Editor is able to insert withou permissions.

[ghost]

Version Information

Server Version:
2.1.1

Environment

hasura:2.1.1/docker
postgres/docker

What is the expected behaviour?

Editor shouldn't be able to insert posts.

Keywords

permissions roles jwt x-hasura-allowed-roles

What is the current behaviour?

I can insert posts with the following JWT: Why?
"https://hasura.io/jwt/claims": {
"x-hasura-default-role": "user",
"x-hasura-role": "[editor]",
"x-hasura-user-id": "abc-123",
"x-hasura-allowed-roles": [
"user",
"editor"
]
}
This shouldn't be possible!

How to reproduce the issue?

1. Create a table posts
2. Go to Permissions and create two roles, user & editor
3. Editor should have no insert permission.
4. Create a JWT Token with x-hasura-claims like described before.
5. Use this token to insert a post into the table.

[robx]

Someone correct me if I'm wrong, but I believe, following https://hasura.io/docs/latest/graphql/core/auth/authentication/jwt.html#tl-dr:

• x-hasura-role within the JWT is probably not what you want, you'd want to pass it as a request header
• then, you probably intended editor instead of [editor]

That JWT (ignoring the x-hasura-role key) allows making requests as both user and editor. If no x-hasura-role header is passed, it will be made as user.

[ghost]

Thanks for the reply, it makes sense how you describe it, but when using JWT, i maybe don't want to use other request headers anymore. Why should hasura ignore the x-haura-role claim in the JWT? Maybe this should not be reported as a bug, but a change request..

Background: I am using keycloak as an auth-provider, mapping the real User Client Role (defined in keycloak) to the x-hasura-role JWT claim.

[robx]

If you want to have the client use a particular role, say 'editor' in this case, would the following not work?

• set "x-hasura-default-role": "editor"
• set "x-hasura-allowed-roles" : ["editor"]

both in the JWT.

[ghost]

Your first reply was very helpful. I found out, that the default role should be the role with the least privileges, meant as a fallback in case no x-hasura-role Header is sent. I can live with adding the x-hasura-role header by the application. I will just need to think about the role concept and add the default role to all the users in my keycloak realm or something.. and this will then be mapped to the x-hasura-allowed-roles claim and everything is fine. Thanks! I have learned something about how hasura works and should read the docs more carefully. ;-)