dbviewer 0.8.1 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12d0c138efd718011eda36a79ea33a9e96f6609032b1160249e19876df86d00e
-  data.tar.gz: 11150deaa07278a6073f9977000fc4075ac0d24f671601a3525d19afd27b2e25
+  metadata.gz: da5b1e52cd18bd48043589666bfca92019afbf065b2b327d415aa2bacf85658b
+  data.tar.gz: d5061713ee1b8726289202bd77972c95cc1383ab9b30b859020ca76a8a8e186b
 SHA512:
-  metadata.gz: 0e0bfde143b99b1412a405d46eee0e13efb3711d7b33a297c0327f712dfb946acb808052b377df970dfae65e97656a826af3cab7896a0e544831ad9942a048a4
-  data.tar.gz: 342ee2c29f04c64d68272f843c45860bf60a51e61e338d1a9ff5ae579d85ec6a5684d4bbd12f95b46a1f452100eb01796d57a0caa2a96b0b5732aecb050a4896
+  metadata.gz: 8e75e627915d175150dc88030b11ea6ea961f832f24c7ab2144d90939b6ed76676db7994e2741acaec5e06a6541bbcd0eca8dd5752c0e21bac1f7288f0479234
+  data.tar.gz: d04158eaedb765a5b22af6e9ceec3b6817f5e11a6980affd47a1ace976c8f20d4a868dd93031cf463ae8f73462e6b79dd562356087090cbcc17c3b46092ca34d

data/README.md

@@ -1,5 +1,3 @@
-![dbviewer](https://github.com/user-attachments/assets/665c1a65-aab3-4a7e-aa54-b42e871cb3d0)
-
 # 👁️ DBViewer
 
 > **The fastest way to visualize and explore your database**
@@ -7,7 +5,7 @@
 DBViewer is a powerful Rails engine that provides a comprehensive interface to view and explore database tables, records, and schema.
 It's designed for development, debugging, and database analysis, offering a clean and intuitive way to interact with your application's database.
 
-<img width="1470" alt="image" src="https://github.com/user-attachments/assets/0d2719ad-f5b4-4818-891d-5bff7be6c5c3" />
+<img width="1470" alt="image" src="https://github.com/user-attachments/assets/6bc68cfa-903e-49fb-a450-425317d6cbc0" />
 
 ## ✨ Features
 
@@ -25,16 +23,6 @@ It's designed for development, debugging, and database analysis, offering a clea
 
 You can explore a live demo of DBViewer at [https://dbviewer-demo.wailantirajoh.tech/](https://dbviewer-demo.wailantirajoh.tech/). This demo showcases all the features of DBViewer on a sample database, allowing you to try out the tool before installing it in your own application.
 
-## 📸 Screenshots
-
-<details>
-  <summary>Click to see more screenshots</summary>
-
-  <img width="1470" alt="image" src="https://github.com/user-attachments/assets/7d708c14-5f78-42c4-b769-2167546b3aad" />
-  <img width="1470" alt="image" src="https://github.com/user-attachments/assets/f6d9a39a-a571-4328-908a-d96b3148f707" />
-
-</details>
-
 ## 📥 Installation
 
 Add this line to your application's Gemfile:
@@ -120,6 +108,15 @@ Dbviewer.configure do |config|
   # Authentication options
   # config.admin_credentials = { username: "admin", password: "your_secure_password" } # Basic HTTP auth credentials
 
+  # Table and Column Access Control
+  # config.access_control_mode = :whitelist  # :whitelist, :blacklist, or :none (default)
+  # config.allowed_tables = ['users', 'orders', 'products']  # Only these tables accessible (whitelist mode)
+  # config.blocked_tables = ['admin_users', 'sensitive_data']  # These tables blocked (blacklist mode)
+  # config.blocked_columns = {  # Hide sensitive columns from specific tables
+  #   'users' => ['password_digest', 'api_key', 'secret_token'],
+  #   'orders' => ['internal_notes']
+  # }
+
   # Disable DBViewer completely
   # config.disabled = Rails.env.production?  # Disable in production
 end
@@ -260,11 +257,11 @@ end
 
 When disabled, all DBViewer routes return 404 responses, making it appear as if the tool was never installed. This is the recommended approach for production systems where database admin tools should not be accessible.
 
