Any idea how I can do RLS
Right now I use Prisma + Express + Refine, and I was thinking of exploring Wasp. I'm curious how to solve RLS (Row Level Security). My use case is that every user would belong to a customer, and all the records we save would need to have the customer_id. We will have to pull it from the session context.
Hey @ramkumar9226 !
Hmmmm, so what I know about RLS is that, for example, in PostgreSQL you can apply RLS policies to certain tables and then, based on which Postgres DB user is accessing them, limit their access.
However, if you are building a web application with multiple users that can each have their own data stored in the database, then we don't really talk about RLS; we just talk about assigning resources/data to specific users.
Is this what you are going for?
For example you might have two users, U1 and U2, and each user can have Tasks, so U1 might have tasks T1 and T2, while U2 might have tasks T3 and T4, and you want to make sure U1 can access/manipulate only T1 and T2, while U2 can access/manipulate only T3 and T4.
If this is what you are going for, then it is really the most common thing, and there are plenty of examples of how to do it. The main idea is that you put user IDs in your resources, and then when dealing with DB operations in your server (Express) you check those IDs to make sure you are dealing with the correct resources.
If this is it, then I recommend checking the portion of our TodoApp tutorial where we show how to do authentication: there is a subsection of it where we show exactly how to link resources in the DB to a specific user via ID, and then also how to modify Queries / Actions to check those and enforce the restrictions based on them: https://wasp-lang.dev/docs/tutorials/todo-app/06-auth#defining-user-task-relation-in-entities
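The pattern the reply describes (store the owner's ID on every row, then check it in every DB operation), as an added example that is not part of the original thread and not the Wasp tutorial's code. It uses the original poster's customer_id tenancy rather than per-user ownership. An in-memory array stands in for the Prisma/Postgres table, and the `scopedTaskRepo` / `withTenantRepo` names are hypothetical; the point is that the tenant filter is applied inside the repository, from the session, so a handler that forgets it cannot widen access. The unscoped lookup is included only to show the failure mode.

```javascript
// Constructed sample data: tasks belonging to two customers, C1 and C2.
const tasks = [
  { id: 1, customerId: 'C1', title: 'T1' },
  { id: 2, customerId: 'C1', title: 'T2' },
  { id: 3, customerId: 'C2', title: 'T3' },
  { id: 4, customerId: 'C2', title: 'T4' },
];
let nextId = 5;

// UNSAFE (failure mode): trusts the caller to filter by tenant. A handler
// doing findByIdUnscoped(req.params.id) returns any customer's row.
function findByIdUnscoped(id) {
  return tasks.find((t) => t.id === id) ?? null;
}

// Hypothetical repository bound to the customer taken from the session.
// Every method adds the customerId condition itself (the Prisma equivalent
// would be `where: { id, customerId }`), so the tenant check cannot be
// forgotten at the call site.
function scopedTaskRepo(session) {
  if (!session || typeof session.customerId !== 'string' || session.customerId === '') {
    throw new Error('no authenticated customer in session');
  }
  const customerId = session.customerId;
  const owned = (t) => t.customerId === customerId;

  // Another customer's row is reported as "not found", not "forbidden",
  // so ids cannot be enumerated across tenants.
  const findById = (id) => tasks.find((t) => t.id === id && owned(t)) ?? null;

  return {
    findMany: () => tasks.filter(owned),
    findById,
    update(id, data) {
      const row = findById(id);
      if (!row) return null;
      // Never let client-supplied data move a row between customers
      // or change its primary key.
      const { customerId: _c, id: _i, ...safe } = data;
      Object.assign(row, safe);
      return row;
    },
    create(data) {
      // The tenant comes from the session, never from the request body.
      const { customerId: _c, ...rest } = data;
      const row = { id: nextId++, ...rest, customerId };
      tasks.push(row);
      return row;
    },
    remove(id) {
      const idx = tasks.findIndex((t) => t.id === id && owned(t));
      if (idx === -1) return false;
      tasks.splice(idx, 1);
      return true;
    },
  };
}

// Express-style middleware (hypothetical): build the scoped repo once per
// request so route handlers only ever see a tenant-bound handle.
function withTenantRepo(req, _res, next) {
  req.tasks = scopedTaskRepo(req.session);
  next();
}

// Simulated route handler using the middleware's handle; returns the
// status/body pair an Express handler would send.
function getTaskHandler(req) {
  const task = req.tasks.findById(Number(req.params.id));
  return task ? { status: 200, body: task } : { status: 404, body: { error: 'not found' } };
}

// Stand-alone demonstration: a C1 session asking for C2's task 3.
function demo() {
  const req = { session: { customerId: 'C1' }, params: { id: '3' } };
  withTenantRepo(req, {}, () => {});
  return { unscoped: findByIdUnscoped(3), scoped: getTaskHandler(req) };
}
```

Applying the same idea with real Postgres RLS instead of application code (a policy comparing customer_id to a per-transaction setting) is a separate option the reply's first paragraph alludes to; the repository approach above is the application-level version it actually recommends.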