Postgres recently(ish)[1] got support for row level security, so with a bit of work, it's actually possible to be fairly strict on data access - but it requires at least the creation of "group level" postgres users in the db - while people will still happily allow the webserver to connect with super user privileges to the db, and write their own access controls (or use a framework that's also will be) that'll be much poorer than what's already in db, because using that is "complex".
Yeah, proper authorization is complex.
With that mindset, I'll not be surprised if people just send raw json to the client and "filter access" in javascript...
Yeah, proper authorization is complex.
With that mindset, I'll not be surprised if people just send raw json to the client and "filter access" in javascript...
[1] https://www.dbrnd.com/2016/08/postgresql-9-5-row-level-secur...
https://www.postgresql.org/docs/current/static/ddl-rowsecuri...
[ed: apparently there's some hope: https://www.graphile.org/ ]