
Feature request: Protecting nested fields with fine-grained access control

Open maoosi opened this issue 4 years ago • 0 comments

Problem

  • The current implementation of Fine-grained access control doesn't protect nested fields.
  • Working with large schemas is quite cumbersome, as rules become hard to visualise.

Suggested solution

Refactor the access control entirely, so that it lives in its own file (currently part of src/client/_resolver.ts). Then adapt the current implementation, so that all nested fields are also protected.

```graphql
getPosts {
    # author refers to the User model
    author {
        secret # should deny access
    }
}
```

To avoid any security pitfall and keep a good DX, I suggest that applying allow OR deny on a given subject should automatically deny all nested field operations. From there, allowing access to nested fields would need to be defined explicitly:

```typescript
// allow access to author > secret
app.allow({ action: AuthActions.access, subject: 'Post', fields: ['author.secret'] })

// allow access to all author fields
app.allow({ action: AuthActions.access, subject: 'Post', fields: ['author.*'] })

// allow access to all author fields and nested fields
app.allow({ action: AuthActions.access, subject: 'Post', fields: ['author.**'] })
```

Additional context

  • Current fine-grained access control implementation is built upon stalniy/casl, which already offers ways to protect nested fields. The new solution should leverage this.
  • To deny all nested fields operations by default, it would probably require enforcing app.deny({ action: AuthActions.access, subject: 'XXX', fields: ['*.**'] }) (assuming this is working) - as soon as any rule gets applied on a given subject.
  • There is a new CASL Prisma library in preview.

maoosi, Apr 06 '21 12:04
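The rule semantics proposed in this issue (deny every nested path by default once any rule targets a subject, then re-open paths with `author.secret`, `author.*` or `author.**` patterns, last matching rule wins), modelled as an added stand-alone example; this is not prisma-appsync or CASL code, and `AuthActions`, `createAbility` and `deniedPaths` are assumed names.

```javascript
// Added example, not project code: dotted field paths checked against
// allow/deny patterns, with the proposed implicit '*.**' deny.
const AuthActions = { access: 'access' }; // assumed, mirrors the issue

// 'author.*' matches exactly one nested segment, 'author.**' any depth.
function patternToRegex(pattern) {
  const body = pattern.split('.').map((seg) => {
    if (seg === '**') return '.+';
    if (seg === '*') return '[^.]+';
    return seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }).join('\\.');
  return new RegExp(`^${body}$`);
}

function createAbility() {
  const rules = []; // evaluated in order; the last matching rule wins
  // A rule without `fields` covers all top-level fields of the subject.
  const add = (inverted) => ({ action, subject, fields = ['*'] }) =>
    rules.push({ action, subject, fields, inverted });
  return {
    allow: add(false),
    deny: add(true),
    can(action, subject, fieldPath) {
      const own = rules.filter((r) => r.action === action && r.subject === subject);
      if (own.length === 0) return true; // assumption: untouched subjects stay open
      // Proposed default: as soon as any rule targets a subject, every nested
      // path is denied unless a later allow pattern matches it explicitly.
      const ordered = [{ fields: ['*.**'], inverted: true }, ...own];
      let allowed = false;
      for (const r of ordered) {
        if (r.fields.some((p) => patternToRegex(p).test(fieldPath))) allowed = !r.inverted;
      }
      return allowed;
    },
  };
}

// Walk a GraphQL-style selection (nested object) and list the denied paths,
// so a resolver can reject the query before touching the database.
function deniedPaths(ability, action, subject, selection, prefix = '') {
  return Object.entries(selection).flatMap(([field, sub]) => {
    const path = prefix ? `${prefix}.${field}` : field;
    const here = ability.can(action, subject, path) ? [] : [path];
    const below = sub && typeof sub === 'object'
      ? deniedPaths(ability, action, subject, sub, path) : [];
    return [...here, ...below];
  });
}
```

With `allow({ subject: 'Post' })` plus `fields: ['author.*']`, the selection `{ title, author { name, secret, profile { bio } } }` is rejected only at `author.profile.bio`; adding `author.**` instead opens it, and a later `deny` on `author.secret` closes that one path again.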