API-level, row-level authorization

What are the Redwood best practices when it comes to row-level permissions?

It seems like requireAuth() RBAC is the best we’ve got, but it doesn’t cover use cases where, say, a given Author should be able to view and edit some Posts but not others. As another example, unauthenticated users should probably have access to Posts where post.isPublished==true but not where post.isPublished==false. I can attempt to limit this on the client-side but that leaves the API layer unsecured.

I see there have been a few previous discussions on using postgres RLS, but there doesn’t seem to be a settled best practice for Redwood. Even with GraphQL Trusted Documents enabled, malicious users with access to some data could just swap out primary keys and access whatever rows they want to.

This seems like a super common type of requirement - how are people addressing their row-level authorization needs?

Hi - I already replied to you in Redwood’s Discord but in short there’s no one way or one best way. Redwood gives you all the tools and structure to determine the most effective way to enforce the rules that you need to and when. You have Prisma and GraphQL options. If you use Postgres you have those options. RedwoodJS provides a way to access the current user and then use that info in various ways to filter data or allow or deny access.

I’ll keep the thread in Discord as other community people have added info like FLS directives and others.

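One way to apply the "use the current user to filter or deny" approach the reply describes, as an added example that is not code from the thread or from RedwoodJS itself: the row filter is built into the Prisma `where` clause in the service, and single-record edits are checked against ownership before any write. It assumes a `Post` model with `id`, `authorId` and `isPublished`, a `currentUser` shaped like `{ id, roles }`, and uses a constructed in-memory stand-in for `db.post` so it runs offline; in a real app `db` comes from `src/lib/db`, `currentUser` from `context.currentUser`, and `ForbiddenError` from `@redwoodjs/graphql-server`.

```javascript
// Stand-in for @redwoodjs/graphql-server's ForbiddenError (assumption for offline use)
class ForbiddenError extends Error {}

// Constructed sample rows; a real service would query Prisma instead
const POSTS = [
  { id: 1, authorId: 10, isPublished: true },
  { id: 2, authorId: 10, isPublished: false },
  { id: 3, authorId: 20, isPublished: false },
]

// Minimal synchronous stand-in for db.post.findMany / findUnique ({ where })
const matches = (post, where) => {
  if (!where) return true
  if (where.OR) return where.OR.some((w) => matches(post, w))
  return Object.entries(where).every(([k, v]) => post[k] === v)
}
const db = {
  post: {
    findMany: ({ where }) => POSTS.filter((p) => matches(p, where)),
    findUnique: ({ where }) => POSTS.find((p) => p.id === where.id) || null,
  },
}

// Turn the caller's identity into a Prisma `where` clause so the row filter is
// enforced in the API query, not left to the client.
const visiblePostsWhere = (currentUser) => {
  if (!currentUser) return { isPublished: true } // anonymous: published posts only
  if (currentUser.roles?.includes('admin')) return {} // admin: every row
  // authors: anything published plus their own drafts
  return { OR: [{ isPublished: true }, { authorId: currentUser.id }] }
}

// Row-level check for a single record. A missing row and a foreign row fail the
// same way, so a caller swapping primary keys learns nothing about other rows.
const assertCanEditPost = (post, currentUser) => {
  if (!currentUser) throw new ForbiddenError('Not authenticated')
  if (currentUser.roles?.includes('admin')) return
  if (!post || post.authorId !== currentUser.id) throw new ForbiddenError('Forbidden')
}

// Service functions; currentUser is passed explicitly here instead of read from
// context.currentUser so the logic can be unit-tested without the GraphQL layer.
const posts = (currentUser) => db.post.findMany({ where: visiblePostsWhere(currentUser) })

const updatePost = ({ id, input }, currentUser) => {
  const post = db.post.findUnique({ where: { id } })
  assertCanEditPost(post, currentUser) // check before touching the row
  return { ...post, ...input } // real code: db.post.update({ where: { id }, data: input })
}
```

The same `visiblePostsWhere` clause can be reused in `post()` (single lookup) so a draft that is not visible to the caller resolves to `null` instead of being returned by id.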