@sladkoff/kysely-access-control 0.0.6 → 0.0.8
- package/README.md +19 -0
- package/dist/src/kyselyAccessControl.js +4 -3
- package/package.json +1 -1
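--- a/package/README.md
+++ b/package/README.md
@@ -196,6 +196,25 @@ Unfortunately, even those you provide the column list to Kysely as a type, that
 system (or at all by the runtime), and as a result we cannot do the sensible thing of replacing a `.selectAll()` with a
 select of all columns.
 
+## Table Aliases in Subqueries
+
+Table aliases in subqueries (e.g., `selectFrom('table as t')`) are not currently supported. When using table aliases
+in subqueries, the library may fail to properly enforce permissions or throw errors.
+
+For example, the following pattern will not work:
+```typescript
+.select((qb) => {
+const rsvps = qb
+.selectFrom("rsvp as r")
+.innerJoin("person", "person.id", "r.person_id")
+.select("r.id");
+
+return [jsonArrayFrom(rsvps).as("rsvps")];
+})
+```
+
+Use the full table name without aliases in subqueries to ensure proper permission enforcement.
+
 # Features
 
 ## Table/Column Statement Type + Context Controls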
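--- a/package/dist/src/kyselyAccessControl.js
+++ b/package/dist/src/kyselyAccessControl.js
@@ -78,8 +78,9 @@ const createAccessControlPlugin = (guard) => {
 }
 }
 }
-//
-
+// Apply RLS filter from grants to WHERE clause
+const newNode = Object.assign(Object.assign({}, node), { where: this._transformWhere(guardResult, node.where) });
+return super.transformUpdateQuery(newNode);
 }
 /**
 * Enforce insert on a table
@@ -229,7 +230,7 @@ const createAccessControlPlugin = (guard) => {
 // the internal SelectQueryNode
 return from;
 }
-const guardResult = fullGuard.table(from.table, StatementType.
+const guardResult = fullGuard.table(from.table, StatementType.Select, TableUsageContext.TableInJoin);
 (0, exports.throwIfDenyWithReason)(guardResult, `JOIN denied on table ${((_a = from.table.schema) === null || _a === void 0 ? void 0 : _a.name) ? `${from.table.schema.name}.` : ""}${from.table.identifier.name}`);
 if (guardResult === exports.Allow) {
 return from;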
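Review bot: In the first hunk, the row filter that `transformUpdateQuery` now applies via `this._transformWhere(guardResult, node.where)` has no visible regression test, and because the removed lines are truncated on this page it looks as if earlier versions passed UPDATE statements through without the grant's predicate. I would add a test that an UPDATE under a row-restricted grant compiles with that predicate in its WHERE, including when `node.where` is undefined, and confirm that the delete path gets the same wrapping. A comment above the assignment such as `// Fail closed: the grant's row filter must be present even when the caller supplied no WHERE` would record the invariant. In the second hunk the join guard is always called with `StatementType.Select`; if this helper is also reached for joins inside UPDATE or DELETE statements, a guard that keys on statement type would see the wrong value, so that is worth checking. Both function bodies start outside their hunks.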