fix: check attribute function shouldn't delegate "postUpdate" rules (#1663)

ymc9 · web-flow · commit 62c624d55b2c · 2024-08-26T23:01:44.000-07:00
diff --git a/packages/schema/src/plugins/enhancer/policy/expression-writer.ts b/packages/schema/src/plugins/enhancer/policy/expression-writer.ts
@@ -815,8 +815,15 @@ export class ExpressionWriter {
         }
 
         this.block(() => {
-            const targetGuardFunc = getQueryGuardFunctionName(targetModel, undefined, false, operation);
-            this.writer.write(`${fieldRef.target.$refText}: ${targetGuardFunc}(context, db)`);
+            if (operation === 'postUpdate') {
+                // 'postUpdate' policies are not delegated to relations, just use constant `false` here
+                // e.g.:
+                //   @@allow('all', check(author)) should not delegate "postUpdate" to author
+                this.writer.write(`${fieldRef.target.$refText}: ${FALSE}`);
+            } else {
+                const targetGuardFunc = getQueryGuardFunctionName(targetModel, undefined, false, operation);
+                this.writer.write(`${fieldRef.target.$refText}: ${targetGuardFunc}(context, db)`);
+            }
         });
     }
 }
diff --git a/tests/regression/tests/issue-1642.test.ts b/tests/regression/tests/issue-1642.test.ts
@@ -0,0 +1,40 @@
+import { loadSchema } from '@zenstackhq/testtools';
+describe('issue 1642', () => {
+    it('regression', async () => {
+        const { prisma, enhance } = await loadSchema(
+            `
+            model User {
+                id Int @id
+                name String
+                posts Post[]
+
+                @@allow('read', true)
+                @@allow('all', auth().id == 1)
+            }
+
+            model Post {
+                id Int @id
+                title String
+                description String
+                author User @relation(fields: [authorId], references: [id])
+                authorId Int
+
+                // delegate all access policies to the author:
+                @@allow('all', check(author))
+
+                @@allow('update', future().title == 'hello')
+            }
+            `
+        );
+
+        await prisma.user.create({ data: { id: 1, name: 'User1' } });
+        await prisma.post.create({ data: { id: 1, title: 'hello', description: 'desc1', authorId: 1 } });
+
+        const db = enhance({ id: 2 });
+        await expect(
+            db.post.update({ where: { id: 1 }, data: { title: 'world', description: 'desc2' } })
+        ).toBeRejectedByPolicy();
+
+        await expect(db.post.update({ where: { id: 1 }, data: { description: 'desc2' } })).toResolveTruthy();
+    });
+});

Original file line number	Diff line number	Diff line change
`@@ -815,8 +815,15 @@ export class ExpressionWriter {`
`815`	`815`	`}`
`816`	`816`
`817`	`817`	`this.block(() => {`
`818`		`- const targetGuardFunc = getQueryGuardFunctionName(targetModel, undefined, false, operation);`
`819`		- this.writer.write(`${fieldRef.target.$refText}: ${targetGuardFunc}(context, db)`);
	`818`	`+ if (operation === 'postUpdate') {`
	`819`	+ // 'postUpdate' policies are not delegated to relations, just use constant `false` here
	`820`	`+ // e.g.:`
	`821`	`+ // @@allow('all', check(author)) should not delegate "postUpdate" to author`
	`822`	+ this.writer.write(`${fieldRef.target.$refText}: ${FALSE}`);
	`823`	`+ } else {`
	`824`	`+ const targetGuardFunc = getQueryGuardFunctionName(targetModel, undefined, false, operation);`
	`825`	+ this.writer.write(`${fieldRef.target.$refText}: ${targetGuardFunc}(context, db)`);
	`826`	`+ }`
`820`	`827`	`});`
`821`	`828`	`}`
`822`	`829`	`}`