Comments (13)
Note to self, also include example of read-only or invisible fields based on user permissions as @sqwishy requested in the chat.
I guess in my case I'd want to use different views for hiding or showing some fields. But I'm not sure how the read-only thing would work except to write a trigger to do that validation on update for every field I guess?
Although, really with read-only fields I'd prefer that requests containing them be rejected outright - even if the values match what is already on the object.
@sqwishy Yes, RLS rules are applied to the view owner and it's likely that you have a SUPERUSER (or a role with BYPASSRLS) as the owner and that will bypass RLS.
What you can do is to alter view api.player owner to <non-superuser> and then create policy for that role (or leave it at the default PUBLIC so it applies to all roles), then your RLS rules will work normally for that view.
There's an example in postgrest-starter-kit where a dedicated "api" role is created for this, which has rls policies applied and then the views are owned by this role.
This may be a little tangential... I banged my head against RLS and ended up enforcing it in the API views like so: WHERE admin.table_settings.user = current_user;
Is this a valid alternative or is there a vulnerability?
I'll work through 2ndQuadrant's blog post this weekend to contrast
Also @daurnimator poses another scenario we might want to model:
you can see all friends details; some friends of friends details; and anyone else visibility is determined by privacy settings
Planning to make this tutorial 2 (we've got 0 and 1 already written)
Hi, I'm trying to tackle authentication and I followed the example on the docs and it seems I have generated the mentioned functions and tables but:
- I can't reach the login function on /rpc/login
- The user registration part is not the clearest to me - I think it's accomplished by insertion to the user table, but the auth schema is not published so I'm not sure what is the best way to solve this.
If I could get some pointers on how to continue, I'd also be very happy to contribute to the docs.
Thanks :)
Sorry for the silence. Did you manage to make the login function work?
I too am struggling with this example. First I was getting ERROR: type "basic_auth.jwt_token" does not exist when trying to create the login function. Then when I changed that to public.jwt_token I can't seem to execute the login function with /rpc/login as @lidorcg described.
It feels like I'm close but I'm pretty inexperienced with functions/stored procedures in Postgres. 😕
Sorry for not replying as well, I haven't been able to solve the problem myself (probably for lack of trying).
However, I have found the subzero project which has users and authentication procedures built-in.
I could be wrong, but it seems that row-level security policies are not enforced when a table is being accessed through a view. Instead, the table is accessed using the privilege of the view's owner, instead of the current role?
This is based on a small amount of experimentation and my poor reading of https://www.postgresql.org/docs/10/static/sql-createpolicy.html
If this is the case, I suppose the thing to do is duplicate the security policy into the view's where clause (and maybe use with (security_barrier) for good measure?). Can anyone confirm if my understanding is correct and if there isn't a better solution?
See also:
https://www.postgresql.org/docs/10/static/rules-privileges.html
Work:
aleatory=# \d+ api.player
View "api.player"
Column | Type | Modifiers | Storage | Description
------------+--------------------------+-----------+----------+-------------
id | uuid | | plain |
email | text | | extended |
password | text | | extended |
last_login | timestamp with time zone | | plain |
View definition:
SELECT player.id,
player.email,
player.password,
player.last_login
FROM impl.player;
Options: security_barrier=true
aleatory=# \d impl.player
Table "impl.player"
Column | Type | Modifiers
------------+--------------------------+-------------------------------------
id | uuid | not null default uuid_generate_v4()
email | text | not null
password | text | not null
last_login | timestamp with time zone |
...
Policies:
POLICY "player_policy" FOR ALL
USING ((("current_user"())::text = (id)::text))
WITH CHECK ((("current_user"())::text = (id)::text))
...
aleatory=# set role anonymous;
SET
aleatory=> select id from impl.player;
id
----
(0 rows)
aleatory=> select id from api.player;
id
--------------------------------------
cc2f1706-0df7-436d-a46e-4ada21c526ae
2fa79e43-cfc2-4452-9735-9e4495565837
(2 rows)
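The bypass shown in the psql session above, followed by the ownership fix described earlier in the thread, as an added example that is not from the thread or from postgrest-docs. It assumes a superuser runs the script on PostgreSQL 13 or later (for the built-in gen_random_uuid()); the role names api_owner and anonymous are assumptions.

```sql
-- Added example (not from the thread). Run as a superuser on PostgreSQL 13+;
-- the thread used uuid_generate_v4() from uuid-ossp, gen_random_uuid() is
-- built in since 13. Role names api_owner and anonymous are assumptions.
create schema impl;
create schema api;
create role api_owner nologin;   -- ordinary role: no SUPERUSER, no BYPASSRLS
create role anonymous nologin;

create table impl.player (
  id    uuid primary key default gen_random_uuid(),
  email text not null
);
alter table impl.player enable row level security;

-- Same shape as player_policy in the thread: a row is visible to the role
-- whose name equals the row's id. With no TO clause it applies to PUBLIC.
create policy player_policy on impl.player for all
  using      (current_user::text = id::text)
  with check (current_user::text = id::text);

-- Same shape as api.player in the thread. Created by the superuser, so the
-- superuser is the view's owner.
create view api.player with (security_barrier) as
  select id, email from impl.player;

grant usage on schema api to anonymous;
grant select on api.player to anonymous;

insert into impl.player (email) values ('a@example.org'), ('b@example.org');

-- Before the fix: RLS on impl.player is applied as the view owner, and a
-- superuser owner bypasses RLS, so anonymous sees every row via the view.
set role anonymous;
select id from api.player;
reset role;

-- The fix from the thread: make an ordinary role own the view. RLS is then
-- applied for api_owner (no bypass); api_owner also needs to be able to read
-- the base table, because that access is checked against the view owner.
alter view api.player owner to api_owner;
grant usage on schema impl to api_owner;
grant select on impl.player to api_owner;

-- After the fix: current_user inside the policy is still 'anonymous', which
-- matches no id, so the policy filters out every row. anonymous has no grant
-- on impl.player itself, so direct access to the table stays denied as well.
set role anonymous;
select id from api.player;
reset role;
```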
FYI, there's an RLS bug on VIEWs that @daurnimator reported in psql-bugs.
Basically, subqueries in the RLS policy are not checked against the privileges of the view owner but of the view caller.
I also bumped into this bug when working on an example for the rls tutorial.
Edit: I think the most simple workaround for this would be wrapping the subquery in a security definer function.
The bug was fixed https://www.postgresql.org/message-id/CAEZATCV_yDYoptaxtjiVB4yLwxQ%3DN7OWu8Ls98rA5MvBL%2BjKiQ%40mail.gmail.com.
Haven't tried to see if it's available on pg recent releases though.
By now we have examples for app users + row level security!