Grant

Grant = object

Defined in: packages/permissions/src/types.ts:252

A single permission grant: an action on a subject, optionally restricted by a where clause.

subject may be a Drizzle table object, a string table name (e.g. "projects"), or the literal "all" for grants that apply to every table. String and object subjects are normalized to the same key by getTableName during matching, so the two forms are interchangeable at runtime.

action: PermissionAction

Defined in: packages/permissions/src/types.ts:254

The permitted operation. "manage" is shorthand for all four CRUD actions.


subject: DrizzleTable | string

Defined in: packages/permissions/src/types.ts:259

The subject of the grant: a Drizzle table object, a string table name, or "all" for every table.


optional where: WhereClause

Defined in: packages/permissions/src/types.ts:292

Optional row-level filter that restricts which rows this grant covers.


optional with: WithLookups

Defined in: packages/permissions/src/types.ts:290

Optional prerequisite lookups that resolve before the main query and are passed to the where clause as its third argument.

Each lookup receives the current user and an unsafe-mode db handle and may return any value (synchronously or as a promise). Results are cached per Db instance, so a single lookup runs at most once per request even when the same grant participates in multiple queries.

```ts
// Assumes `grant`, the `recipes` and `friendGrants` tables, and the `eq`, `or` and
// `inArray` operators are imported from the application's own modules.
grant("read", recipes, {
  with: {
    // Resolved once per Db instance before the main query runs.
    friendIds: async (user, db) => {
      const rows = await db
        .query(friendGrants)
        .findMany({ where: eq(friendGrants.grantee, user.id) })
        .run();
      return (rows as { target: string }[]).map((r) => r.target);
    },
  },
  // The resolved lookups arrive as the where clause's third argument.
  where: (recipe, user, { friendIds }) =>
    or(
      eq(recipe.visibility, "public"),
      eq(recipe.authorId, user.id),
      inArray(recipe.authorId, friendIds as string[]),
    ),
});
```
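To make the semantics described above concrete (the `manage` and `all` shorthands, subject normalization, and `with` lookups cached per Db instance and handed to `where` as its third argument), here is an added self-contained model in TypeScript. It is not the package's code; `CrudAction`, `Lookup`, `grantCovers`, `resolveWith`, `rowAllowed`, `demo` and the `_name` field standing in for a table object are all assumptions made for the example.

```typescript
// Added illustrative model of Grant matching and `with` lookup resolution (not the
// package's own code; every identifier here is an assumption made for the example).
type CrudAction = "create" | "read" | "update" | "delete";
type User = { id: string };
type Row = Record<string, unknown>;
type Lookup = (user: User, db: object) => unknown; // may return a value or a Promise
type Grant = {
  action: CrudAction | "manage";
  subject: { _name: string } | string; // table object, string table name, or "all"
  with?: Record<string, Lookup>;
  where?: (row: Row, user: User, lookups: Record<string, unknown>) => boolean;
};
// "manage" is shorthand for all four CRUD actions; "all" applies to every table. Both
// subject forms normalize to one key, as the package's getTableName does during matching.
function grantCovers(g: Grant, action: CrudAction, table: string): boolean {
  const key = typeof g.subject === "string" ? g.subject : g.subject._name;
  return (g.action === "manage" || g.action === action) && (key === "all" || key === table);
}
// Lookup promises are cached per db handle, so a lookup runs at most once per request even when the same grant takes part in several queries.
const lookupCache = new WeakMap<object, Map<Lookup, Promise<unknown>>>();
async function resolveWith(g: Grant, user: User, db: object): Promise<Record<string, unknown>> {
  let perDb = lookupCache.get(db);
  if (!perDb) lookupCache.set(db, (perDb = new Map()));
  const out: Record<string, unknown> = {};
  for (const [name, fn] of Object.entries(g.with ?? {})) {
    if (!perDb.has(fn)) perDb.set(fn, Promise.resolve(fn(user, db)));
    out[name] = await perDb.get(fn);
  }
  return out;
}
// Row-level check: the resolved lookups become the where clause's third argument.
async function rowAllowed(g: Grant, action: CrudAction, table: string, row: Row, user: User, db: object) {
  if (!grantCovers(g, action, table)) return false;
  return g.where ? g.where(row, user, await resolveWith(g, user, db)) : true;
}
// Constructed sample mirroring the recipes grant above; counts how often its lookup actually runs.
let lookupRuns = 0;
const recipeGrant: Grant = {
  action: "read",
  subject: "recipes",
  with: { friendIds: async () => { lookupRuns++; return ["u2"]; } },
  where: (r, user, { friendIds }) =>
    r.visibility === "public" || r.authorId === user.id || (friendIds as string[]).includes(r.authorId as string),
};
async function demo(db: object = {}) {
  const user = { id: "u1" }, priv = (authorId: string): Row => ({ authorId, visibility: "private" });
  const friendRow = await rowAllowed(recipeGrant, "read", "recipes", priv("u2"), user, db);
  const strangerRow = await rowAllowed(recipeGrant, "read", "recipes", priv("u3"), user, db);
  return { friendRow, strangerRow, lookupRuns };
}
```

Two row checks against the same `db` handle share one `friendIds` resolution, which is the caching behaviour the `with` documentation describes.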