Implement authorizer and add ability to run dynamic SQL statements #7
Conversation
|
Use case : I'm experimenting with a web API where the javascript client would send SQL statements to the server, the server would need them filtered and will provide SQL views in the authorized namespace to only give access to allowed objects and columns. it's there: https://github.com/mildred/disputatio.nim/blob/master/src/controllers/api.nim |
|
It is a good idea, however, I think the current authorizer API is a little low level, it could be much better if it could take the advantages of nim's template to generate zero-cost and type-safe authorizer function |
This is required to run highly dynamic SQL statements where the number of parameters and the structure of results is only known dynamically. Also fix typo s/SqliteDateType/SqliteDataType/
|
Sorry for the delay, I updated the API as you requested. The authorizer is a nice part of SQLite that allows to grant or deny some parts of the SQL language. It calls a callback for each language feature in use and the callback can authorize or deny. I created an object with conditional fields to make it easier to use. Example use: var db = initDatabase(":memory:")
db.setAuthorizer do (req: AuthorizerRequest) -> AuthorizerResult:
result = deny
case req.action_code
of select:
result = ok
of function:
case req.function_name
of "count":
result = ok
else:
result = deny
else:
discard
echo &"authorize {req.repr} = {result}" |
|
LGTM |
|
nim-lang/RFCs#19 (comment) |
|
Thank you |
I added some features to easy_sqlite3 but I don't know if it belongs there. My use case is that I need to run dynamic SQL statements and filter them using the authorizer callback as provided by the
sqlite3_set_authorizerAPI. I don't want to link twice to SQLite and that's why I included it in easy_sqlite3.Please tell me how you think it should be best made available and if I should put these things in a separate library and only open a PR with the necessary low-level bindings to SQLite to be imported from the outside. If you are ready all of this included to easy_sqlite3 then I should probably add tests.