Skip to content

docs: correct conditional row-level access & allow_all claims#11194

Open
AvilaJulio wants to merge 2 commits into
cube-js:masterfrom
AvilaJulio:docs/conditional-row-level-access-fixes
Open

docs: correct conditional row-level access & allow_all claims#11194
AvilaJulio wants to merge 2 commits into
cube-js:masterfrom
AvilaJulio:docs/conditional-row-level-access-fixes

Conversation

@AvilaJulio

Copy link
Copy Markdown
Member

Corrects invalid claims in the conditional row-level access docs added in #10821 (which document #10767). Every change was validated against Cube 1.6.65 (Docker + Postgres, signed JWTs across multiple security contexts) and cross-checked against the cubejs-schema-compiler / cubejs-server-core source.

What was wrong

  • YAML in / >= / ternaries don't work. Cube parses YAML { ... } expressions as Python (PythonParser.ts); fix: Support not in access policy conditions #10767 added only and/or/not. Comparison operators (==, >=, in) and inline if/else throw Unsupported Python multiple children node: Comp_opContext: …. For conditions.if this surfaces as a silent deny (WHERE 1 = 0, empty results); for filter values it's a compile error.
  • row_level as a function of securityContext is not supported — CubeValidator accepts an object only (rowLevel: RowLevelPolicySchema), and the arrow-function core change was reverted during fix: Support not in access policy conditions #10767. Cube errors with securityContext is not defined.
  • allow_all: false is invalid — allowAll: Joi.boolean().valid(true), xor with filters. Cube fails to compile: allowAll = false must be [true].
  • Broken link to the guide (/docs/data-modeling/access-control/data-access-policies — that page doesn't exist).

Fixes

  • Replaced in/>= in YAML examples with .includes(...) and boolean attributes; documented the supported vs unsupported YAML operators.
  • Replaced the "row_level as a function" guidance with the working pattern (compute a filter's member/values from securityContext in JavaScript).
  • Documented only allow_all: true and deny-by-default; removed the allow_all: false example.
  • Fixed the guide link path.

Validated behavior (Docker, Cube 1.6.65)

Scenario Result
Region switching via .includes() (YAML) ✅ EMEA→EMEA, AMER→AMER
Admin allow_all override (OR across policies) ✅ admin sees all rows
AND across conditions, not, or ✅ all 5 cases correct
JS ternary in filter values ✅ dynamic per request
allow_all: false ❌ compile error (as now documented)
row_level as function ❌ compile error (as now documented)
YAML in / >= ❌ parse error / silent deny (as now documented)

Relates to #10821, documents #10767.

🤖 Generated with Claude Code

https://claude.ai/code/session_01T11gd3wgtSz7WGVnZ2ewPW

mintlify Bot and others added 2 commits May 5, 2026 16:05
Fixes invalid claims in the conditional row-level access docs, validated
against Cube 1.6.65 (Docker + Postgres) and the schema-compiler source:

- YAML `{ ... }` expressions are parsed as Python and only support
  and/or/not, parentheses, member access, and method calls. Replaced
  `in` and `>=` (which throw "Unsupported Python multiple children node"
  and can silently deny access) with `.includes(...)` and boolean
  attributes; documented the unsupported operators.
- Removed the "make `row_level` a function of securityContext" guidance
  (rejected by CubeValidator: rowLevel is object-only; the core change
  was reverted in cube-js#10767). Replaced with the working pattern of computing
  a filter's member/values from securityContext in JavaScript.
- Removed `allow_all: false` (invalid: allowAll only accepts `true`,
  xor with filters); documented deny-by-default instead.
- Fixed broken link to the data-access-policies guide (dropped the
  non-existent `/access-control/` path segment).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01T11gd3wgtSz7WGVnZ2ewPW
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant