Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy filtering should respect field-level access policies #1454

Closed
ymc9 opened this issue May 17, 2024 · 1 comment
Closed

Policy filtering should respect field-level access policies #1454

ymc9 opened this issue May 17, 2024 · 1 comment
Labels
in-progress
Milestone
v2.2.0

Comments

@ymc9
Copy link
Member

ymc9 commented May 17, 2024
edited
Loading

When you use relation fields in query filters, ZenStack automatically injects the policies for the related model, so that the policies are still effective even if you're only filtering but not retrieving data.

E.g., for model:

model User {
  ...
  role String
  posts Post[]
  @@allow('read', auth() == this)
}

model Post {
  ...
  author User? @relation(...)
  authorId Int?
}

If you query with:

db.post.findMany({ where: { author: { role: 'Author' } } })

The result will be filtered to exclude posts whose author field (User) is not readable. The reasoning is since you can't read the author field, you can't access its role field, so the role: 'Author' filter will evaluate to false.

However, the automatic relation filtering doesn't respect field-level access policies yet. There are two aspects about this problem:

  1. If the related model is readable but some of the fields used to filter are not (due to field-level policies), ZenStack should behave as if the model were not readable.
model User {
  ...
  role String @deny('read', true)
  posts Post[]
  @@allow('read', true)
}
  1. If the related model is NOT readable but all of the fields used to filter are readable (due to field-level override policies), ZenStack should behave as if the model were readable.
model User {
  ...
  role String @allow('read', true, true)
  posts Post[]
  @@allow('read', false)
}
@ymc9 ymc9 added this to the v2.2.0 milestone May 17, 2024
ymc9 added a commit that referenced this issue Jun 9, 2024
@ymc9
fix(policy): relation filter should respect field-level policies
9dc3314 
Fixes #1454
@ymc9 ymc9 mentioned this issue Jun 9, 2024
Merged
@ymc9
Copy link
Member Author

ymc9 commented Jun 10, 2024

Fixed in v2.2.0

@ymc9 ymc9 closed this as completed Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in-progress
Projects
None yet
Milestone
v2.2.0
Development

No branches or pull requests
1 participant
@ymc9