v2.45.3
📦 hasura-auth
⚠ 1 breaking · ✨ 1 feature · 🐛 3 fixes · 🔧 3 symbols
Summary
This patch release fixes critical security issues related to nested inherited role permission propagation and resolves a bug in the Console's database editing interface. It also introduces an option to run SQL outside transactions via the server API.
⚠️ Breaking Changes
- Permissions propagation through nested inherited roles is now strictly enforced for both queries and mutations. If your application relied on previously bypassed session variable requirements for mutations involving deeply nested inherited roles, those mutations might now fail or require explicit session variables (like X-Hasura-User-Id) to pass permission checks.
Migration Steps
- If using nested inherited roles in mutations, ensure that necessary session variables (which might have been implicitly bypassed before) are explicitly provided in the mutation context to satisfy the now strictly enforced permission constraints.
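One way to audit for this, as an added example that is not Hasura's own code: it expands a nested inherited role into the plain roles beneath it and lists the `X-Hasura-*` session variables their mutation permissions reference but a given set of request headers lacks. The metadata is a constructed sample trimmed to `inherited_roles` and per-table permission entries, the role and table names are hypothetical, and the listing is conservative in that every referenced variable is treated as required.

```python
import re

SESSION_VAR = re.compile(r"^x-hasura-[a-z0-9-]+$", re.IGNORECASE)
PERM_KEYS = ("insert_permissions", "update_permissions", "delete_permissions")

METADATA = {  # constructed sample, trimmed to the fields read below
    "inherited_roles": [
        {"role_name": "team_lead", "role_set": ["employee", "reviewer"]},
        {"role_name": "manager", "role_set": ["team_lead", "auditor"]},
    ],
    "tables": [{
        "table": {"schema": "public", "name": "reports"},
        "update_permissions": [
            {"role": "employee", "permission": {"filter": {"owner_id": {"_eq": "X-Hasura-User-Id"}}}},
            {"role": "auditor", "permission": {"filter": {"org_id": {"_eq": "X-Hasura-Org-Id"}}}},
        ],
    }],
}

def base_roles(role, inherited, seen=None):
    """Expand a (possibly nested) inherited role into the plain roles beneath it."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against a cyclic role_set
        return set()
    seen.add(role)
    if role not in inherited:
        return {role}
    return set().union(*(base_roles(r, inherited, seen) for r in inherited[role]))

def session_vars(expr):
    """Collect X-Hasura-* strings found anywhere in a permission expression."""
    if isinstance(expr, str):
        return {expr.lower()} if SESSION_VAR.match(expr) else set()
    if isinstance(expr, dict):
        expr = list(expr.values())
    return set().union(*map(session_vars, expr)) if isinstance(expr, list) else set()

def missing_vars(metadata, role, headers):
    """Per table: session variables the role's mutation rules reference but headers lack."""
    inherited = {r["role_name"]: r["role_set"] for r in metadata.get("inherited_roles", [])}
    roles, have, report = base_roles(role, inherited), {h.lower() for h in headers}, {}
    for t in metadata["tables"]:
        perms = [p["permission"] for k in PERM_KEYS for p in t.get(k, []) if p["role"] in roles]
        need = session_vars([[p.get("filter"), p.get("check"), p.get("set")] for p in perms])
        if need - have:
            report[t["table"]["name"]] = sorted(need - have)
    return report
```

Running `missing_vars` for each inherited role against the headers your auth layer actually issues shows which mutations need an extra session variable before upgrading.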
✨ New Features
- Added optional `no_transaction` flag (default `false`) to the Postgres `run_sql` API to allow executing SQL statements outside of transaction blocks, supporting multi-statement execution for operations like `CREATE INDEX CONCURRENTLY`.
🐛 Bug Fixes
- Fixed an issue where connection template and Dynamic Routing settings were incorrectly reset when editing a database in the Connection Details page.
- Fixed incorrect permission propagation through multiple levels of role inheritance for queries, ensuring row filters and column restrictions from ancestor roles are correctly applied to descendant roles.
- Fixed incorrect enforcement of permission constraints for mutations using nested inherited roles.
🔧 Affected Symbols
- run_sql API (Postgres)
- Connection Details page (Console)
- Nested Inherited Roles Permission Logic (Server)