-## 🔐 PII Data Masking
+### 🔐 PII Data Masking
 
 DBViewer includes built-in support for masking Personally Identifiable Information (PII) to protect sensitive data while allowing developers to browse database contents.
 
-### Quick Setup
+#### Quick Setup
 
 Configure PII masking in your Rails initializer (e.g., `config/initializers/dbviewer.rb`):
 
@@ -296,7 +293,7 @@ Dbviewer.configure_pii do |pii|
 end
 ```
 
-### Built-in Masking Types
+#### Built-in Masking Types
 
 - **`:email`** - Masks email addresses while preserving domain
 - **`:phone`** - Masks phone numbers keeping first and last digits
@@ -305,6 +302,22 @@ end
 - **`:full_redact`** - Completely redacts the value
 - **`:partial`** - Partial masking (default behavior)
 
+### Table and Column Access Control
+
+DBViewer includes granular access control features to restrict access to specific tables and columns, providing an additional layer of security beyond basic authentication.
+
+#### Access Control Modes
+
+DBViewer supports three access control modes:
+
+- **`:none`** (default) - All tables are accessible (current behavior)
+- **`:whitelist`** - Only explicitly allowed tables are accessible (most secure)
+- **`:blacklist`** - All tables except explicitly blocked ones are accessible
+
+#### Whitelist Mode (Recommended for Production)
+
+Whitelist mode is the most secure approach, where only explicitly allowed tables can be accessed:
+
 ### Generate Example Configuration
 
 Use the generator to create an example PII configuration:

data/app/controllers/concerns/dbviewer/access_control_validation.rb

@@ -0,0 +1,25 @@
+module Dbviewer
+  module AccessControlValidation
+    extend ActiveSupport::Concern
+
+    private
+
+    def validate_table_access(table_name)
+      return unless table_name.present?
+
+      unless access_control.table_accessible?(table_name)
+        Rails.logger.warn "DBViewer: Access denied for table '#{table_name}'"
+        flash[:alert] = access_control.access_violation_message(table_name)
+        redirect_to tables_path and return
+      else
+        Rails.logger.info "DBViewer: Access granted for table '#{table_name}'"
+      end
+    end
+
+    def validate_query_access(sql)
+      unless access_control.validate_query_table_access(sql)
+        raise SecurityError, "Query contains references to inaccessible tables"
+      end
+    end
+  end
+end

data/app/controllers/concerns/dbviewer/database_operations/table_operations.rb

@@ -6,7 +6,9 @@ module Dbviewer
       # Fetch all tables with their stats
       # By default, don't include record counts for better performance on sidebar
       def fetch_tables(include_record_counts = false)
-        database_manager.tables.map do |table_name|
+        all_table_names = database_manager.tables
+        filtered_table_names = filter_accessible_tables(all_table_names)
+        filtered_table_names.map do |table_name|
           table_stats = { name: table_name }
           table_stats[:record_count] = fetch_table_record_count(table_name) if include_record_counts
           table_stats

data/app/controllers/concerns/dbviewer/database_operations.rb

@@ -17,5 +17,17 @@ module Dbviewer
     def table_query_operations
       @table_query_operations ||= database_manager.table_query_operations
     end
+
+    def access_control
+      @access_control ||= Dbviewer::Security::AccessControl.new
+    end
+
+    def filter_accessible_tables(tables)
+      access_control.filter_accessible_tables(tables)
+    end
+
+    def filter_accessible_columns(table_name, columns)
+      access_control.filter_accessible_columns(table_name, columns)
+    end
   end
 end

data/app/controllers/dbviewer/api/entity_relationship_diagrams_controller.rb

@@ -37,20 +37,37 @@ module Dbviewer
       def extract_table_relationships(table_name)
         metadata = fetch_table_metadata(table_name)
         return [] unless metadata&.dig(:foreign_keys)&.present?
-
-        metadata[:foreign_keys].map do |fk|
-          {
-            from_table: table_name,
-            to_table: fk[:to_table],
-            from_column: fk[:column],
-            to_column: fk[:primary_key],
-            name: fk[:name]
-          }
+        table_names = @tables.map { |t| t[:name] }
+        metadata[:foreign_keys].filter_map do |fk|
+          # Only include relationship if target table is also accessible
+          if table_names.include?(fk[:to_table])
+            {
+              from_table: table_name,
+              to_table: fk[:to_table],
+              from_column: fk[:column],
+              to_column: fk[:primary_key],
+              name: fk[:name]
