Hide sensitive columns

[seven1240]

Environment

• PostgreSQL version: postgres:10.7-alpine
• PostgREST version: postgrest/postgrest:v10.2.0.20230203
• Operating system: macOS and Docker

Description of issue

This is more like a feature request other than a bug. I'm new to PostgREST but used PostgreSQL for many years, I looked all the docs trying to find out if it's possible to hide sensitive columns like password etc. Such columns should never return with REST API but should still be updatable (e.g. change password). I could add a "updateble view" to hide the column, but view has no foreign key info. Is it possible to add some configuration blacklist for this? or is there some other way to play with the PostgreSQL roles manually?

Thanks. PostgREST looks very interesting and powerful, I'd like to use it in my next project.

[steve-chavez]

I could add a "updateble view" to hide the column, but view has no foreign key info.

We infer the FKs of a view, see https://postgrest.org/en/stable/api.html#embedding-views, so you can use an auto-updatable view for that.

or is there some other way to play with the PostgreSQL roles manually?

Additionally you could GRANT SELECT(col1, col2) ON tbl TO role and not include the password column. Then only make the UPDATE available through a SECURITY DEFINER function.