Column level access control? #1571

tomsharratt · 2023-01-11T15:10:31Z

tomsharratt
Jan 11, 2023

I have a couple different scenarios that require specific columns on a table have different access permissions.

Scenario 1: I have a table which contains a timestamp (start_at). I want to have some columns unable to be read/visible until the start_at time has passed. (The whole table is read only and only editable by admins, I just want some columns hidden until appropriate).

Scenario 2: I have a table which is editable but some columns are supposed to be read-only and updated by admins.

This seems to boil down to the concept of column level rules?

I am using pocketbase as a framework so I am willing to write custom code if needed. I just want to double check this isn't already possible (based on my searching I don't think it is?)

Answered by ganigeorgiev

Jan 11, 2023

There are no dedicated field/column level access/visibility rules. You'll have to implement it on your own depending on your use case.

At the moment the easiest way to hide/restrict access to fields is to move them to a new collection with their own API rules.

This eventually will be simplified in the future, since there are plans to add a "view" collection type per #311 (comment).

View full answer

ganigeorgiev · 2023-01-11T15:16:26Z

ganigeorgiev
Jan 11, 2023
Maintainer

There are no dedicated field/column level access/visibility rules. You'll have to implement it on your own depending on your use case.

At the moment the easiest way to hide/restrict access to fields is to move them to a new collection with their own API rules.

This eventually will be simplified in the future, since there are plans to add a "view" collection type per #311 (comment).

2 replies

tomsharratt Jan 11, 2023
Author

Thanks for the reply @ganigeorgiev.

So for the first scenario I listed would the suggested approach be to alter the response using record api hooks to remove certain columns if the start_at time is future? Or would you suggest having the conditional visibility fields in a separate table and control the access with a rule that compares now() > other_table.start_at ?

ganigeorgiev Jan 11, 2023
Maintainer

It depends on your use case.

Usually, there are 3 common options:

Move your fields in a separate collection and link them with a relation field (this will work with almost all cases).
"Lock" your collection for admin only access and create a new endpoint that will query and return only the record/fields you want.
Manually overwrite the List, View and realtime record responses (depending on your data, this could be more involving and error prone).

Personally, I'd go with the first option.
Although 1) may be a little verbose, it provides both read/write permissions control over your data without having to manually adjust the response(s) or create custom endpoint(s).

jimafisk · 2023-01-13T19:32:52Z

jimafisk
Jan 13, 2023

I have a couple of scenarios that I think are related, but don't require any computation so I'm not sure if these are currently possible:

Can you expose only one specific field in a View or List action? My understanding is when an API rule condition is met, the whole record (all fields) would be sent.
- For example if I had an "organizations" collection and I wanted users to be able to search through a list of "name" fields, could I do this while still protecting all the other information on the organization (without having to create a separate collection like "organization_name")?
Similarly is there a way to allow users to be able to edit only one specific field without being able to view or change other values on the record? I imagine you could do this if you manually set @request.data for all the other fields to what currently exists in the database, but is there a shortcut for saying that @request.data must be empty except for this one field that users of this type have permissions to edit?

I wasn't sure if #311 would solve these types of scenarios. Thank you!

6 replies

michael-schmid-wlw Nov 10, 2025

No, unfortunately both 2 described scenarios at the moment could be handled out of the box only if you move the fields in their own collection(s).

...is there a shortcut for saying that @request.data must be empty except for this one field that users of this type have permissions to edit?

I'm not sure if that's what you are looking for, but with v0.11.0 there is support for :isset field modifier that could be used to check if the user has submitted a data value or not, eg.:
// allow setting all other fields except the "role"
@request.data.role:isset = false
I wasn't sure if #311 would solve these types of scenarios.

#311 was initially created for computed/raw-sql fields, but as mentioned in #311 (comment), it may better to expand its scope and implement a "view" collection type instead since it will cover more use cases (including restricted/limited/hidden/etc. fields and aggregations).
I know this is an old issue but id like to add some thoughts to this:

The Isset operator might not be optimal in cases where some webapps send the unmodified field value to the backend. I can do something like this:

(@request.body.businessPartner:isset = false || @request.body.businessPartner=businessPartner) && (@request.body.companyName:isset = false || @request.body.companyName=companyName)

buuut this can get ugly real quickly.

Or how would you suggest solving this?
I've solved this with hooks for now

ganigeorgiev Nov 10, 2025
Maintainer

@michael-schmid-wlw changed modifier exists in my todo and could be added eventually in the future but for now remains a very low priority. If you want to allow user to either submit the same value or none at all then there are no other options at the moment.

This comment was marked as off-topic.

Sign in to view

This comment was marked as off-topic.

Sign in to view

ganigeorgiev Nov 22, 2025
Maintainer

Just for info in case someone stumble here: :changed modifier was prioritized and added as part of v0.34.0 release.

AxelRothe · 2023-10-27T21:58:23Z

AxelRothe
Oct 27, 2023

I'm writing a E-Commerce Rental shop web app for my business and have noticed that I'm often leaving a lot of the constraints to the client. Meaning, if a invoice is set to paid, I don't want to allow any API call to be able to change something. Right now this needs to be caught by the client, which works for my app now, but won't transfer my business logic to lets say a small serverless function I might run against the DB to onboard now suppliers in a different web app.

Now I can do this via the API Rule and that works. But lets say I want to make sure no Name of a Product starts with a Space or any non letter - well I'm not sure I could do that via the API rule or if yes, then only via very long and winded if statements.

It would be great to be able to declare constraints per column or maybe even functions that will run after a new item is added or one is changed. (I know this can be done via functions and listeners, but I would like my client to receive an error, if the write failed.)

I wanted to offer a real world example, hope this helps clarify a use case.

1 reply

tigawanna Jan 4, 2025

isset can help stop the client from modifying certain fields but for more expressive constraints consider the jvsm hooks

jagyas · 2025-01-03T04:26:48Z

jagyas
Jan 3, 2025

I can suggest if we can create a separate "view" in pocketbase with only selecting those columns which we need to show and call them instead of calling actual collection. we can create multiple "views" as per our different requirements. I hope this can help somebody.

0 replies

Column level access control? #1571

Uh oh!

tomsharratt Jan 11, 2023

Replies: 4 comments · 9 replies

Uh oh!

Uh oh!

ganigeorgiev Jan 11, 2023 Maintainer

Uh oh!

tomsharratt Jan 11, 2023 Author

Uh oh!

ganigeorgiev Jan 11, 2023 Maintainer

Uh oh!

jimafisk Jan 13, 2023

Uh oh!

Uh oh!

michael-schmid-wlw Nov 10, 2025

Uh oh!

ganigeorgiev Nov 10, 2025 Maintainer

This comment was marked as off-topic.

This comment was marked as off-topic.

Uh oh!

ganigeorgiev Nov 22, 2025 Maintainer

Uh oh!

Uh oh!

AxelRothe Oct 27, 2023

Uh oh!

tigawanna Jan 4, 2025

Uh oh!

jagyas Jan 3, 2025

tomsharratt
Jan 11, 2023

Replies: 4 comments 9 replies

ganigeorgiev
Jan 11, 2023
Maintainer

tomsharratt Jan 11, 2023
Author

ganigeorgiev Jan 11, 2023
Maintainer

jimafisk
Jan 13, 2023

ganigeorgiev Nov 10, 2025
Maintainer

ganigeorgiev Nov 22, 2025
Maintainer

AxelRothe
Oct 27, 2023

jagyas
Jan 3, 2025