+            }
+          end
         end
       rescue => e
         Rails.logger.error("[DBViewer] Error fetching relationships for #{table_name}: #{e.message}")
         [] # Return empty array to continue processing other tables
       end
+
+      # Override to filter relationships to only accessible tables
+      def fetch_table_relationships(tables)
+        table_names = tables.map { |t| t[:name] }
+
+        # Get all relationships from accessible tables
+        all_relationships = super(tables)
+
+        # Filter to only include relationships where both source and target tables are accessible
+        all_relationships.select do |relationship|
+          table_names.include?(relationship[:from_table]) &&
+          table_names.include?(relationship[:to_table])
+        end
+      end
     end
   end
 end

data/app/controllers/dbviewer/api/tables_controller.rb

@@ -2,18 +2,25 @@ module Dbviewer
   module Api
     class TablesController < BaseController
       def index
-        tables_count = fetch_tables_count
-        render_success(total_tables: tables_count)
+        render_success(total_tables: fetch_tables.length)
       end
 
       def show
-        table_stats = fetch_table_stats(params[:id])
+        table_name = params[:id]
+
+        # Check if table is accessible
+        unless access_control.table_accessible?(table_name)
+          render_error(access_control.access_violation_message(table_name), :forbidden)
+          return
+        end
+
+        table_stats = fetch_table_stats(table_name)
         render_success(**table_stats)
       end
 
       def records
-        tables_stats = fetch_tables_stats
-        render_success(tables_stats)
+        all_tables_stats = fetch_tables_stats
+        render_success(all_tables_stats)
       end
 
       def relationships_count
@@ -25,14 +32,23 @@ module Dbviewer
         table_name = params[:id]
         record_id = params[:record_id]
 
+        # Check if table is accessible
+        unless access_control.table_accessible?(table_name)
+          render_error("Access denied: Table '#{table_name}' is not accessible", :forbidden)
+          return
+        end
+
         reverse_foreign_keys = fetch_table_metadata(table_name).dig(:reverse_foreign_keys) || []
         relationship_counts = reverse_foreign_keys.map do |rel|
+          # Only include relationships to accessible tables
+          next unless access_control.table_accessible?(rel[:from_table])
+
           {
             table: rel[:from_table],
             foreign_key: rel[:column],
             count: database_manager.get_model_for(rel[:from_table]).where(rel[:column] => record_id).count
           }
-        end
+        end.compact
 
         render_success({
           table_name: table_name,

data/app/controllers/dbviewer/tables_controller.rb

@@ -1,11 +1,16 @@
 module Dbviewer
   class TablesController < ApplicationController
+    include Dbviewer::AccessControlValidation
+
     before_action :set_table_name, except: [ :index ]
+    before_action :validate_table, only: [ :show, :query, :export_csv ]
     before_action :set_query_filters, only: [ :show, :export_csv ]
     before_action :set_global_filters, only: [ :show, :export_csv ]
 
     def index
-      @tables = fetch_tables(:include_record_counts)
+      @tables = @tables.map do |table|
+        table.merge(record_count: fetch_table_record_count(table[:name]))
+      end
     end
 
     def show
@@ -21,13 +26,24 @@ module Dbviewer
       @total_count = datatable_data[:total_count]
       @records = datatable_data[:records]
       @total_pages = datatable_data[:total_pages]
-      @columns = datatable_data[:columns]
+      @columns = filter_accessible_columns(@table_name, datatable_data[:columns])
       @metadata = datatable_data[:metadata]
     end
 
     def query
-      @columns = fetch_table_columns(@table_name)
+      all_columns = fetch_table_columns(@table_name)
+      @columns = filter_accessible_columns(@table_name, all_columns)
       @query = prepare_query(@table_name, params[:query])
+
+      if @query.present?
+        begin
+          validate_query_access(@query)
+        rescue SecurityError => e
+          flash[:alert] = e.message
+          render :query and return
+        end
+      end
+
       @records = execute_query(@query)
 
       render :query
@@ -64,6 +80,10 @@ module Dbviewer
       @table_name = params[:id]
     end
 
+    def validate_table
+      validate_table_access(@table_name)
+    end
+
     def set_query_filters
       @current_page = [ 1, params[:page].to_i ].max
