Row-level multi-tenancy via automatic tenantId injection.
Pairs with OrganizationsPlugin: orgs answer “who belongs to what”,
TenantScopePlugin answers “which rows belong to what” by stamping every
insert with the active tenant id.
How it works:
- Configure which entities are tenant-scoped, plus the column name (default tenantId). Untouched entities behave normally.
- Before insert, the plugin sets data.tenantId = auth.tenant_id if the field is missing or empty.
- Before update/delete, the plugin checks the existing row’s tenant matches the caller’s tenant — cross-tenant writes are rejected by returning an Err from the hook (the runtime translates this to a 403 response).
This plugin does NOT enforce reads. Use pylon-policy expressions for
that — they have access to auth.tenantId and can scope query and
lookup calls. The asymmetry is intentional: writes need the tenant id
anyway (to stamp the row), so enforcing them here is free; reads need
the user-defined policy expression engine because filtering rules can
get arbitrarily complex.
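The two write hooks described above, as an added stand-alone illustration (not the crate's own code): Auth, TenantScopeConfig, Row and the method names are assumed stand-ins for the runtime's real types, and the column name and tenant ids are constructed sample values.

```rust
use std::collections::HashMap;

/// Assumed shape of the request's auth context (not the crate's real type).
struct Auth { tenant_id: String }

/// Mirrors the description: which entities are scoped, and the column name.
struct TenantScopeConfig { entities: Vec<String>, column: String }

/// A row or insert payload, kept as a flat string map for illustration.
type Row = HashMap<String, String>;

impl TenantScopeConfig {
    fn is_scoped(&self, entity: &str) -> bool {
        self.entities.iter().any(|e| e.as_str() == entity)
    }

    /// Before insert: stamp the tenant id if the field is missing or empty.
    /// A non-empty caller-supplied value is left untouched, as described above.
    fn before_insert(&self, entity: &str, auth: &Auth, data: &mut Row) {
        if !self.is_scoped(entity) { return; } // untouched entities behave normally
        let missing = data.get(&self.column).map_or(true, |v| v.is_empty());
        if missing {
            data.insert(self.column.clone(), auth.tenant_id.clone());
        }
    }

    /// Before update/delete: the existing row's tenant must match the caller's.
    /// Err stands for the hook error the runtime turns into a 403.
    fn before_update_or_delete(&self, entity: &str, auth: &Auth, existing: &Row) -> Result<(), String> {
        if !self.is_scoped(entity) { return Ok(()); }
        match existing.get(&self.column) {
            Some(t) if *t == auth.tenant_id => Ok(()),
            Some(t) => Err(format!("row belongs to tenant {t}, caller is {}", auth.tenant_id)),
            None => Err("scoped row has no tenant id".to_string()),
        }
    }
}

fn main() {
    // Constructed sample values.
    let cfg = TenantScopeConfig { entities: vec!["invoice".into()], column: "tenantId".into() };
    let auth = Auth { tenant_id: "tenant-a".into() };
    let mut payload = Row::new();
    cfg.before_insert("invoice", &auth, &mut payload);
    println!("stamped: {:?}", payload.get("tenantId"));
    let mut foreign = Row::new();
    foreign.insert("tenantId".into(), "tenant-b".into());
    println!("cross-tenant update: {:?}", cfg.before_update_or_delete("invoice", &auth, &foreign));
}
```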
Structs
- TenantScopeConfig - Per-entity tenant scoping configuration.
- TenantScopePlugin