v2.47.0

@hasura-bot hasura-bot released this 15 Apr 14:24
· 103 commits to master since this release

Changelog

Bug fixes and improvements

Server

  • Don't attempt to CREATE EXTENSION pgcrypto if it already exists, so users on Azure using an unprivileged Postgres user in Hasura can create the extension manually prior to startup.
  • Add new HASURA_GRAPHQL_REDIS_NO_FAIL_ON_STARTUP option, allowing the engine to start up normally, but with rate limiting and caching disabled, if there are errors with redis during startup. (Enterprise edition only)

Console

  • Fix connection template and Dynamic Routing settings being reset when editing database in Connection Details page. (Cloud / Enterprise edition only)

CLI

  • Add a flag --no-transaction to migrate apply command.

Build

  • Update libpq version in UBI9 base image.

Security fixes

Server

Fixed Nested Inherited Roles Permission Propagation

Fixed an issue where permissions were not properly propagated through multiple levels of role inheritance. This affects both queries and mutations:

  • For Queries: Previously, when Role D inherited from Role C, which inherited from Roles A and B, the row filters and column restrictions from Role A were not properly applied to Role D. This could allow Role D to access data that should have been restricted.

  • For Mutations: Mutations using nested inherited roles now correctly enforce permission constraints. For example:

    If Role A restricts "salary" with {"user_id": "X-Hasura-User-Id"}
    Role D (inheriting from Role C, which inherits from Role A)
    now requires X-Hasura-User-Id when filtering on salary:

    mutation {
      delete_employees(where: {salary: {_gt: 100000}}) {
        affected_rows
      }
    }

Note: If you're using nested inherited roles in your application, you may need to update mutations to include the appropriate session variables that were previously bypassed.

For more details on how inherited roles work, see the documentation.
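
To find which roles in a deployment the note above applies to, the following added example (not part of the Hasura release notes or tooling) walks the `inherited_roles` list of an exported metadata document and reports every inherited role that has another inherited role in its chain, together with the ordinary roles whose restrictions now reach it. It assumes the export's `role_name` / `role_set` keys; the role names and the sample metadata are constructed.

```python
import json

# Constructed sample in the shape of the "inherited_roles" list from a Hasura
# metadata export; role names mirror the A/B/C/D example in the release note.
SAMPLE_METADATA = json.loads("""
{
  "inherited_roles": [
    {"role_name": "role_c", "role_set": ["role_a", "role_b"]},
    {"role_name": "role_d", "role_set": ["role_c"]},
    {"role_name": "role_e", "role_set": ["role_b"]}
  ]
}
""")


def nested_inherited_roles(metadata):
    """Return {role: {"depth": n, "base_roles": [...]}} for every inherited
    role that has another inherited role somewhere in its role_set."""
    parents = {r["role_name"]: list(r["role_set"])
               for r in metadata.get("inherited_roles", [])}

    def resolve(role, path):
        # Roles absent from `parents` are ordinary (non-inherited) roles.
        if role not in parents:
            return 0, {role}
        if role in path:
            raise ValueError("inheritance cycle: " + " -> ".join(path + [role]))
        depth, bases = 0, set()
        for parent in parents[role]:
            d, b = resolve(parent, path + [role])
            depth = max(depth, d)
            bases |= b
        return depth + 1, bases

    report = {}
    for role in parents:
        depth, bases = resolve(role, [])
        if depth > 1:  # depth 1 = inherits only from ordinary roles
            report[role] = {"depth": depth, "base_roles": sorted(bases)}
    return report


if __name__ == "__main__":
    for role, info in nested_inherited_roles(SAMPLE_METADATA).items():
        print(f"{role}: depth {info['depth']}, effective base roles {info['base_roles']}")
```

Roles reported here are the ones whose queries and mutations should be re-tested after upgrading, since restrictions from the listed base roles are now enforced on them.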