       @per_page = params[:per_page] ? params[:per_page].to_i : Dbviewer.configuration.default_per_page

data/lib/dbviewer/configuration.rb

@@ -77,6 +77,29 @@ module Dbviewer
     # }
     attr_accessor :custom_pii_masks
 
+    # Table access control - whitelist approach (more secure)
+    # Only tables listed here will be accessible
+    # @example ['users', 'orders', 'products']
+    attr_accessor :allowed_tables
+
+    # Table access control - blacklist approach
+    # Tables listed here will be blocked from access
+    # @example ['admin_users', 'sensitive_data', 'audit_logs']
+    attr_accessor :blocked_tables
+
+    # Column access control - hide sensitive columns
+    # @example {
+    #   'users' => ['password_digest', 'api_key', 'secret_token'],
+    #   'orders' => ['internal_notes']
+    # }
+    attr_accessor :blocked_columns
+
+    # Access control mode: :whitelist, :blacklist, or :none
+    # :whitelist - only allowed_tables are accessible (most secure)
+    # :blacklist - all tables except blocked_tables are accessible
+    # :none - all tables accessible (current behavior)
+    attr_accessor :access_control_mode
+
     def initialize
       @per_page_options = [ 10, 20, 50, 100 ]
       @default_per_page = 20
@@ -103,6 +126,12 @@ module Dbviewer
       @pii_rules = {}
       @enable_pii_masking = true
       @custom_pii_masks = {}
+
+      # Initialize access control settings
+      @allowed_tables = []
+      @blocked_tables = []
+      @blocked_columns = {}
+      @access_control_mode = :none  # Default to current behavior
     end
   end
 end

data/lib/dbviewer/security/access_control.rb

@@ -0,0 +1,88 @@
+module Dbviewer
+  module Security
+    # Access control service to validate table and column access
+    class AccessControl
+      def initialize(config = nil)
+        @config = config || Dbviewer.configuration
+        @sql_parser = SqlParser.new
+      end
+
+      # Check if a table is accessible based on current access control mode
+      # @param table_name [String] Name of the table to check
+      # @return [Boolean] true if table is accessible, false otherwise
+      def table_accessible?(table_name)
+        return true if @config.access_control_mode == :none
+
+        case @config.access_control_mode
+        when :whitelist
+          @config.allowed_tables.include?(table_name.to_s)
+        when :blacklist
+          !@config.blocked_tables.include?(table_name.to_s)
+        else
+          true
+        end
+      end
+
+      # Get list of accessible tables based on access control settings
+      # @param all_tables [Array<String>] List of all available tables
+      # @return [Array<String>] Filtered list of accessible tables
+      def filter_accessible_tables(all_tables)
+        return all_tables if @config.access_control_mode == :none
+
+        all_tables.select { |table| table_accessible?(table) }
+      end
+
+      # Get list of accessible columns for a table
+      # @param table_name [String] Name of the table
+      # @param all_columns [Array<String>] List of all columns in the table
+      # @return [Array<String>] Filtered list of accessible columns
+      def filter_accessible_columns(table_name, all_columns)
+        blocked_columns = @config.blocked_columns[table_name.to_s] || []
+        all_columns.reject { |column| blocked_columns.include?(column.to_s) }
+      end
+
+      # Validate if a SQL query only accesses allowed tables
+      # @param sql [String] The SQL query to validate
+      # @return [Boolean] true if query only accesses allowed tables
+      def validate_query_table_access(sql)
+        return true if @config.access_control_mode == :none
+
+        # Extract table names from the SQL query using the SQL parser
+        extracted_tables = @sql_parser.extract_table_names(sql)
+
+        # Check if all extracted tables are accessible
+        extracted_tables.all? { |table| table_accessible?(table) }
+      end
+
+      # Get access control violation message
+      # @param table_name [String] Name of the table that was blocked
+      # @return [String] Error message explaining the access violation
+      def access_violation_message(table_name = nil)
+        case @config.access_control_mode
+        when :whitelist
+          if table_name
+            "Access denied: Table '#{table_name}' is not in the allowed tables list"
+          else
+            "Access denied: Only the following tables are accessible: #{@config.allowed_tables.join(', ')}"
+          end
+        when :blacklist
+          if table_name
+            "Access denied: Table '#{table_name}' is blocked from access"
+          else
