When allowing (or not allowing) permissions with a token, what's a good way to ensure roles or permissions are set accordingly if the token doesn't exist? #28
Labels: question, Further information is requested
An app has the ability to disable users. When a user is disabled, I update the JWT claims to contain "X-Hasura-Enabled": false. However, it seems difficult to craft permission expressions that accept access if this claim either doesn't exist or is set to true, and deny it otherwise. I could change the X-Hasura-Role claim instead and not touch the permissions logic, but that seems more like a hack than a proper solution, as the claimed role won't match the actual role (the user's role hasn't changed, she's just disabled).
IMO it would be easier to update the user table instead of the token, and use the _exists operator in the permission: https://hasura.io/docs/latest/graphql/core/auth/authorization/permission-rules.html#using-unrelated-tables-views (per leoalves)
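What the comment's suggestion looks like as a Hasura select permission in metadata YAML, as an added example that is not part of the issue or of the project's own code: the role claim in the JWT stays as it is, and the row filter additionally requires that a row for the caller exists in an assumed public.users table with enabled = true, so disabling the account takes effect on the next request without reissuing tokens. The table and column names (users, enabled, orders, owner_id) are assumptions.

```yaml
# Added example, not from the issue. Assumed tables: public.users (id, enabled)
# and public.orders (id, owner_id). Nothing in the JWT changes; the _exists
# clause checks live database state, so a token issued before the user was
# disabled is denied as soon as users.enabled is false or the row is gone.
- table:
    schema: public
    name: orders
  select_permissions:
    - role: user
      permission:
        columns:
          - id
          - owner_id
        filter:
          _and:
            # Ordinary ownership check against the session variable.
            - owner_id:
                _eq: X-Hasura-User-Id
            # "Is this account still enabled?" check on an unrelated table.
            # A NULL or missing enabled value fails the check (fail closed).
            - _exists:
                _table:
                  schema: public
                  name: users
                _where:
                  _and:
                    - id:
                        _eq: X-Hasura-User-Id
                    - enabled:
                        _eq: true
```

The same _exists clause has to be repeated in the insert (check), update and delete permissions of every table the role can touch, otherwise a disabled user could still write even though reads are denied.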