Add accessor field to authorizer rules #216
Merged
penberg merged 1 commit into tursodatabase:main from Apr 4, 2026
Expose SQLite's 4th authorizer callback argument (the innermost trigger
or view that caused an authorization check) as an optional `accessor`
field on authorization rules.
This enables view-scoped authorization: a rule can allow reads from an
underlying table only when accessed through a specific view, while
blocking direct table access. For example:
{ action: Action.READ, table: "data", accessor: "my_view", policy: Authorization.ALLOW }
This rule allows reads from "data" only when the read is driven by
"my_view" (accessor = "my_view"), and blocks direct SELECT on "data"
(where accessor is null).
The accessor field supports the same pattern matching as other fields:
plain strings for exact match, or { glob: "pattern" } for wildcards.
glommer approved these changes Apr 4, 2026
Description
Adds an optional `accessor` field to authorization rules, exposing SQLite's 4th authorizer callback argument — the innermost trigger or view that caused the authorization check.
When querying through a view, SQLite's authorizer fires READ callbacks with the underlying table name, not the view name. Without the accessor field, the only way to allow view-based access while blocking direct table access is to materialize the view into a temporary table.
With the accessor field, rules can scope reads by the view context:
This allows `SELECT * FROM my_view` (accessor = "my_view") but blocks `SELECT * FROM data` directly (accessor = null). The `accessor` field supports exact strings and `{ glob: "pattern" }`, same as other pattern fields.
The `libsql` Rust crate already exposes this as `AuthContext.accessor: Option<&str>` — this PR wires it through to the JS rule-matching system.
How was this change tested?
Four integration tests added covering view-scoped access, direct access blocking, glob pattern matching on accessor, and subquery escape prevention.
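An added example, not code from this PR or the project: the SQLite behaviour the description relies on, shown with Python's built-in `sqlite3` module, whose authorizer callback receives the same innermost view/trigger name as its last argument. The schema, the `open_db` and `run` helpers and the deny-unless-matching policy are assumptions made for illustration, and `fnmatchcase` stands in for the project's glob matching.

```python
import sqlite3
from fnmatch import fnmatchcase

# Constructed schema: a base table and a view that leaves out the "secret" column.
SCHEMA = """
CREATE TABLE data (id INTEGER, value TEXT, secret TEXT);
INSERT INTO data VALUES (1, 'public', 'hidden');
CREATE VIEW my_view AS SELECT id, value FROM data;
"""

def open_db(accessor_pattern):
    """Return (conn, seen); reads of "data" are allowed only via a matching view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # schema is built before the authorizer is installed
    seen = []  # (column, accessor) for every READ check on "data"

    def authorizer(action, arg1, arg2, db_name, accessor):
        # For SQLITE_READ, arg1 is the table and arg2 the column. The last
        # argument is the innermost view or trigger, or None for direct SQL.
        if action == sqlite3.SQLITE_READ and arg1 == "data":
            seen.append((arg2, accessor))
            if accessor is None or not fnmatchcase(accessor, accessor_pattern):
                return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK  # assumption: everything else is permitted

    conn.set_authorizer(authorizer)
    return conn, seen

def run(conn, sql):
    """Return the rows, or None when the authorizer rejected the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

if __name__ == "__main__":
    conn, seen = open_db("my_*")
    print(run(conn, "SELECT * FROM my_view"))   # read driven by the view
    print(run(conn, "SELECT * FROM data"))      # direct read, accessor is None
    # A subquery written in the outer statement is not inside the view,
    # so its read of "data" also arrives with accessor None.
    print(run(conn, "SELECT (SELECT secret FROM data) FROM my_view"))
    print(seen)
```

The `seen` list shows that the table name reported for the view query is `data` in every check, with `my_view` appearing only as the accessor.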