Support JSON arrays in session variables

[nizar-m]

Description

Setting the permission

echo '
type: create_insert_permission
args:
  role: user
  permission:
    set: {}
    check:
      id:
        _in: X-Hasura-Allowed-Ids
    columns:
    - id
  table:
    schema: public
    name: foo
' | yaml2json - | curl  -H 'content-type: application/json' -d @- 'http://localhost:8080/v1/query'

The following query will fail (because id: 28 is NOT in X-Hasura-Allowed-Ids: [21,23,25,27])

echo '
query: |
  mutation f {
    insert_food(objects: [{id: 28}]) {
      affected_rows
    }
  }' | yaml2json - | curl -H 'x-hasura-allowed-ids: [21,23,25,27]' -H 'x-hasura-role: user'   -H 'content-type: application/json' -d @- 'http://localhost:8080/v1alpha1/graphql'  

with the following response

{
  "errors": [
    {
      "extensions": {
        "path": "$.selectionSet.insert_food.args.objects",
        "code": "permission-error"
      },
      "message": "Check constraint violation. insert check constraint failed"
    }
  ]
}

while the following query gets through (as id: 23 is in X-Hasura-Allowed-Ids: [21,23,25,27])

echo '
query: |
  mutation f {
    insert_food(objects: [{id: 23}]) {
      affected_rows
    }
  }' | yaml2json - | curl -H 'x-hasura-allowed-ids: [21,23,25,27]' -H 'x-hasura-role: user'   -H 'content-type: application/json' -d @- 'http://localhost:8080/v1alpha1/graphql'  

Affected components

• Server
• Console
• Docs
• Tests

Related Issues

#1452
#1333

Solution and Design

• @nizar-m: Make server handle JSON arrays in session variables
  • For array session variables as input for IN operator, use the following as the boolean expression
    column_value IN (SELECT json_array_elements_text(sessionVar))
• @rikinsk: Make console accept session variable name (string) also as input for _in and _nin boolean expressions
• @dsandip: Docs for JSON arrays in session variables

Steps to test and verify

Limitations, known bugs & workarounds

[coco98]

@nizar-m Can you share the permission rule you used to set this up as well?

[hasura-bot]

Review app for commit 9d61823 deployed to Heroku: https://hge-ci-pull-1799.herokuapp.com
Docker image for server: hasura/graphql-engine:pull1799-9d61823

[coco98]

@dsandip This should potentially also have an associated section in auth docs that talk about how and when to use this feature. Especially important in enterprise type scenarios when ownership information is outside the database.

Like:

• role: manager
• permission: select from this table if account_id in x-hasura-allowed-accounts

And the list of allowed accounts for the manager comes from an external database.

[netlify]

Deploy preview for hasura-docs ready!

Built with commit 06abe03

https://deploy-preview-1799--hasura-docs.netlify.com

[hasura-bot]

Review app for commit 00864a5 deployed to Heroku: https://hge-ci-pull-1799.herokuapp.com
Docker image for server: hasura/graphql-engine:pull1799-00864a5

[coco98]

@nizar-m @dsandip Has this been reviewed by @rakeshkky or @ecthiender ?

[dsandip]

@coco98 No, not yet

[rikinsk-zz]

Added console code to handle session variable value for array operators.

The UX seems slightly odd. Couldn't come up with something more intuitive. Please share feedback / suggestions if any.

[hasura-bot]

Review app for commit 20202f5 deployed to Heroku: https://hge-ci-pull-1799.herokuapp.com
Docker image for server: hasura/graphql-engine:pull1799-20202f5

[hasura-bot]

Review app for commit e362ee8 deployed to Heroku: https://hge-ci-pull-1799.herokuapp.com
Docker image for server: hasura/graphql-engine:pull1799-e362ee8

[thesems]

This is really nice! When will it be ready?

[valstu]

Great, this will solve many current workarounds 👍

[0x777]

added in #2475

[hasura-bot]

Review app https://hge-ci-pull-1799.herokuapp.com is deleted

[gugaevkirill]

Sorry, is somebody working on this?
We're waiting for that feature too