Lotus.Preflight (Lotus v0.16.4)

Copy Markdown View Source

SQL preflight authorization for Lotus.

Uses EXPLAIN to extract which tables/relations a query will access, then checks those relations against visibility rules before execution.

This provides defense-in-depth by blocking queries that would access denied tables, even if they're accessed through views or complex subqueries.

Summary

Functions

authorize(repo, repo_name, sql, params, search_path \\ nil)

Authorizes a SQL query by checking all relations it would access.

Functions

authorize(repo, repo_name, sql, params, search_path \\ nil)

@spec authorize(module(), String.t(), String.t(), list(), String.t() | nil) ::
  :ok | {:error, String.t()}

Authorizes a SQL query by checking all relations it would access.

Uses EXPLAIN (without executing) to discover which tables the query would touch, then validates each against the visibility rules.

Examples

authorize(MyRepo, "postgres", "SELECT * FROM users", [], nil)
#=> :ok

authorize(MyRepo, "postgres", "SELECT * FROM schema_migrations", [], "reporting, public")
#=> {:error, "Query touches a blocked table"}