v2.45.3
Changelog
This is a patch release for v2.45.
Bug fixes and improvements
Server
- Add optional no_transaction flag (default false) to run_sql API (Postgres) to execute SQL statements outside transaction blocks, with support for splitting multiple statements. Useful for operations like CREATE INDEX CONCURRENTLY.
Console
- Fix connection template and Dynamic Routing settings being reset when editing a database on the Connection Details page.
Security fixes
Server
Fixed Nested Inherited Roles Permission Propagation
Fixed an issue where permissions were not properly propagated through multiple levels of role inheritance. This affects both queries and mutations:
- For Queries: Previously, when Role D inherited from Role C, which inherited from Roles A and B, the row filters and column restrictions from Role A were not properly applied to Role D. This could allow Role D to access data that should have been restricted.
- For Mutations: Mutations using nested inherited roles now correctly enforce permission constraints. For example, if Role A restricts "salary" with {"user_id": "X-Hasura-User-Id"}, Role D (inheriting from Role C, which inherits from Role A) now requires X-Hasura-User-Id when filtering on salary:
  mutation { delete_employees(where: {salary: {_gt: 100000}}) { affected_rows } }
Note: If you're using nested inherited roles in your application, you may need to update mutations to include the appropriate session variables that were previously bypassed.
For more details on how inherited roles work, see the documentation.
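To find which roles the nested inherited roles fix applies to, the following added example (not part of the release notes or the project's own code) lists every inherited role whose parents include another inherited role, together with the base roles it ultimately inherits from. It assumes exported metadata with an inherited_roles list whose entries carry role_name and role_set; the sample data is constructed from the Role A/B/C/D scenario above.

```python
# Added example: list nested inherited roles in exported metadata.
# Assumption: "inherited_roles" entries look like
#   {"role_name": "<name>", "role_set": ["<parent>", ...]}

def nested_inherited_roles(metadata):
    """Return {role: sorted transitive base roles} for each inherited role
    that has at least one parent which is itself an inherited role."""
    parents = {r["role_name"]: list(r["role_set"])
               for r in metadata.get("inherited_roles", [])}

    def base_roles(role, seen):
        # Walk up the inheritance chain until reaching non-inherited roles.
        if role in seen:
            raise ValueError(f"inheritance cycle at {role!r}")
        if role not in parents:
            return {role}
        found = set()
        for parent in parents[role]:
            found |= base_roles(parent, seen | {role})
        return found

    report = {}
    for role, role_set in parents.items():
        # Only roles with more than one level of inheritance are reported.
        if any(parent in parents for parent in role_set):
            report[role] = sorted(base_roles(role, frozenset()))
    return report


# Constructed sample mirroring the scenario in the release notes:
# D inherits from C, and C inherits from A and B.
SAMPLE_METADATA = {
    "inherited_roles": [
        {"role_name": "C", "role_set": ["A", "B"]},
        {"role_name": "D", "role_set": ["C"]},
    ]
}

if __name__ == "__main__":
    for role, bases in nested_inherited_roles(SAMPLE_METADATA).items():
        print(f"{role}: review permissions inherited from {', '.join(bases)}")
```

Each reported role is a candidate for re-testing queries and mutations after upgrading, since the permissions of its listed base roles are now enforced.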