I'm building a forum. I have a really simple database setup:
Users: id, display_name, email, profile
Posts: id, title, content, user_id
The user_id is a foreign key to the Users table.
Permissions:
For inserting/updating, X-Hasura-User-Id must equal id and user_id for inserting into the Users and Posts table. (so they can only modify their own posts)
For selecting, I have it so a user can read any post, but they can only select the row of the User if id = X-Hasura-User-Id. This is so a User can only read their profile data.
However, for selecting, I obviously need the user to be able to access display_name of the user's table, to display the post's author.
Now I can obviously make it so for select, they only have access to this field, and everything works fine. I can return a GQL query that displays the posts and the author.
But doesn't this also mean that a user can just run a query to the Users table and get a list of all the display_names, essentially showing how many users I have?
Is there a way to set it up so that a user can only select their own info from the User's table, but like, if the query is 'coming from' the server, it can access the display_name? I know there are Admin roles etc but I don't think this applies here.
But doesn't this also mean that a user can just run a query to the Users table and get a list of all the display_names, essentially showing how many users I have?
Yes
Is there a way to set it up so that a user can only select their own info from the User's table, but like, if the query is 'coming from' the server, it can access the display_name?
No
It's a valid concern to worry about data leakage in terms of how many users you have. But in general I would not worry about it.
However, there are a few things you could do to prevent this problem.
What you can do is:
Limit the number of rows per request (https://hasura.io/docs/1.0/graphql/manual/deployment/production-checklist.html#limit-number-of-rows-returned)
Make sure users are not allowed to run aggregation queries (https://hasura.io/docs/1.0/graphql/manual/queries/aggregation-queries.html#aggregate-fields)
Also what you can do is create a VIEW where the display_name is joined and added to the posts table.
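The view approach from the answer above, as an added example that is not part of the original answer. It assumes an in-memory SQLite database standing in for the forum's Postgres schema, and emulates the Hasura permission rules (row filter on Users, per-request row limit, no aggregations on the view) with plain SQL clauses; the view name posts_with_author and the sample users and posts are constructed for the example.

```python
import sqlite3

# Added example (not from the question or answer): in-memory SQLite stands in
# for the forum's Postgres schema, and each helper's WHERE/LIMIT clause emulates
# the Hasura permission rule described in its docstring.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL,
                    email TEXT NOT NULL, profile TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL,
                    content TEXT NOT NULL,
                    user_id INTEGER NOT NULL REFERENCES users(id));
-- The view the answer recommends: posts with the author's display_name joined
-- in. The "user" role gets a select permission on this view, not on users.
CREATE VIEW posts_with_author AS
    SELECT p.id, p.title, p.content, p.user_id,
           u.display_name AS author_display_name
    FROM posts p JOIN users u ON u.id = p.user_id;
"""
# Constructed sample data: carol has registered but never posted.
USERS = [(1, "alice", "alice@example.test", "likes cats"),
         (2, "bob", "bob@example.test", None),
         (3, "carol", "carol@example.test", "lurker")]
POSTS = [(10, "Hello", "first post", 1), (11, "Again", "second post", 1),
         (12, "Hi all", "bob here", 2)]
MAX_ROWS = 100  # per-request row limit from the production checklist

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    con.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", POSTS)
    return con

def select_own_profile(con, x_hasura_user_id):
    """users, role user: row filter id = X-Hasura-User-Id, so only own row."""
    return con.execute(
        "SELECT id, display_name, email, profile FROM users WHERE id = ? LIMIT ?",
        (x_hasura_user_id, MAX_ROWS)).fetchall()

def select_posts(con):
    """posts_with_author, role user: no row filter, listed columns only,
    row limit applied and aggregation queries disabled."""
    return con.execute("SELECT id, title, content, author_display_name "
                       "FROM posts_with_author LIMIT ?", (MAX_ROWS,)).fetchall()

def display_names_exposed(con):
    """What a reader can still learn through the view: names of users who have
    posted, never the whole users table (carol is not enumerable)."""
    return sorted({row[3] for row in select_posts(con)})
```

Users who have posted still have their display_name visible through the view, so this narrows the leak to authors rather than removing it; the row limit and disabled aggregations are what keep a reader from cheaply counting them.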