+            "Access denied: The following tables are blocked: #{@config.blocked_tables.join(', ')}"
+          end
+        else
+          "Access denied: Table access is restricted"
+        end
+      end
+
+      private
+
+      # For backwards compatibility, we keep this method but delegate to SqlParser
+      # @deprecated Use SqlParser.extract_table_names directly
+      def extract_table_names_from_sql(sql)
+        @sql_parser.extract_table_names(sql)
+      end
+    end
+  end
+end

data/lib/dbviewer/security/sql_parser.rb

@@ -0,0 +1,465 @@
+module Dbviewer
+  module Security
+    # SQL parser for extracting table names from SQL queries
+    # Handles complex SQL including CTEs, subqueries, joins, and DML operations
+    class SqlParser
+      require "set"
+
+      # Parse SQL query and extract all table names
+      # @param sql [String] The SQL query to parse
+      # @return [Array<String>] List of table names found in the query
+      def self.extract_table_names(sql)
+        new.extract_table_names(sql)
+      end
+
+      # Parse SQL query and extract all table names
+      # @param sql [String] The SQL query to parse
+      # @return [Array<String>] List of table names found in the query
+      def extract_table_names(sql)
+        return [] if sql.nil? || sql.strip.empty?
+
+        # Remove comments and normalize whitespace
+        cleaned_sql = clean_sql(sql)
+
+        # Use a more sophisticated approach to handle complex queries
+        table_names = Set.new
+
+        # Split by semicolons to handle multiple statements
+        statements = cleaned_sql.split(";").map(&:strip).reject(&:empty?)
+
+        statements.each do |statement|
+          table_names.merge(extract_tables_from_statement(statement))
+        end
+
+        table_names.to_a.compact
+      end
+
+      private
+
+      # Clean SQL by removing comments and normalizing whitespace
+      # Properly handles string literals to avoid removing content inside strings
+      # @param sql [String] The SQL query to clean
+      # @return [String] Cleaned SQL
+      def clean_sql(sql)
+        result = []
+        i = 0
+        in_single_quote = false
+        in_double_quote = false
+        in_single_line_comment = false
+        in_multi_line_comment = false
+
+        while i < sql.length
+          char = sql[i]
+          next_char = i + 1 < sql.length ? sql[i + 1] : nil
+
+          # Handle string literals first (highest priority)
+          if !in_single_line_comment && !in_multi_line_comment
+            case char
+            when "'"
+              if !in_double_quote
+                # Handle escaped single quotes
+                if in_single_quote && next_char == "'"
+                  result << char << next_char
+                  i += 2
+                  next
+                else
+                  in_single_quote = !in_single_quote
+                  result << char
+                end
+              else
+                result << char
+              end
+            when '"'
+              if !in_single_quote
+                # Handle escaped double quotes
+                if in_double_quote && next_char == '"'
+                  result << char << next_char
+                  i += 2
+                  next
+                else
+                  in_double_quote = !in_double_quote
+                  result << char
+                end
+              else
+                result << char
+              end
+            when "-"
+              # Check for single-line comment start
+              if !in_single_quote && !in_double_quote && next_char == "-"
+                in_single_line_comment = true
+                i += 2
+                next
+              else
+                result << char
+              end
+            when "/"
+              # Check for multi-line comment start
+              if !in_single_quote && !in_double_quote && next_char == "*"
+                in_multi_line_comment = true
+                i += 2
+                next
+              else
+                result << char
+              end
+            when "*"
+              # Check for multi-line comment end
+              if in_multi_line_comment && next_char == "/"
+                in_multi_line_comment = false
+                i += 2
+                next
+              elsif !in_single_line_comment && !in_multi_line_comment
+                result << char
+              end
+            when "\n", "\r"
+              # End single-line comment
+              if in_single_line_comment
+                in_single_line_comment = false
+                result << char
