zenstackhq / zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License

Update permission buggy when used in @@deny #1235

Closed baenio closed 6 months ago

baenio commented 6 months ago

Description and expected behavior

While writing the policies, I found out that the update permission in my @@deny is not working as expected. The following two policies will still update the id:

@@deny("update", future().id != id)
@@allow("update", true)

I also found out that I can't run npx zenstack generate when I write it like this:

@@deny("update", future().id != this.id)

// error
node_modules/.zenstack/policy.ts:1130:29 - error TS2304: Cannot find name 'id'.

Environment:

baenio commented 6 months ago

There is, of course, a workaround for that, but I think that it should still be possible to write it as I did initially. In particular, the allow policy will be much longer, which will lead to unreadability.

// workaround, which will work
@@allow("update", future().id == id)
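
The following is an added illustration, not part of the thread and not ZenStack's implementation. It models the semantics the report expects, assuming that a matching deny rule overrides any allow rule and that future() refers to the row after the update, and checks that the reported deny/allow pair and the workaround then give the same decisions. All type and function names are hypothetical, and the sample row and patches are constructed.

```typescript
// Toy model of update-policy evaluation (hypothetical names, not ZenStack code).
type Row = { id: number; name: string };

// A rule sees the row before the update (`cur`) and after it (`fut`),
// where `fut` plays the role of future() in the policy expressions.
type Rule = (cur: Row, fut: Row) => boolean;
interface Policy { allow: Rule[]; deny: Rule[]; }

// Assumed semantics: any matching deny rejects the update;
// otherwise at least one allow rule must match.
function canUpdate(policy: Policy, cur: Row, patch: Partial<Row>): boolean {
  const fut: Row = { ...cur, ...patch };
  if (policy.deny.some((rule) => rule(cur, fut))) return false;
  return policy.allow.some((rule) => rule(cur, fut));
}

// @@deny("update", future().id != id) together with @@allow("update", true)
const reported: Policy = {
  deny: [(cur, fut) => fut.id !== cur.id],
  allow: [() => true],
};

// @@allow("update", future().id == id)
const workaround: Policy = {
  deny: [],
  allow: [(cur, fut) => fut.id === cur.id],
};

// Constructed sample data: one row and a set of update payloads.
const row: Row = { id: 1, name: "a" };
const patches: Partial<Row>[] = [
  {}, { name: "b" }, { id: 1 }, { id: 2 }, { id: 2, name: "b" },
];

// Decision for every sample patch under the given policy.
function decisions(policy: Policy): boolean[] {
  return patches.map((p) => canUpdate(policy, row, p));
}

// True when both policy sets decide every sample patch identically.
function policiesAgree(): boolean {
  const a = decisions(reported);
  const b = decisions(workaround);
  return a.every((v, i) => v === b[i]);
}
```

A regression test against the real generator would assert the same outcome: an update that changes id is rejected under both forms of the policy.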