zenstack
[Feature Request] Access policy expressions should support querying arbitrary models
Today policy expressions can use "Collection Predicate" to query relations, which is quite flexible:
```zmodel
model SpaceUser {
  id        String   @id @default(uuid())
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
  space     Space    @relation(fields: [spaceId], references: [id], onDelete: Cascade)
  spaceId   String
  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
  userId    String
  role      SpaceUserRole

  @@unique([userId, spaceId])

  // require login
  @@deny('all', auth() == null)

  // space admin can create/update/delete
  @@allow('create,update,delete', space.members?[user == auth() && role == ADMIN])

  // user can read entries for spaces which he's a member of
  @@allow('read', space.members?[user == auth()])
}
```
However, collection predicates can only be used on fields of the current model. There are cases where you want to break free from this limitation; e.g., you may want to check whether the current user belongs to a certain group in order to determine their permission, like:

```zmodel
model Post {
  @@allow('all', $Group?[role == 'ADMIN' && users?[auth() == user]])
}
```
The `$Model?[...]` syntax is a proposal for querying into an arbitrary model type. Similar to collection predicates, there are three variants:

- `$Model?[...]`: any entity of `Model` matches the condition
- `$Model![...]`: all entities of `Model` match the condition
- `$Model^[...]`: no entity of `Model` matches the condition
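To make the intended semantics of the proposed `Post` policy and of the three quantifier variants concrete, here is an added in-memory illustration. It is not ZenStack code and not part of the proposal; the `Group`, `users`, `role` and `ADMIN` names follow the issue's example, the sample users and groups are constructed, and `auth()` is modelled as a plain parameter (with the assumption that a `null` user makes `auth() == user` evaluate to false). It also shows the edge case a policy author should keep in mind: `![...]` and `^[...]` are vacuously true when the queried model has no rows at all, so an `@@allow` built on `$Model![...]` grants access to everyone until the first row exists.

```typescript
// Added illustration of the proposed $Model quantifiers (not ZenStack's implementation).
// Types and data below are constructed for the example.

type Role = 'ADMIN' | 'MEMBER';
interface User { id: string }
interface Group { id: string; role: Role; users: User[] }

// $Model?[cond]: at least one entity matches the condition
function anyOf<T>(entities: T[], cond: (e: T) => boolean): boolean {
  return entities.some(cond);
}

// $Model![cond]: every entity matches; vacuously true when there are no entities
function allOf<T>(entities: T[], cond: (e: T) => boolean): boolean {
  return entities.every(cond);
}

// $Model^[cond]: no entity matches; vacuously true when there are no entities
function noneOf<T>(entities: T[], cond: (e: T) => boolean): boolean {
  return !entities.some(cond);
}

// Evaluates the issue's proposed rule
//   @@allow('all', $Group?[role == 'ADMIN' && users?[auth() == user]])
// against all groups, with `auth` standing in for auth().
// Assumption: a null auth() never equals a user, so the rule denies anonymous callers.
function postAllowAll(groups: Group[], auth: User | null): boolean {
  if (auth === null) return false;
  return anyOf(groups, g =>
    g.role === 'ADMIN' && anyOf(g.users, u => u.id === auth.id));
}

// A hypothetical rule using the "all entities" variant, e.g.
//   @@allow('all', $Group![role == 'ADMIN'])
// Returns true for an empty Group table: nothing to contradict the condition.
function everyGroupIsAdmin(groups: Group[]): boolean {
  return allOf(groups, g => g.role === 'ADMIN');
}

// Constructed sample data
const alice: User = { id: 'u-alice' };
const bob: User = { id: 'u-bob' };
const carol: User = { id: 'u-carol' }; // belongs to no group
const groups: Group[] = [
  { id: 'g-admins', role: 'ADMIN', users: [alice] },
  { id: 'g-members', role: 'MEMBER', users: [bob] },
];

console.log('alice allowed:', postAllowAll(groups, alice));   // true: admin group member
console.log('bob allowed:', postAllowAll(groups, bob));       // false: only a MEMBER group
console.log('carol allowed:', postAllowAll(groups, carol));   // false: in no group
console.log('anonymous allowed:', postAllowAll(groups, null)); // false
console.log('![...] over empty model:', everyGroupIsAdmin([])); // true (vacuous)
console.log('^[...] over empty model:',
  noneOf([] as Group[], g => g.role === 'ADMIN'));             // true (vacuous)
```

The vacuous-truth behaviour is the one to watch when writing policies with the `!` and `^` forms: a rule such as `$Group![role == 'ADMIN']` reads as "only when every group is an admin group", but on a fresh database it is satisfied trivially, so combining it with a positive membership check (as the issue's `?[...]` example does) is the safer shape.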