+              elsif !in_multi_line_comment
+                result << char
+              end
+            else
+              # Regular character
+              if !in_single_line_comment && !in_multi_line_comment
+                result << char
+              end
+            end
+          else
+            # Inside comment - handle comment end conditions
+            case char
+            when "*"
+              if in_multi_line_comment && next_char == "/"
+                in_multi_line_comment = false
+                i += 2
+                next
+              end
+            when "\n", "\r"
+              if in_single_line_comment
+                in_single_line_comment = false
+                result << char
+              end
+            end
+          end
+
+          i += 1
+        end
+
+        # Normalize whitespace and strip
+        result.join.squeeze(" ").strip
+      end
+
+      # Extract table names from a single SQL statement
+      # @param sql [String] A single SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude (for recursive calls)
+      # @return [Array<String>] List of table names
+      def extract_tables_from_statement(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # Handle CTEs (WITH clauses) first and collect CTE names
+        cte_data = extract_cte_tables_and_names(sql)
+        table_names.merge(cte_data[:table_names])
+        current_cte_names = cte_names + cte_data[:cte_names]
+
+        # Handle main query tables
+        table_names.merge(extract_main_query_tables(sql, current_cte_names))
+
+        # Handle subqueries recursively
+        table_names.merge(extract_subquery_tables(sql, current_cte_names))
+
+        # Remove CTE names from the final result since they're not actual database tables
+        (table_names - current_cte_names).to_a
+      end
+
+      # Extract table names from CTEs (WITH clauses) and return both actual tables and CTE names
+      # @param sql [String] SQL statement
+      # @return [Hash] Hash with :table_names and :cte_names arrays
+      def extract_cte_tables_and_names(sql)
+        table_names = Set.new
+        cte_names = Set.new
+
+        # Find all CTE names first using an improved approach
+        # Look for pattern: [schema.]cte_name AS (
+        # Handles quoted identifiers, schema-qualified names, and backticks
+        # Pattern breakdown:
+        # (?:(?:\w+|"[^"]+"|`[^`]+`)\.)?  - Optional schema prefix (word, quoted, or backticked) followed by dot
+        # (\w+|"[^"]+"|`[^`]+`)           - CTE name (word, double-quoted, or backticked)
+        # \s+AS\s*\(                      - " AS ("
+        cte_name_pattern = /(?:(?:\w+|"[^"]+"|`[^`]+`)\.)?(\w+|"[^"]+"|`[^`]+`)\s+AS\s*\(/i
+
+        sql.scan(cte_name_pattern) do |match|
+          cte_name = match[0]
+          # Clean up the CTE name by removing quotes if present
+          clean_cte_name = cte_name.gsub(/^["'`](.+)["'`]$/, '\1')
+          cte_names.add(clean_cte_name)
+        end
+
+        # Then extract table names from the CTE definitions
+        # Match WITH clauses (including RECURSIVE)
+        cte_pattern = /\bWITH\s+(?:RECURSIVE\s+)?(.+?)(?=\s+SELECT\s+[^(]|\s+INSERT\s+|\s+UPDATE\s+|\s+DELETE\s+)/mi
+
+        cte_match = sql.match(cte_pattern)
+        if cte_match
+          cte_definitions = cte_match[1]
+
+          # Find all subqueries within the CTE definitions and extract tables from them
+          depth = 0
+          start_pos = nil
+          i = 0
+
+          while i < cte_definitions.length
+            char = cte_definitions[i]
+
+            if char == "(" && cte_definitions[i..-1] =~ /^\(\s*SELECT/i
+              if depth == 0
+                start_pos = i + 1
+              end
+              depth += 1
+            elsif char == ")" && depth > 0
+              depth -= 1
+              if depth == 0 && start_pos
+                subquery = cte_definitions[start_pos...i]
+                # Recursively extract tables from the CTE subquery
+                table_names.merge(extract_tables_from_statement(subquery, cte_names))
+                start_pos = nil
+              end
+            end
+
+            i += 1
+          end
+        end
+
+        {
+          table_names: table_names.to_a,
+          cte_names: cte_names.to_a
+        }
+      end
+
+      # Extract table names from main query operations
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_main_query_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # FROM clauses (including table-valued functions and subqueries)
+        table_names.merge(extract_from_tables(sql, cte_names))
