Re: Thoughts on row-level security for webapps? - Mailing list pgsql-general

From Achilleas Mantzios
Subject Re: Thoughts on row-level security for webapps?
Date
Msg-id 75a43cb2-2e87-2628-ea69-c3b69ee997f5@matrix.gatewaynet.com
Whole thread Raw
In response to Thoughts on row-level security for webapps?  (Siegfried Bilstein <sbilstein@gmail.com>)
List pgsql-general
On 31/12/18 6:57 μ.μ., Siegfried Bilstein wrote:
Hi all, 

I'm evaluating using a tool called Postgraphile that generates a GraphSQL server from a postgres setup. The recommended way of handling security is to implement RLS within postgres and simply have the webserver take a cookie or similar and define which user is querying data. 

I've normally built webapps like this: pull out user id from a session cookie -> the API endpoint verifies the user and whether or not it has access to the given data -> app code mutates the data. 

With Postgraphile the request specifies the mutation and the server processes the request and relies on Postgres to determine if the user has correct access rights. 

It seems like I would need to create a ROLE for every single member that signs up for my website which I'm a little concerned about.

Why?

Is this a common usage pattern for SQL security? Any gotchas relying on RLS?

--
Siggy Bilstein


-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt

pgsql-general by date:

Previous
From: Nguyễn Trần Quốc Vinh
Date:
Subject: Re: [GENERAL] Incremental refresh - Materialized view
Next
From: Mark
Date:
Subject: Re: Query planner / Analyse statistics bad estimate rows=1 withmaximum statistics 10000 on PostgreSQL 10.2