Wim Jongeneel
Apr 16, 2021

We use OData as a query language from the browser to our database (with a direct OData -> psql compiler) and it's kinda what you describe. Every model has a set of operations with rights defined (e.g. create, update, etc.), as has every relation (e.g. link, unlink). That is what I think you want from your allowlist. Outside of that we also have the concept of permission filters that define things like 'a user can only update reactions that are reachable from it via the author relation'. This is way more powerful and covers most of the permission stuff you ever need.


Written by Wim Jongeneel

Software Engineer at Mendix (Rotterdam, The Netherlands) • Student MSc Software Engineering • Functional programming enthusiast
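
An added sketch of the model the comment above describes, not part of the original comment and not the author's OData compiler: an operation allowlist per model and per relation, plus a permission filter that is appended to the compiled statement as an extra predicate. The table, column and role names are constructed for illustration, and the `%(name)s` placeholders assume a psycopg-style driver.

```python
# Constructed policy tables: every name here is an illustrative assumption.
MODEL_OPS = {"reaction": {"read": {"user", "admin"},
                          "update": {"user", "admin"},
                          "delete": {"admin"}}}
RELATION_OPS = {("reaction", "author"): {"link": {"admin"}, "unlink": {"admin"}}}
# Column allowlist; a non-None value marks the column as the key of a relation.
COLUMNS = {"reaction": {"body": None, "author_id": "author"}}
# Permission filter: rows must be reachable from the caller via the author relation.
FILTERS = {("reaction", "update", "user"): "reaction.author_id = %(current_user)s"}


class Denied(Exception):
    pass


def require(allowed, role, what):
    if role not in allowed:
        raise Denied(f"{role} may not {what}")


def compile_update(role, user_id, model, row_id, changes):
    """Return (sql, params) for an allowed update, or raise Denied."""
    require(MODEL_OPS.get(model, {}).get("update", set()), role, f"update {model}")
    params = {"row_id": row_id}
    assignments = []
    for col in sorted(changes):
        if col not in COLUMNS[model]:
            raise Denied(f"unknown column {model}.{col}")
        relation = COLUMNS[model][col]
        if relation is not None:
            # Rewriting a relation key is a link operation with its own rights.
            require(RELATION_OPS.get((model, relation), {}).get("link", set()),
                    role, f"link {model}.{relation}")
        assignments.append(f"{col} = %(set_{col})s")
        params[f"set_{col}"] = changes[col]
    if not assignments:
        raise Denied("nothing to update")
    # Identifiers come only from the allowlists above; values stay parameters.
    sql = f"UPDATE {model} SET {', '.join(assignments)} WHERE {model}.id = %(row_id)s"
    row_filter = FILTERS.get((model, "update", role))
    if row_filter is not None:
        sql += f" AND {row_filter}"
        params["current_user"] = user_id
    return sql, params
```

Because the filter is part of the `WHERE` clause, an update aimed at someone else's reaction matches zero rows instead of relying on a separate lookup before the write.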