+
+        # JOIN clauses
+        table_names.merge(extract_join_tables(sql, cte_names))
+
+        # INSERT INTO
+        table_names.merge(extract_insert_tables(sql, cte_names))
+
+        # UPDATE (including UPDATE ... FROM)
+        table_names.merge(extract_update_tables(sql, cte_names))
+
+        # DELETE FROM (including DELETE ... FROM ... JOIN)
+        table_names.merge(extract_delete_tables(sql, cte_names))
+
+        # UNION, INTERSECT, EXCEPT
+        table_names.merge(extract_set_operation_tables(sql, cte_names))
+
+        table_names.to_a
+      end
+
+      # Extract table names from FROM clauses
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_from_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # Match FROM clause with various patterns
+        # Handle: FROM table, FROM schema.table, FROM "table", FROM (subquery), FROM function()
+        from_pattern = /\bFROM\s+(?![\(\s]*SELECT)((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+)(?:\s*\([^)]*\))?)/i
+
+        sql.scan(from_pattern) do |match|
+          table_ref = match[0]
+          # Skip if it looks like a function call or subquery
+          unless table_ref.include?("(") && table_ref.include?(")")
+            table_name = extract_table_name_from_reference(table_ref)
+            # Only add if it's not a CTE name
+            table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+          end
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from JOIN clauses
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_join_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # Match all types of JOINs
+        join_pattern = /\b(?:INNER\s+|LEFT\s+(?:OUTER\s+)?|RIGHT\s+(?:OUTER\s+)?|FULL\s+(?:OUTER\s+)?|CROSS\s+)?JOIN\s+(?![\(\s]*SELECT)((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+))/i
+
+        sql.scan(join_pattern) do |match|
+          table_ref = match[0]
+          table_name = extract_table_name_from_reference(table_ref)
+          # Only add if it's not a CTE name
+          table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from INSERT statements
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_insert_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # INSERT INTO table
+        insert_pattern = /\bINSERT\s+INTO\s+((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+))/i
+
+        sql.scan(insert_pattern) do |match|
+          table_ref = match[0]
+          table_name = extract_table_name_from_reference(table_ref)
+          # Only add if it's not a CTE name
+          table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from UPDATE statements
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_update_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # UPDATE table SET ... or UPDATE table ... FROM other_table
+        update_pattern = /\bUPDATE\s+((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+))/i
+
+        sql.scan(update_pattern) do |match|
+          table_ref = match[0]
+          table_name = extract_table_name_from_reference(table_ref)
+          # Only add if it's not a CTE name
+          table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+        end
+
+        # UPDATE ... FROM (PostgreSQL style)
+        update_from_pattern = /\bUPDATE\s+\w+.*?\bFROM\s+((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+))/i
+
+        sql.scan(update_from_pattern) do |match|
+          table_ref = match[0]
+          table_name = extract_table_name_from_reference(table_ref)
+          # Only add if it's not a CTE name
+          table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from DELETE statements
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_delete_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # DELETE FROM table
+        delete_pattern = /\bDELETE\s+FROM\s+((?:\w+\.)?(?:\\?"[^"\\]+\\?"|`[^`]+`|\w+))/i
+
+        sql.scan(delete_pattern) do |match|
+          table_ref = match[0]
+          table_name = extract_table_name_from_reference(table_ref)
+          # Only add if it's not a CTE name
+          table_names.add(table_name) if table_name && !cte_names.include?(table_name)
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from set operations (UNION, INTERSECT, EXCEPT)
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_set_operation_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # Split by set operations and process each part
+        parts = sql.split(/\b(?:UNION(?:\s+ALL)?|INTERSECT|EXCEPT)\b/i)
+
+        parts.each do |part|
+          table_names.merge(extract_from_tables(part, cte_names))
+          table_names.merge(extract_join_tables(part, cte_names))
