From: | Achilleas Mantzios <achill(at)matrix(dot)gatewaynet(dot)com> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Thoughts on row-level security for webapps? |
Date: | 2019-01-02 10:31:34 |
Message-ID: | 75a43cb2-2e87-2628-ea69-c3b69ee997f5@matrix.gatewaynet.com |
Lists: | pgsql-general |
On 31/12/18 6:57 p.m., Siegfried Bilstein wrote:
> Hi all,
>
> I'm evaluating using a tool called Postgraphile that generates a GraphQL server from a postgres setup. The recommended way of handling security is to implement RLS within postgres and simply have
> the webserver take a cookie or similar and define which user is querying data.
>
> I've normally built webapps like this: pull out user id from a session cookie -> the API endpoint verifies the user and whether or not it has access to the given data -> app code mutates the data.
>
> With Postgraphile the request specifies the mutation and the server processes the request and relies on Postgres to determine if the user has correct access rights.
>
> It seems like I would need to create a ROLE for every single member that signs up for my website which I'm a little concerned about.
Why?
> Is this a common usage pattern for SQL security? Any gotchas relying on RLS?
>
> --
> Siggy Bilstein
> CTO of Ayuda Care <https://www.ayudacare.com>
> Book some time <https://calendly.com/siggy-cto> with me!
--
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt
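As an added illustration of the pattern the thread is discussing (this is example SQL, not code from the thread, from PostGraphile, or from either poster), the following shows PostgreSQL row-level security driven by a per-request session setting rather than by one database ROLE per member. The role name `webapp`, the table `documents`, the setting name `app.user_id` and the user id 42 are assumptions made for the example.

```sql
-- Added example, not from the thread: one shared application role, with the
-- end user identified per request through a session setting (app.user_id).
-- The names webapp, documents and app.user_id are assumptions for illustration.

CREATE ROLE webapp NOLOGIN;   -- the web server's login role is made a member of this

CREATE TABLE documents (
    id       serial  PRIMARY KEY,
    owner_id integer NOT NULL,
    body     text
);

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE  ROW LEVEL SECURITY;  -- apply policies to the table owner too

GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO webapp;
GRANT USAGE ON SEQUENCE documents_id_seq TO webapp;  -- needed for the serial column

-- A row is visible and writable only when owner_id equals the id the web
-- server stored in app.user_id. NULLIF covers the unset case (NULL or ''),
-- so a request that never set the id sees no rows instead of raising a cast error.
CREATE POLICY documents_owner ON documents
    FOR ALL TO webapp
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::integer)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::integer);

-- Per request, after the session cookie has been validated, the web server
-- runs everything inside one transaction, so SET LOCAL cannot leak to the
-- next request on a pooled connection. 42 is a constructed sample user id.
BEGIN;
SET LOCAL ROLE webapp;
SET LOCAL app.user_id = '42';
INSERT INTO documents (owner_id, body) VALUES (42, 'visible to user 42');
-- INSERT INTO documents (owner_id, body) VALUES (7, 'other user') would be
-- rejected here by the WITH CHECK clause.
SELECT id, body FROM documents;   -- returns only rows with owner_id = 42
COMMIT;
```

Two gotchas worth checking when relying on this: the role the web server connects as must not be a superuser or carry BYPASSRLS, and FORCE ROW LEVEL SECURITY is what makes the policy apply even to the table owner; and because the identity is carried in a transaction-scoped setting, a code path that forgets SET LOCAL fails closed (the policy matches no rows) rather than exposing another user's data.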