Postgraphile allows front-end code to use graphql to access data stored in a postgres database. So there's no traditional backend code to do the work of storing and enforcing user/role-based authorisation for certain data.
The recommended way to handle this is by the use of Row-Level Security (RLS), a database feature which ensures that only permitted data is updated or returned, based on the end user who generated the query. [0]
This sounds fine in principle but, because permissions are at row-level, you can't have different permissions for different columns in the same table. The solution is to split your tables into multiple, narrower tables. So, for example, if you don't want a user to be able to update their own username, the username column could be in a separate table from other demographic information.
I understand this in theory, and I know that RLS isn't new and isn't restricted to postgraphile. But I'd love to see a non-trivial example of it in use, for an app whose only backend is a database (ideally postgres and postgraphile, but really any relational database that supports RLS would be fine).
Can anyone point to a good repo or book that has a good example of schema design using RLS?
(I spent some time searching, but didn't find anything promising.)
[0] https://www.graphile.org/postgraphile/security/