Security plugin for ObjectStack — RBAC, Row-Level Security (RLS), and Field-Level Masking enforced transparently through the ObjectQL middleware chain.
plugin-security hooks into the ObjectQL pipeline and applies authorization on every read and write:
- Resolve permission sets — match user roles against `SysPermissionSet` metadata.
- Check object CRUD — `allowRead`, `allowCreate`, `allowEdit`, `allowDelete`.
- Inject RLS — compile row-level policy expressions into query filters.
- Mask fields — remove non-readable fields from results; flag non-editable fields on writes.

System-context operations bypass checks so internal jobs, migrations, and seed scripts work unobstructed.

```bash
pnpm add @objectstack/plugin-security
```

```ts
import { ObjectKernel } from '@objectstack/core';
import { SecurityPlugin } from '@objectstack/plugin-security';

const kernel = new ObjectKernel();
kernel.use(new SecurityPlugin());
await kernel.bootstrap();
```

| Export | Kind | Description |
|---|---|---|
| `SecurityPlugin` | class | Kernel plugin that installs the four-step security chain. |
| `PermissionEvaluator` | class | Evaluates object-level CRUD permissions across roles (most-permissive merge). |
| `RLSCompiler` | class | Compiles RLS expressions into ObjectQL filter AST. |
| `FieldMasker` | class | Strips non-readable fields and identifies non-editable ones. |
| `SysRole`, `SysPermissionSet` | objects | Metadata objects registered by the plugin. |

The plugin contributes these system objects to the kernel:

| Object | Purpose |
|---|---|
| `sys_role` | User role definitions. |
| `sys_permission_set` | Bundles object and field permissions; can include RLS expressions. |

Assignment tables (role ↔ user, role ↔ permission_set) are provided by @objectstack/plugin-auth when used together.
RLS policies are authored in the same expression language as object validations. Example:

```json
{
  "object": "project_task",
  "read": "owner_id = $user.id OR team_id in $user.team_ids"
}
```

Compilation output is a filter AST merged into every query's `where` clause, so drivers see it as a normal filter.
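
The merge step described above, as an added example (not the plugin's own code): a small compiler for a subset of the expression language that resolves `$user.*` values and ANDs the compiled policy into the caller's filter. The AST shape, the function names, and the sample rows are assumptions made for illustration.

```javascript
// Added illustration: the AST shape ({field, op, value} / {and} / {or}) is assumed,
// not the plugin's RLSCompiler output. Subset: "=" and "in", AND/OR, no parentheses.
function resolveOperand(token, user) {
  if (/^-?\d+$/.test(token)) return Number(token);
  if (/^'[^']*'$/.test(token)) return token.slice(1, -1);
  if (!token.startsWith('$user.')) throw new Error(`unsupported operand: ${token}`);
  const value = user[token.slice('$user.'.length)];
  // Fail closed: an unresolved attribute must not turn into a match-all filter.
  if (value === undefined || value === null) throw new Error(`unresolved ${token}`);
  return value;
}
function compileComparison(text, user) {
  const m = /^\s*([A-Za-z_]\w*)\s*(=|\bin\b)\s*(\S+)\s*$/.exec(text);
  if (!m) throw new Error(`cannot parse: ${text}`);
  const value = resolveOperand(m[3], user);
  if (m[2] === 'in' && !Array.isArray(value)) throw new Error(`"in" needs a list: ${text}`);
  return { field: m[1], op: m[2], value };
}

function compilePolicy(expr, user) {
  // AND binds tighter than OR: split on OR first, then on AND inside each branch.
  const branches = expr.split(/\s+OR\s+/).map((branch) => {
    const terms = branch.split(/\s+AND\s+/).map((t) => compileComparison(t, user));
    return terms.length === 1 ? terms[0] : { and: terms };
  });
  return branches.length === 1 ? branches[0] : { or: branches };
}

function applyRls(query, readExpr, user) {
  const rls = compilePolicy(readExpr, user);
  // ANDed in as a single node, so an OR in the caller's filter cannot widen the policy.
  return { ...query, where: query.where ? { and: [query.where, rls] } : rls };
}

function matches(node, row) { // tiny in-memory evaluator standing in for a driver
  if (node.and) return node.and.every((n) => matches(n, row));
  if (node.or) return node.or.some((n) => matches(n, row));
  return node.op === 'in' ? node.value.includes(row[node.field]) : row[node.field] === node.value;
}

// Constructed sample data; the policy string is the one from the README.
const READ_POLICY = 'owner_id = $user.id OR team_id in $user.team_ids';
const ROWS = [
  { id: 1, owner_id: 'u1', team_id: 't9' },
  { id: 2, owner_id: 'u2', team_id: 't2' },
  { id: 3, owner_id: 'u3', team_id: 't7' },
];
const visibleIds = (where, user) =>
  ROWS.filter((r) => matches(applyRls({ where }, READ_POLICY, user).where, r)).map((r) => r.id);
console.log(visibleIds(undefined, { id: 'u1', team_ids: ['t1', 't2'] })); // [ 1, 2 ]
```
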
- ✅ Any multi-user deployment.
- ✅ Enforcing tenant isolation (combine with `@objectstack/service-tenant`).
- ❌ Trusted single-user CLI scripts — disable per-request via the system context.

- `@objectstack/plugin-auth` — authentication and user resolution.
- `@objectstack/plugin-audit` — pairs with security for full compliance trails.
- `@objectstack/objectql` — query engine.

- 📖 Docs: https://objectstack.ai/docs
- 📚 API Reference: https://objectstack.ai/docs/references/security
Apache-2.0 © ObjectStack