zenstack
[ZModel] Insufficient type checking for "in" operator

    model User {
        id Int @id @default(autoincrement())
        email String @unique
        name String?
        posts Post[]
        teamMemberships TeamMembership[]
        @@allow('all', true)
    }

    model TeamMembership {
        id Int @id @default(autoincrement())
        teamId Int
        user User @relation(fields: [userId], references: [id])
        userId Int
        @@allow('all', true)
    }

    model Post {
        id Int @id @default(autoincrement())
        title String
        owner User? @relation(fields: [ownerId], references: [id])
        ownerId Int?
        teamId Int
        @@allow('all', true)
        @@deny('all', teamId in auth().teamMemberships)
    }

Inside the @@deny rule, the "in" expression should result in a type-checker error.
I hit this same bug, assuming I understand it correctly. When you say "type-checker error," do you mean it should fail, or are you not allowed to use the "in" operator?
I have a case where using the in operator does not add the proper check to the generated policy for using the check function, but it blocks it properly on actual calls.

    // this still passes even if role is STANDARD or Null when called using enhancedClient.model.check('create');
    @@allow('all', auth().role in ['SYSTEM', 'ADMIN'])
    // But using the following works properly
    @@allow('all', auth().role == 'SYSTEM' || auth().role == 'ADMIN')
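
The operand-type rule for "in" that the two rules above run into, as an added TypeScript example (not ZenStack's checker and not code from this thread). Every name in it is hypothetical, and `role` is assumed to be a String field on User, since the schema in the issue does not declare it.

```typescript
// Added illustration; not ZenStack's checker. All names are hypothetical.
type ZType = { name: string; array: boolean };
const t = (name: string, array = false): ZType => ({ name, array });
const show = (z: ZType): string => z.name + (z.array ? "[]" : "");

// Field types copied from the schema in the issue. `role` is not declared
// there; it is assumed to be a String field on User, as in the comment.
const schema: Record<string, Record<string, ZType>> = {
  User: { id: t("Int"), role: t("String"), teamMemberships: t("TeamMembership", true) },
  TeamMembership: { id: t("Int"), teamId: t("Int"), userId: t("Int") },
  Post: { id: t("Int"), teamId: t("Int"), ownerId: t("Int") },
};
const SCALARS = new Set(["Int", "String", "Boolean"]);

// Resolve a field path starting at a model, e.g. ("User", ["teamMemberships"]).
function resolvePath(model: string, path: string[]): ZType | undefined {
  let cur = t(model);
  for (const seg of path) {
    const fields = schema[cur.name];
    const field = fields ? fields[seg] : undefined;
    if (!field) return undefined;
    cur = t(field.name, cur.array || field.array);
  }
  return cur;
}

// Type rule for `left in right`; returns the diagnostics (empty means accepted).
function checkIn(left: ZType | undefined, right: ZType | undefined): string[] {
  if (!left || !right) return ["operand does not resolve to a known field"];
  const errors: string[] = [];
  if (left.array || !SCALARS.has(left.name))
    errors.push(`left operand of "in" must be a scalar, got ${show(left)}`);
  if (!right.array)
    errors.push(`right operand of "in" must be an array, got ${show(right)}`);
  else if (right.name !== left.name)
    errors.push(`cannot test ${show(left)} for membership in ${show(right)}`);
  return errors;
}

// teamId in auth().teamMemberships  (the @@deny rule from the issue): rejected
const denyRule = checkIn(resolvePath("Post", ["teamId"]), resolvePath("User", ["teamMemberships"]));
// auth().role in ['SYSTEM', 'ADMIN']  (the rule from the comment): well typed
const roleRule = checkIn(resolvePath("User", ["role"]), t("String", true));
```

Under this rule the comment's `auth().role in [...]` expression is well typed, so what that comment reports is a separate matter from the missing type error.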