
[Feature Request] Access policy allow field to be created only with default value

Open jiashengguo opened this issue 1 year ago • 2 comments

For example, the Payment could be created by the customer, but the isPaid field should not be changed by the customer; it could only be updated by the backend service after receiving the webhook callback.

model Payment {
   ...
   isPaid Boolean @default(false) @deny('create', true)
   @@allow('create, read', auth() == owner)
}

However, the current field level access policy doesn't allow control for 'create' policy.

Jul 14 '24 12:07 jiashengguo

Is there a workaround for this limitation at the moment?

Sep 23 '24 13:09 genu

I think there are two workarounds you can use:

  1. Use a field access policy to deny update.

     isPaid Boolean @default(false) @deny('update', true)

     But you need to make sure that isPaid is never provided when calling the create function.

  2. Use ignore

     isPaid Boolean @default(false) @ignore

     The trade-off is that you have to use raw SQL to update it since it is excluded from the Prisma client.

Sep 24 '24 01:09 jiashengguo
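
Workaround 1 only holds if `isPaid` never reaches a create call. One way to enforce that on the server, as an added example (not code from this thread or from the ZenStack project): a guard that scans a create payload, including nested `create`, `createMany` and `connectOrCreate` writes, for server-only fields. The `SERVER_ONLY` and `RELATIONS` maps, the `User` model with its `payments` relation, and both function names are assumptions.

```typescript
// Added example: a hypothetical server-side guard, not part of ZenStack or Prisma.
// Assumption: both maps are maintained by hand to mirror the schema.
const SERVER_ONLY: Record<string, string[]> = { Payment: ["isPaid"] };
const RELATIONS: Record<string, Record<string, string>> = {
  User: { payments: "Payment" }, // constructed relation, for illustration
  Payment: { owner: "User" },
};

type Obj = Record<string, unknown>;
const isObj = (v: unknown): v is Obj => typeof v === "object" && v !== null;
const asList = (v: unknown): unknown[] =>
  Array.isArray(v) ? v : v === undefined ? [] : [v];

// Returns the path of every server-only field present in a create payload,
// following the nested writes that can also create rows.
function findServerOnlyFields(model: string, data: unknown, path = "data"): string[] {
  const hits: string[] = [];
  asList(data).forEach((item, i) => {
    if (!isObj(item)) return;
    const here = Array.isArray(data) ? `${path}[${i}]` : path;
    Object.keys(item).forEach((key) => {
      const p = `${here}.${key}`;
      if ((SERVER_ONLY[model] ?? []).indexOf(key) >= 0) hits.push(p);
      const target = RELATIONS[model]?.[key];
      const nested = item[key];
      if (!target || !isObj(nested)) return;
      hits.push(...findServerOnlyFields(target, nested.create, `${p}.create`));
      const many = nested.createMany;
      if (isObj(many)) {
        hits.push(...findServerOnlyFields(target, many.data, `${p}.createMany.data`));
      }
      asList(nested.connectOrCreate).forEach((c, j) => {
        if (!isObj(c)) return;
        hits.push(...findServerOnlyFields(target, c.create, `${p}.connectOrCreate[${j}].create`));
      });
    });
  });
  return hits;
}

// Call before handing the payload to the client's create call; throws on any hit.
function assertCreateAllowed(model: string, data: unknown): void {
  const hits = findServerOnlyFields(model, data);
  if (hits.length > 0) {
    throw new Error(`server-only field(s) in create payload: ${hits.join(", ")}`);
  }
}
```

The scan flags the field whenever it is present, even when the supplied value equals the default `false`, which matches the "never provided" condition in the workaround.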