Restrict mutation input when inserting/updating entries

[rkeulemans]

Scenario

Say we have a database with four entities, Company, User, UserCompany (linking table between User and Company), Group (which has an id, company_id (foreign key) and a name) and finally a UserGroup (linking table between User and Group). Now we expose this database using Hasura.

Questions

• How can we make sure that in the insert_user_group_one(..) mutation, only ids of users can be inserted that are actually in the Company that the user that tries to insert this belongs to? If we use Postgres triggers, how can we access the id of the user executing the mutation? Preferably we don't use Postgres triggers, since then we are implementing authentication in two places (in Hasura itself and on database level).
• How can we make sure that users can only create groups with company_id equal to the company he is in?
• Similar question for update mutations.

[adas98012]

You can use role-based access control, to restrict users to only insert/update their own records.
You can use "X-Hasura-User-Id" to send the User Id in the request.
Here is the link to the docs:

https://hasura.io/docs/latest/auth/authorization/roles-variables/