHERE identity = @sender
");

joshua-spacetime avatar Aug 16 '24 20:08 joshua-spacetime

P1 - Need to support @sender

bfops avatar Nov 20 '24 21:11 bfops

This will be implemented initially as syntactic sugar, meaning that we will resolve the @sender parameter at parse time.

Implications:

  • This changes the semantics of SQL string comparison
    • Two clients can submit byte-wise equivalent, but not semantically equivalent, SQL queries
    • Will have to review everywhere that we compare or hash SQL strings
    • One place that I know of is when a new subscription is made

Required tests:

  • @sender query
  • @sender subscription
  • @sender subscriptions (byte-wise equal) from two different clients

joshua-spacetime avatar Mar 18 '25 18:03 joshua-spacetime
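
The subscription concern raised in the comment above, as an added example that is not SpacetimeDB code or part of the original thread: a dedup cache keyed on the raw SQL text serves the second client the first client's resolved query, while a key taken after `@sender` resolution keeps them apart. The `Identity` alias, the function names, and the sample identities are hypothetical, and plain text substitution stands in for real parse-time binding.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for a client identity; not SpacetimeDB's own type.
type Identity = &'static str;

// Constructed sample: the filter text from the issue, as every client submits it.
const QUERY: &str = "SELECT * FROM user WHERE identity = @sender";

/// Resolve `@sender` at parse time. Plain text substitution is a simplification
/// for this sketch; a real parser would bind the value in the parsed query.
fn resolve_sender(sql: &str, sender: Identity) -> String {
    sql.replace("@sender", &format!("'{}'", sender))
}

/// Unsafe cache key: the raw SQL text, identical for every client.
fn key_by_text(sql: &str, _sender: Identity) -> String {
    sql.to_string()
}

/// Safe cache key: the query after `@sender` has been resolved.
fn key_by_resolved(sql: &str, sender: Identity) -> String {
    resolve_sender(sql, sender)
}

/// Subscribe each client through a dedup cache and return the resolved
/// query each one ends up being served from.
fn subscribe_all(key: fn(&str, Identity) -> String, subs: &[(Identity, &str)]) -> Vec<String> {
    let mut cache: HashMap<String, String> = HashMap::new();
    subs.iter()
        .map(|&(sender, sql)| {
            cache
                .entry(key(sql, sender))
                .or_insert_with(|| resolve_sender(sql, sender))
                .clone()
        })
        .collect()
}

fn main() {
    // Two clients submit byte-wise equal subscriptions.
    let subs = [("alice", QUERY), ("bob", QUERY)];
    println!("text key:     {:?}", subscribe_all(key_by_text, &subs));
    println!("resolved key: {:?}", subscribe_all(key_by_resolved, &subs));
}
```
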

Closed by #2483

joshua-spacetime avatar Mar 21 '25 19:03 joshua-spacetime