docs: correct conditional row-level access & allow_all claims#11194
Open
AvilaJulio wants to merge 2 commits into
Open
docs: correct conditional row-level access & allow_all claims#11194AvilaJulio wants to merge 2 commits into
AvilaJulio wants to merge 2 commits into
Conversation
Fixes invalid claims in the conditional row-level access docs, validated
against Cube 1.6.65 (Docker + Postgres) and the schema-compiler source:
- YAML `{ ... }` expressions are parsed as Python and only support
and/or/not, parentheses, member access, and method calls. Replaced
`in` and `>=` (which throw "Unsupported Python multiple children node"
and can silently deny access) with `.includes(...)` and boolean
attributes; documented the unsupported operators.
- Removed the "make `row_level` a function of securityContext" guidance
(rejected by CubeValidator: rowLevel is object-only; the core change
was reverted in cube-js#10767). Replaced with the working pattern of computing
a filter's member/values from securityContext in JavaScript.
- Removed `allow_all: false` (invalid: allowAll only accepts `true`,
xor with filters); documented deny-by-default instead.
- Fixed broken link to the data-access-policies guide (dropped the
non-existent `/access-control/` path segment).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01T11gd3wgtSz7WGVnZ2ewPW
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Corrects invalid claims in the conditional row-level access docs added in #10821 (which document #10767). Every change was validated against Cube 1.6.65 (Docker + Postgres, signed JWTs across multiple security contexts) and cross-checked against the
cubejs-schema-compiler/cubejs-server-coresource.What was wrong
in/>=/ ternaries don't work. Cube parses YAML{ ... }expressions as Python (PythonParser.ts); fix: Support not in access policy conditions #10767 added onlyand/or/not. Comparison operators (==,>=,in) and inlineif/elsethrowUnsupported Python multiple children node: Comp_opContext: …. Forconditions.ifthis surfaces as a silent deny (WHERE 1 = 0, empty results); for filtervaluesit's a compile error.row_levelas a function ofsecurityContextis not supported —CubeValidatoraccepts an object only (rowLevel: RowLevelPolicySchema), and the arrow-function core change was reverted during fix: Support not in access policy conditions #10767. Cube errors withsecurityContext is not defined.allow_all: falseis invalid —allowAll: Joi.boolean().valid(true), xor withfilters. Cube fails to compile:allowAll = false must be [true]./docs/data-modeling/access-control/data-access-policies— that page doesn't exist).Fixes
in/>=in YAML examples with.includes(...)and boolean attributes; documented the supported vs unsupported YAML operators.member/valuesfromsecurityContextin JavaScript).allow_all: trueand deny-by-default; removed theallow_all: falseexample.Validated behavior (Docker, Cube 1.6.65)
.includes()(YAML)allow_alloverride (OR across policies)conditions,not,orvaluesallow_all: falserow_levelas functionin/>=Relates to #10821, documents #10767.
🤖 Generated with Claude Code
https://claude.ai/code/session_01T11gd3wgtSz7WGVnZ2ewPW