undefined | Better HN

0 pointsmewpmewp24y ago0 comments

Out of curiosity, how is that enforcement usually done? I have usually just used some SQL database like MySQL/Postgres, and having application determine how to fetch data, so application has access to everything. I can see how this could be insecure due to some bug in application code fetching with wrong WHERE etc, how would one go about enforcing it on sql/database layer?

Would you have separate SQL credentials for each user, and configure SQL for each credential to have access to certain WHERE queries, or?

To simplify a use-case let's say I have "users" table and "tasks" table, where there's user_id in "tasks". Would I have separate sql credentials where they are configured in sql layer to have access to only rows where user_id corresponds to this certain credential? But even then how are credentials mapped to userId, as bug in application could easily cause retrieving false credentials?

Other way I can think of is to just have completely separate databases for each user, but let's in this case assume we must often do work with a mix of different users data.

0 comments

diveanon4y ago

So I think the best place to start is looking into row-level security in Postgres. Its a familiar place to start and gives a high return. Row level security can be used to implement the user / tasks use case you described.

j / k navigate · click thread line to collapse

0 pointsmewpmewp24y ago0 comments

Would you have separate SQL credentials for each user, and configure SQL for each credential to have access to certain WHERE queries, or?

Other way I can think of is to just have completely separate databases for each user, but let's in this case assume we must often do work with a mix of different users data.