studio
studio copied to clipboard
Published
1 month ago
•
outerbase
outerbase
Add fine granular permission table and column level
Each databases can have multiple roles. The role can be defined by owner. The role is stored in database_role
-
database_id: which database that the role is belonged to -
can_execute_query: role can execute query direct to database. That's the highest level of permission because if user can send SQL to database, they can basically do anything. -
is_owner: owner can grant other people permission.
However, if we want to define granular permission to table and column level, we will rely on database_role_permission. By default without can_execute_query, user has no permission to any table.
To grant permission to table, they can do
| role | access | table_name | column_name |
|---|---|---|---|
| table | read | users | NULL |
| table | write | blogs | NULL |
| table | write_delete | courses | NULL |
When user granted the table permission, they can read all columns. To limit the column permission, we can do
| role | access | table_name | column_name |
|---|---|---|---|
| table | write | blogs | NULL |
| table | column_deny | blogs | created_at |
| table | column_read | blogs | created_by |
We can implement this here
https://github.com/invisal/libsql-studio/blob/develop/src/app/api/database/%5Bdatabase_id%5D/ops/route.ts
You can propose on how the API look like. It should contain:
- List permission of the role
- Create the role
- Change permission of the role
