Enable filtering with custom roles #2117
Thank you for your contribution, I will take a look soon. But in the meantime, please add tests that exercise this scenario that you are fixing.

@Aniruddh25 we should review this this semester.

+1

This behavior described is by design, not a bug. Here’s the key: Data API builder does not perform role inheritance. Each role must be explicitly defined per entity in the configuration. So when you set The apparent inconsistency—being able to read fields but not filter—comes from how GraphQL and REST differ in execution paths. In the read operation, the engine evaluates “access to entity” (which passes through because of anonymous read permissions), but filtering checks column-level permission for the active role, which is undefined for

While this is true, the same rule does not apply to custom roles this

As discussed in the issue here: #2115 But really appreciate and thank you for your deep investigation and contributions, @lionelschiepers! Refer to this section of doc to add multiple permissions to the same entity, example:
Why make this change?
This pull request is related to issue 2115 (#2115) that reports that it's not possible to filter entities anonymously accessible when the caller is using a custom role.
What is this change?
When filtering is disallowed for a custom role because the role is not defined for that entity, it is then checked for the authenticated role the custom role inherits from. Please note that when no authenticated role is defined for an entity, it is automatically defined using the definition of the anonymous role.
How was this tested?
I've tested in our live environment.
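
An added example, not part of the PR or of Data API builder's code: a simplified Python model of the role lookup discussed above, contrasting the explicit per-role check with the fallback this PR proposes. The entity names, role names, column names and function names are hypothetical, and the permission table is constructed sample data.

```python
# Simplified model of the role lookup discussed in this PR (not DAB source code).
# Constructed sample: entity -> role -> columns that role may read and filter on.
PERMISSIONS = {
    "Book": {
        "anonymous": {"id", "title"},
        "reviewer": {"id"},  # custom role, explicitly defined and narrower
    },
    "Invoice": {
        "authenticated": {"id", "total"},
    },
}

SYSTEM_ROLES = ("anonymous", "authenticated")


def columns_for(perms, entity, role):
    """Columns granted to `role` on `entity`, or None if the role is undefined."""
    roles = perms.get(entity, {})
    if role in roles:
        return roles[role]
    # Per the PR description: an undefined authenticated role takes the
    # definition of the anonymous role.
    if role == "authenticated" and "anonymous" in roles:
        return roles["anonymous"]
    return None


def can_filter_explicit(perms, entity, role, column):
    """Check without inheritance: the active role must resolve on its own."""
    cols = columns_for(perms, entity, role)
    return cols is not None and column in cols


def can_filter_with_fallback(perms, entity, role, column):
    """Check proposed by the PR: a custom role that is undefined for the
    entity is evaluated as authenticated; a defined role is never widened."""
    cols = columns_for(perms, entity, role)
    if cols is None and role not in SYSTEM_ROLES:
        cols = columns_for(perms, entity, "authenticated")
    return cols is not None and column in cols
```

The `reviewer` case is the property to test for in any fallback of this kind: a role that is defined for the entity keeps its own column set and does not pick up the wider anonymous grant.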