Prismarls is a CLI tool designed to facilitate the integration of PostgreSQL Row-Level Security (RLS) with Prisma Migrations. After creating a migration using prisma migrate dev --create-only
, running prismarls
will automatically generate SQL to append RLS configurations to the latest migration file.
Here's an example of the SQL generated by Prisma Migrate:
-- CreateTable
CREATE TABLE "Company" (
"id" TEXT NOT NULL,
"name" TEXT NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
CONSTRAINT "Company_pkey" PRIMARY KEY ("id")
);
Prismarls will add the following RLS settings:
-- RLS Settings
ALTER TABLE "Company" ENABLE ROW LEVEL SECURITY;
ALTER TABLE "Company" FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation_policy ON "Company" USING("id" = current_setting('app.company_id'));
CREATE POLICY bypass_rls_policy ON "Company" USING (current_setting('app.bypass_rls', TRUE)::text = 'on');
Create a migration with Prisma Migrate and then append RLS configurations using Prismarls:
# Create a migration with Prisma Migrate --create-only
npx prisma migrate dev --create-only --name migration
# Use Prismarls to add RLS settings and create policies for the specified tables
npx @shoito/prismarls --schema=./prisma/schema.prisma --migrations=./prisma/migrations --currentSettingIsolation=app.company_id --currentSettingBypass=app.bypass_rls
Add a /// @RLS
comment in your schema.prisma
to specify tables and columns for which RLS should be configured.
model Company {
id String @id @default(cuid()) /// @RLS
name String
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
}
If table or column names are specified using map
, include these in the @RLS
annotation:
model User {
id String @id @default(cuid())
email String @unique
company Company? @relation(fields: [companyId], references: [id])
companyId String? @map("company_id") /// @RLS(table: "users", column: "company_id")
@@map("users")
}
--schema
: Path to your Prisma schema.prisma
file. Default is ./prisma/schema.prisma
.--migrations
: Directory path containing migration files generated by Prisma Migrate. Default is ./prisma/migrations
.--currentSettingIsolation
: Specify the current setting for RLS isolation. Default is app.tenant_id
.--currentUser
: Specify if using current_user
with RLS. Default is false
.--currentSettingBypass
: Specify the current setting for RLS bypass. Default is app.bypass_rls
.prisma db pull
do not include RLS configurations.prisma db push
does not apply RLS settings.MIT