zenstack icon indicating copy to clipboard operation
zenstack copied to clipboard
verified publisher icon zenstackhq

[Bug] Access Policy: check() function is being ignored if future() is being used

Open baenio opened this issue 1 year ago • 0 comments

Description and expected behavior After trying to implement the new check() function in the access control, I found out that when adding the future() function in another policy, it will kinda overwrite the delegated policies. After removing @@allow('update', future().title == 'hello') everything seems to be working normally.

Example

// delegating all operations
model Post {
    id Int @id
    title String
    description String
    author User @relation(fields: [authorId], references: [id])
    authorId Int

    // delegate all access policies to the author:
    @@allow('all', check(author))

    @@allow('update', future().title == 'hello')
}

// imagine I have update permission in the author relation of a post.
// the following db query will fail
const updatedPost = db.post.update({
  where: {id: 'some_id'},
  data: {description: 'new_description'},
});

Environment (please complete the following information):

  • ZenStack version: v2.4.1
  • Prisma version: v5.17.0
  • Database type: Postgresql

baenio avatar Aug 09 '24 14:08 baenio