rls.ts — drizzle-orm Source File

Architecture documentation for rls.ts, a TypeScript file in the drizzle-orm codebase. 4 imports, 0 dependents.

Dependency Diagram

graph LR
  5fa43d48_28a9_faeb_d727_27d04b78971a["rls.ts"]
  27705a9d_afe9_57dd_8c97_e52d8a67d426["entity.ts"]
  5fa43d48_28a9_faeb_d727_27d04b78971a --> 27705a9d_afe9_57dd_8c97_e52d8a67d426
  fa14e9c0_b73d_4bcb_463b_adf18df8a285["index.ts"]
  5fa43d48_28a9_faeb_d727_27d04b78971a --> fa14e9c0_b73d_4bcb_463b_adf18df8a285
  fd46616a_1f86_f019_eb0a_9c87f4d363a8["roles.ts"]
  5fa43d48_28a9_faeb_d727_27d04b78971a --> fd46616a_1f86_f019_eb0a_9c87f4d363a8
  be483a7f_d5d7_7a9b_9a13_44a4a6aafbbd["sql.ts"]
  5fa43d48_28a9_faeb_d727_27d04b78971a --> be483a7f_d5d7_7a9b_9a13_44a4a6aafbbd
  style 5fa43d48_28a9_faeb_d727_27d04b78971a fill:#6366f1,stroke:#818cf8,color:#fff

Source Code

import { is } from '~/entity.ts';
import { type AnyPgColumn, pgPolicy, type PgPolicyToOption } from '~/pg-core/index.ts';
import { PgRole, pgRole } from '~/pg-core/roles.ts';
import { type SQL, sql } from '~/sql/sql.ts';

/**
 * Generates a set of PostgreSQL row-level security (RLS) policies for CRUD operations based on the provided options.
 *
 * @param options - An object containing the policy configuration.
 * @param options.role - The PostgreSQL role(s) to apply the policy to. Can be a single `PgRole` instance or an array of `PgRole` instances or role names.
 * @param options.read - The SQL expression or boolean value that defines the read policy. Set to `true` to allow all reads, `false` to deny all reads, or provide a custom SQL expression. Set to `null` to prevent the policy from being generated.
 * @param options.modify - The SQL expression or boolean value that defines the modify (insert, update, delete) policies. Set to `true` to allow all modifications, `false` to deny all modifications, or provide a custom SQL expression. Set to `null` to prevent policies from being generated.
 * @returns An array of PostgreSQL policy definitions, one for each CRUD operation.
 */
export const crudPolicy = (options: {
	role: PgPolicyToOption;
	read: SQL | boolean | null;
	modify: SQL | boolean | null;
}) => {
	if (options.read === undefined) {
		throw new Error('crudPolicy requires a read policy');
	}

	if (options.modify === undefined) {
		throw new Error('crudPolicy requires a modify policy');
	}

	let read: SQL | undefined;
	if (options.read === true) {
		read = sql`true`;
	} else if (options.read === false) {
		read = sql`false`;
	} else if (options.read !== null) {
		read = options.read;
	}

	let modify: SQL | undefined;
	if (options.modify === true) {
		modify = sql`true`;
	} else if (options.modify === false) {
		modify = sql`false`;
	} else if (options.modify !== null) {
		modify = options.modify;
	}

	let rolesName = '';
	if (Array.isArray(options.role)) {
		rolesName = options.role
			.map((it) => {
				return is(it, PgRole) ? it.name : (it as string);
			})
			.join('-');
	} else {
		rolesName = is(options.role, PgRole)
			? options.role.name
			: (options.role as string);
	}

	return [
		read
		&& pgPolicy(`crud-${rolesName}-policy-select`, {
			for: 'select',
			to: options.role,
			using: read,
		}),

		modify
		&& pgPolicy(`crud-${rolesName}-policy-insert`, {
			for: 'insert',
			to: options.role,
			withCheck: modify,
		}),
		modify
		&& pgPolicy(`crud-${rolesName}-policy-update`, {
			for: 'update',
			to: options.role,
			using: modify,
			withCheck: modify,
		}),
		modify
		&& pgPolicy(`crud-${rolesName}-policy-delete`, {
			for: 'delete',
			to: options.role,
			using: modify,
		}),
	].filter(Boolean);
};

// These are default roles that Neon will set up.
export const authenticatedRole = pgRole('authenticated').existing();
export const anonymousRole = pgRole('anonymous').existing();

export const authUid = (userIdColumn: AnyPgColumn) => sql`(select auth.user_id() = ${userIdColumn})`;

Dependencies

  • entity.ts
  • index.ts
  • roles.ts
  • sql.ts

Frequently Asked Questions

What does rls.ts do?
rls.ts is a source file in the drizzle-orm codebase, written in TypeScript. It belongs to the DrizzleORM domain, RelationalQuery subdomain.

What functions are defined in rls.ts?
rls.ts defines 2 functions: authUid, crudPolicy.

What does rls.ts depend on?
rls.ts imports 4 modules: entity.ts, index.ts, roles.ts, sql.ts.

Where is rls.ts in the architecture?
rls.ts is located at drizzle-orm/src/neon/rls.ts (domain: DrizzleORM, subdomain: RelationalQuery, directory: drizzle-orm/src/neon).
