Support row-level security

[zhibor]

It doesn't seem prest supports row-level security yet. Is it in the plan to utilize postgresql's row-level security to restrict visibility and access for the current user?

[fabriziomello]

For now I can't see a big win adding it to pREST level because IMHO the RLS (Row-Level Security) is a database engine feature and there are no problem to create your policies inside the PostgreSQL to reflect it on pREST.

The big problem I can see here is nowadays we connect to PostgreSQL using just one user and it cannot help to much if you want to create policies to restrict rows for different users. But there are an open issue about API redesign (#435) that the main goal is improve the interaction with multiple databases and schemas and one of the proposal is create several configurations and using this you can create connections with different users.

Anyway can you please explain more what problem are you want to solve?

[zhibor]

@fabriziomello thanks a lot for your prompt response!

say we have a todos table

create table todos (
	id    serial primary key,
	todo  text not null,
	private boolean default true,  
	owner_id int references "users"(id)
);

the following api call should return only the items "owned" by current_user except for public items.

GET /app/public/todos

any pointers on how to implement this feature would be greatly appreciated!

[fabriziomello]

You should use CREATE POLICY statement to create your own policies. Have a look at the official documentation:

https://www.postgresql.org/docs/current/ddl-rowsecurity.html
https://www.postgresql.org/docs/current/sql-createpolicy.html

[zhibor]

very much appreciated!