djbalin
djbalin•3d ago

Granular RLS (e.g. oldDoc/newDoc)

Using rowLevelSecurity from convex-helpers, is it possible to set up granular permissions based on e.g. the kind of modification being made? Similarly to how triggers have change.oldDoc and change.newDoc For example, if you have role = "user" | "admin" on the users schema and write an RLS rule such that a user can only modify their own document - wouldn't a user be able to change their own role to admin? What's the best approach to granular RLS?
7 Replies
Convex Bot
Convex Bot•3d ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets. - Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.) - Use search.convex.dev to search Docs, Stack, and Discord all at once. - Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI. - Avoid tagging staff unless specifically instructed. Thank you!
erquhart
erquhart•3d ago
The stack article helps a lot, check out the modify function here: https://stack.convex.dev/row-level-security#authorization-via-row-level-security Here's how the role enforcement you're describing could look: 
async function rlsRules(ctx: QueryCtx) {
  return {
    messages: {
      modify: async ({ db, auth }, message) => {
        const viewer = await getCurrentUser(ctx)
        return viewer.role === "admin" || message.author === viewer._id
      },
    },
  }
}
async function rlsRules(ctx: QueryCtx) {
  return {
    messages: {
      modify: async ({ db, auth }, message) => {
        const viewer = await getCurrentUser(ctx)
        return viewer.role === "admin" || message.author === viewer._id
      },
    },
  }
}
And here's a setup with a customized context so rules already have the viewer handy: https://stack.convex.dev/row-level-security#customizing-the-rule-ctx
Row Level Security
Add row-level security to your database access by wrapping database reads and writes in your Convex serverless functions.
djbalin
djbalinOP•3d ago
Sorry maybe I wasn't clear enough: I am asking about controlling specifically which fields in a table can be modified. As far as I can tell, the example in the stack post also allows a user to patch their own role to admin (assuming that role is stored on the user schema). In pseudocode, I am asking if something like this is possible (similarly to trigger syntax, can't find it in docs or stack post): 
  users: {
    modify: async ({ viewer, permissions, change }, user): Promise<boolean> => {
      // If user is already admin, allow everything
      if (viewer.role === "admin") return true;

      // If user is not admin and is trying to change their own role to admin, disallow
      if (change.oldDoc.role !== "admin" && change.newDoc.role === "admin") return false;
      ...
    },
  },
  users: {
    modify: async ({ viewer, permissions, change }, user): Promise<boolean> => {
      // If user is already admin, allow everything
      if (viewer.role === "admin") return true;

      // If user is not admin and is trying to change their own role to admin, disallow
      if (change.oldDoc.role !== "admin" && change.newDoc.role === "admin") return false;
      ...
    },
  },
how do you format your code so nicely with colors and everything btw? 🌞
erquhart
erquhart•3d ago
“```ts” I see what you’re saying, you need the change itself or something
djbalin
djbalinOP•2d ago
Yeah exactly. I guess that these rules are applied at the entry point of the given function, so the change itself is not "known" at this point - contrary to triggers which run after a given function and therefore have access to the change. I think our solution for now is to normalize user roles completely out into its own table and then imposing strict rules for insertion and modification of that table
erquhart
erquhart•2d ago
They do have access to the change. The rls is a pretty small file, and you could easily pass the value from patch into authCheck to validate the change itself: https://github.com/get-convex/convex-helpers/blob/4d135d7711dcccf03cab43148b25e15faa71209c/packages/convex-helpers/server/rowLevelSecurity.ts#L317-L323
GitHub
convex-helpers/packages/convex-helpers/server/rowLevelSecurity.ts a...
A collection of useful code to complement the official packages. - get-convex/convex-helpers
erquhart
erquhart•2d ago
So you could make your own copy and have it do what you like.

Did you find this page helpful?