graphql-engine
role-based query / mutation allow list
I would love to have a role-based query / mutation allow list rather than checking for permissions manually inside each and every model. Both the console and the actual server need to be modified for that. Any sort of implementation ideas?
I think it would be great if we had a dropdown section in permissions when you edit a role, similar to column selection, where you can toggle on/off queries/mutations. A real-world use case would be where I want to only allow by_pk queries for some users so that they can't get a full list of items and can only get data where they know the id of the resource.
I would also be interested in a way to allow only by_pk queries on rows where an ownerId is null, so that the user needs to know the id of the row in order to read it. And then allowing all queries on rows with an ownerId, so that the owner can list all their rows.
Is there currently a solution to this?
https://firebase.google.com/docs/firestore/security/rules-structure#granular_operations
@shanetierney and @franciscolourenco - have you seen the "allow root fields" permission feature: https://hasura.io/docs/latest/auth/authorization/permission-rules/#disabling-root-fields, that could help you with the by_pk use-case. We have also released a comprehensive role based allow list manager in V13 - by_pk use-case because we solved
have you seen the "allow root fields" permission feature
Yes, it solves some cases but not all.
We have also released a comprehensive role based allow list manager in V13
V13? I'm not sure what you are talking about.
@franciscolourenco - I meant in Hasura V2.13 - https://hasura.io/docs/latest/security/allow-list/#role-based-allow-list
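For reference, a sketch of how the two features linked in this thread can be expressed in Hasura metadata. This is an added example, not taken from the thread or from the Hasura repository; the table `items`, the role `user`, the column names, the collection name `user-queries` and the file layout shown in the comments are all assumptions.

```yaml
# --- tables.yaml entry (assumed layout) ---
# Root field visibility: the "user" role can only reach the table through
# items_by_pk, so it cannot list rows and must already know a row's id.
- table:
    schema: public
    name: items            # hypothetical table
  select_permissions:
    - role: user           # hypothetical role
      permission:
        columns:
          - id
          - name
        filter: {}         # no row filter; access is narrowed by root field only
        query_root_fields:
          - select_by_pk   # "select" and "select_aggregate" are left out
        subscription_root_fields: []   # no subscriptions for this role

# --- query_collections.yaml entry (assumed layout) ---
# The operations that the allow list below will accept.
- name: user-queries       # hypothetical collection name
  definition:
    queries:
      - name: item_by_pk
        query: |
          query item_by_pk($id: uuid!) {
            items_by_pk(id: $id) {
              id
              name
            }
          }

# --- allow_list.yaml entry (assumed layout) ---
# Role-based allow list: the collection applies to the listed roles only,
# not globally.
- collection: user-queries
  scope:
    global: false
    roles:
      - user
```

The two controls are independent: root field visibility removes the list query from the role's schema, while the allow list rejects any operation that is not in the collection once allow list enforcement is enabled on the server. Neither expresses the per-row case raised above (by_pk only when ownerId is null).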