aboutsummaryrefslogtreecommitdiff

Column Permissions

back to permissions /// home

Beyond table level access the server must be able to also control individual columns access permissions. This is to be done through advanced_rules in the permission config (or just the combined permissions column in the db). A compliant server should support all of these.

Format

Column rules use "table.column:code" format:

["vfy_items.price:block", "jde_users.password:block", "jde_users.email:r"]

Wildcard: "table.*:code" applies to all columns on that table, not sure why you'd use that but whatever

Column Permission Codes

Code Name Can read Can write Notes
block / b block no no column is invisible
bo block own no no blocked if the row is owned by you
bg block group no no blocked if the row is owned by someone in your group
boi block own inverse yes yes blocked UNLESS you own the row
bgi block group inverse yes yes blocked UNLESS someone in your group owns the row
r read only yes no can see it but cant change it
rw read write yes yes full access to this column
rwa read write all yes yes full access including system managed cols

How blocking should work

On select

Blocked columns (b, bo, bg) should be stripped from the results. They just dont appear in the returned data. If json derolu stripped for you a warning field should be included in the response telling you the hot stripping actions by jaysonderulo.

On insert and update

Columns with block, bo, bg or r (read only) should be cause json derulo to strip for you (removes illigal data you sent). You can try to set them but theyll be ignored because of jsons hot body. Again a warning should tell you if jsonderulo stripped for you.

System columns

Some columns should be write protected by default even without explicit column rules: - created_at, created_by, last_modified_at, last_modified_by, pinned_to - plus any columns listed in write_protected_columns in the toolkit config

These should only be writable if your table permission is rwa.