+        end
+
+        table_names.to_a
+      end
+
+      # Extract table names from subqueries
+      # @param sql [String] SQL statement
+      # @param cte_names [Set] Set of CTE names to exclude
+      # @return [Array<String>] List of table names
+      def extract_subquery_tables(sql, cte_names = Set.new)
+        table_names = Set.new
+
+        # Find subqueries in parentheses
+        # This is a simplified approach - nested parentheses are complex to handle with regex
+
+        # Track parentheses depth to handle nested subqueries
+        depth = 0
+        start_pos = nil
+        i = 0
+
+        while i < sql.length
+          char = sql[i]
+
+          if char == "(" && sql[i..-1] =~ /^\(\s*SELECT/i
+            if depth == 0
+              start_pos = i + 1
+            end
+            depth += 1
+          elsif char == ")" && depth > 0
+            depth -= 1
+            if depth == 0 && start_pos
+              subquery = sql[start_pos...i]
+              # Recursively process subquery
+              table_names.merge(extract_tables_from_statement(subquery, cte_names))
+              start_pos = nil
+            end
+          end
+
+          i += 1
+        end
+
+        table_names.to_a
+      end
+
+      # Extract clean table name from a table reference
+      # @param table_ref [String] Table reference (e.g., "schema.table", "table", "\"table\"")
+      # @return [String, nil] Clean table name or nil if invalid
+      def extract_table_name_from_reference(table_ref)
+        return nil if table_ref.nil? || table_ref.strip.empty?
+
+        # Remove schema prefix (schema.table -> table)
+        if table_ref.include?(".")
+          parts = table_ref.split(".")
+          table_part = parts.last
+        else
+          table_part = table_ref
+        end
+
+        # Remove quotes and clean up
+        table_name = table_part.gsub(/^\\?"([^"\\]+)\\?"$/, '\1')  # Remove escaped quotes
+                              .gsub(/^"([^"]+)"$/, '\1')          # Remove double quotes
+                              .gsub(/^`([^`]+)`$/, '\1')          # Remove backticks
+                              .strip
+
+        # Validate table name (basic identifier rules)
+        if table_name =~ /^[a-zA-Z_][a-zA-Z0-9_]*$/
+          table_name
+        else
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.8.1"
+  VERSION = "0.9.0"
 end

data/lib/dbviewer.rb

@@ -2,6 +2,8 @@ require "dbviewer/version"
 require "dbviewer/configuration"
 require "dbviewer/engine"
 require "dbviewer/validator/sql"
+require "dbviewer/security/sql_parser"
+require "dbviewer/security/access_control"
 
 require "dbviewer/storage/base"
 require "dbviewer/storage/in_memory_storage"

data/lib/generators/dbviewer/templates/initializer.rb

@@ -19,6 +19,31 @@ Dbviewer.configure do |config|
   #   password: "your_secure_password"
   # }
 
+  # Table and Column Access Control (Security Feature)
+  # Access control mode: :whitelist (most secure), :blacklist, or :none (default)
+  # config.access_control_mode = :whitelist
+
+  # Whitelist mode: Only these tables will be accessible
+  # config.allowed_tables = [
+  #   'users',
+  #   'orders',
+  #   'products',
+  #   'categories'
+  # ]
+
+  # Blacklist mode: All tables except these will be accessible
+  # config.blocked_tables = [
+  #   'admin_users',
+  #   'sensitive_data',
+  #   'audit_logs'
+  # ]
+
+  # Hide sensitive columns from specific tables
+  # config.blocked_columns = {
+  #   'users' => ['password_digest', 'api_key', 'secret_token'],
+  #   'orders' => ['internal_notes', 'admin_comments']
+  # }
+
   # Multiple database connections configuration
   # config.database_connections = {
   #   primary: {

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.9.0
 platform: ruby
 authors:
 - Wailan Tirajoh
@@ -95,6 +95,7 @@ files:
 - app/assets/stylesheets/dbviewer/logs.css
 - app/assets/stylesheets/dbviewer/query.css
 - app/assets/stylesheets/dbviewer/table.css
+- app/controllers/concerns/dbviewer/access_control_validation.rb
 - app/controllers/concerns/dbviewer/database_operations.rb
 - app/controllers/concerns/dbviewer/database_operations/connection_management.rb
 - app/controllers/concerns/dbviewer/database_operations/data_export.rb
@@ -156,6 +157,8 @@ files:
 - lib/dbviewer/query/logger.rb
 - lib/dbviewer/query/notification_subscriber.rb
 - lib/dbviewer/query/parser.rb
+- lib/dbviewer/security/access_control.rb
+- lib/dbviewer/security/sql_parser.rb
 - lib/dbviewer/storage/base.rb
 - lib/dbviewer/storage/file_storage.rb
 - lib/dbviewer/storage/in_memory_storage.rb