Martin 0x522E (2w ago)

wrapDatabaseWriter GRANTS access by default

Hey folks, we started to use wrapDatabaseWriter for auth checks and I was very surprised to see in the code that it GRANTS access if no rule is found... Why is that the case? That seems very dangerous for an auth helper...
Martin 0x522E (OP, 2w ago)
[attached image, no description]
Martin 0x522E (OP, 2w ago)
like this
ian (7d ago)
GitHub: RLS: Option to give no access by default · Issue #42 · get-convex...
Similar to other concepts in Convex, like the schema, it's nice to start off open but end up restricted. An option to have no access for tables that don't have RLS entries would be great fo...
GitHub: Request: Row Level Security default deny · Issue #722 · get-conve...
Per the current RowLevelSecurity design: * * Tables with no rule default to full access. For obvious reasons, it would be nice to have an option to deny access by default. Are you opposed to me put...
GitHub: Add option for default deny behavior to RLS Helpers by ebg1223 · P...
Tl;dr- adds a config option to RLS helpers to specify default deny behavior, instead of current default allow behavior. Prior to this PR, using row level security helpers would always allow a reque...
ian (7d ago)
just released in convex-helpers@0.1.104
Martin 0x522E (OP, 5d ago)
awesome, thanks! Once you release a v1 of that package, you really should reverse this default though, to be secure by default
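
The fail-open behaviour discussed in this thread, as an added example that is not part of the thread and is not convex-helpers code: a simplified JavaScript model of a rule-checking writer, run once with a default-allow policy and once with default-deny. The names `wrapWriter`, `defaultPolicy`, `tryInsert`, `tablesWithoutRules` and the table names are hypothetical.

```javascript
// Simplified model of a rule-checking database writer.
// Hypothetical names throughout; this is NOT the convex-helpers API.
// rules: { [table]: { insert?: (ctx, doc) => boolean } }
function wrapWriter(ctx, store, rules, { defaultPolicy = "allow" } = {}) {
  const check = (table, op, doc) => {
    const tableRules = Object.keys(rules).includes(table) ? rules[table] : {};
    const rule = tableRules[op];
    // No rule for this table/operation: the default policy decides.
    // With "allow", a forgotten rule silently means full access.
    if (typeof rule !== "function") return defaultPolicy === "allow";
    return rule(ctx, doc) === true;
  };
  return {
    insert(table, doc) {
      if (!check(table, "insert", doc)) {
        throw new Error(`insert denied on ${table}`);
      }
      if (!store[table]) store[table] = [];
      store[table].push(doc);
      return store[table].length - 1;
    },
  };
}

// Constructed scenario: "messages" has a rule; "auditLog" was added to the
// schema later and nobody wrote a rule for it.
const rules = {
  messages: { insert: (ctx, doc) => doc.author === ctx.userId },
};

// Attempt one insert as user "u1" under the given policy.
function tryInsert(policy, table, doc) {
  const db = wrapWriter({ userId: "u1" }, {}, rules, { defaultPolicy: policy });
  try {
    db.insert(table, doc);
    return "written";
  } catch (e) {
    return "denied";
  }
}

// Audit helper: schema tables that no rule covers. Running a check like this
// at startup or in CI surfaces the gap even while the default is still "allow".
function tablesWithoutRules(schemaTables, ruleSet) {
  const covered = new Set(Object.keys(ruleSet));
  return schemaTables.filter((t) => !covered.has(t));
}
```

With the default-allow policy, the write to the uncovered `auditLog` table succeeds even though the same document is rejected on `messages`; with default-deny, both are rejected.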
