back to permissions /// home
Every table has a permission code that controls what actions are allowed. These are set in the groups config (both core groups and toolkit groups). A compliant jsonderulo server must support all of these.
| Code |
Name |
Read |
Write |
Row Restriction |
rwa |
read write all |
yes |
yes |
none (can also write system columns) |
rw |
read write |
yes |
yes |
none |
rwg |
read write group |
yes |
yes |
only rows owned by users in your group |
rwo |
read write own |
yes |
yes |
only rows you own |
r |
read |
yes |
no |
none |
rg |
read group |
yes |
no |
only rows owned by users in your group |
ro |
read own |
yes |
no |
only rows you own |
rwa is the admin code. full read and write plus the ability to write system columns directly (like setting pinned_to to another user on insert). Only give this to trusted admin groups obviously.
rw is standard read write. You can read and write everything but system columns should be auto managed by the server, you cant override them.
rwg lets you read and write but only rows where pinned_to belongs to a user in the same core group as you. Good for team based access where a team can see and edit their own teams stuff.
rwo same but personal. you can only touch rows where pinned_to equals your own user id.
r read everything, write nothing.
rg read only rows belonging to your groups users.
ro read only your own rows.
Permission rules are stored as JSON arrays of "table:code" strings:
["*:rw", "jde_settings:r", "vfy_logs:r"]
* is the wildcard. It applies to every table that doesnt have its own explicit rule. So in the example above every table gets rw except jde_settings and vfy_logs which are read only.
Tables marked as read_only in the toolkit config should automatically have their writable codes downgraded:
| Original |
Downgraded to |
rwa |
r |
rw |
r |
rwg |
rg |
rwo |
ro |
So even if your group gives you rw on a read only table you effectively only get r.
