Open anotheri opened 17 hours ago
Hey! Thanks for the detailed issue. I want to setup a test case for this and then work from there - could you share the relevant parts of your Prisma schema (or a representative example)?
@alexolivier sure,
datasource db {
provider = "mysql"
url = env("DATABASE_URL")
}
generator client {
provider = "prisma-client-js"
// https://github.com/prisma/prisma-client-js/issues/616#issuecomment-616107821
binaryTargets = ["native", "darwin", "debian-openssl-3.0.x", "linux-musl", "linux-musl-openssl-3.0.x"]
previewFeatures = ["tracing"]
}
model User {
id Int @id @default(autoincrement()) @db.UnsignedInt
email String @unique @db.VarChar(50)
passwordHash String @map("password_hash") @db.VarChar(255)
// relation to many Roles
roles Role[]
@@map("users")
}
model Role {
id Int @id @default(autoincrement()) @map("ur_id") @db.UnsignedInt
name String @unique @map("ur_name") @db.VarChar(50)
// relation to many Users
users User[]
@@map("roles")
}
I use Prisma and I have a problem to make a consistent solution for the "is any related item" check with both
prisma-plan-adaptor
andcerbos.checkResources
implementations.So I have
N:M
relations betweenUser
andRole
models.And policy like this:
Option 1
hasUsers1: ({} in R.attr.users)
it works as expected with Prisma plan adapter and returnsKIND_CONDITIONAL
plan with{"NOT":{"users":{"some":{}}}}
filters, but when i check the resource fordelete
action permissions, it returnsEFFECT_ALLOW
. I populate and pass the list of users into thecheckResources
request (ideally, i'd like to avoid this population if possible):and i'm get back
results
as:Option 2
hasUsers2: size(R.attr.users) > 0
- i've tried to use it as alternative solution and it works as expected withcerbos.checkResources
and the same payload as I mentioned above but it seems that Prisma plan adapter doesn't supportsize
method and it throws the error with the following error stack:And the query plan i pass into
queryPlanToPrisma
looks like this:Option 3
hasUsers3: R.attr._count.users > 0
i've tried it as another approach (instead of actual population of the users, just to count the related users) and check this number, in this case it works as expected till the DB request. Prisma throws the error because Role model has no_count
field, which exists in plan-adapter filters:KIND_CONDITIONAL {"NOT":{"_count":{"users":{"gt":0}}}}
.The error says:
Solution?
I've tried to combine the options, like this
hasUsers1or3: ({} in R.attr.users) || (R.attr._count.users > 0)
which kind of makes sense to me, but i didn't find a way to sayqueryPlanToPrisma
via fieldMapper/relationMapper that_count
condition should be ignorred in this case. So I'm looking for advice on how to make it properly?