Global Permission Checks

[browniefed]

Proposal

A single/multiple top level permission check that applies to one or more CRUD operations. The provided authorization data (JWT or other) could be applied for a top level select of table. Additionally an option to run one or more initial global permission checks.

Ideally you would be able to apply this permission check to only run on for a specific set of tables, actions, etc. This would solve for potential scenarios where the role might need partial access to some CRUD/actions, but want access prevented to others. However realistically only needs to apply table data, as any Action could do its own check.

Current Issue

If a user is disabled, and an existing JWT is still valid, the user can still get access to the system.

Current Solution

You can use permissions defined per-role.

Additionally you could use Auth Hook.

Needs/Scenarios

• For HIPAA compliance if we cut someone off, we need to know they no longer have access to any data immediately. This is harder to do w/ a JWT that may still be valid.
• A user might need partial access to a limited set of tables until they confirm their email, and gains more access once they confirm their email.

Rough Idea

So the permissions check system would then be split into two layers:

Layer 1: Check the global_permissions metadata that the role is allowed to perform specific kinds of CRUD actions for the specified set of tables. If table is not specified then move to Layer 2.
Layer 2: If layer 1 succeeds, then move on to granular per-table + per-role permissions

// Would ideally need to accommodate multiple databases/schemas, etc. 
global_permissions = [
  {
    tables: ["users", "posts"],
    role: "user",
    definitions: ["read","update"]
    permission: {
      users: {
        _and: [
          {
            active: {
              _eq: true,
            },
            id: {
              _eq: "X-Hasura-User-Id",
            },
          },
        ],
      },
    },
  },
];

table_permissions = {
  //
};