-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configurable query grammar #2805
Comments
This comment was marked as outdated.
This comment was marked as outdated.
Hi @steve-chavez ,
i was not able to get a restriction on ordering. |
@mitch-lbw No, this is not implemented. There's no consensus on the feature design yet. |
A related discussion. User asking about restricting operand values #3355. |
Want to simply re-iterate how important this kind of a feature is to a lot of users in my opinion, at least bigger production setups using PostgREST would benefit from more hardening than is currently available. Just a tiny quick-fix-suggestion that might not be "great", but still a first step solution while a final one is discussed and decided: publishing just the raw query in request.query (no need to store it parsed or anything on the postgREST end, raw is fine I believe) would be a first step. It would allow making functions on our own which look for certain things in the query string in order to stop the query using RLS. For example, if the query string is exposed as a simple string in settings, we could write a function which returns true if a certain regex pattern matches request.query ... for example We then simply setup a RLS policy like this, which would automatically filter out all results and return nothing if id filter is missing in the request.
Of course, this would use the db however it should optimize most of the query away if the match is false. At least it is better than nothing and seems a very easy thing to add to expose as a variable in settings just like you do for path right now. |
@gc-ft Right, I think that's the simplest solution, this PR had a similar idea #1710 Now I wouldn't recommend doing that in RLS since it can get really complicated as it is. But doing the filtering on a pre-request should work fine. |
Some thoughts about exposing the HTTP query string as a transactional variable.
|
Problem
Solution
Make the query grammar configurable. This can be paired up with pre-config.
Say I want to only allow
eq
operators and only on primary keys:A similar config can be used for
order
too:Notes
The text was updated successfully, but these errors were encountered: