Open Milan-Bhl opened 4 months ago
Hi @mbhele-xrdigital , thanks for bringing this up.
The current design of policy behavior is explained here: https://zenstack.dev/docs/the-complete-guide/part1/access-policy/model-level#evaluation-of-model-level-policies.
Basically, for relation connect/disconnect, the side that gets the foreign key field update is required to be "updatable". However, implicit many-to-many is a special case because there's an implied "join table" that connects both sides. Currently, ZenStack is conservative and requires both sides to be updatable.
There was a suggestion for utilizing the field-level policies to fine-tune this behavior: https://github.com/zenstackhq/zenstack/issues/856
It hasn't been implemented yet.
Is your feature request related to a problem? Please describe. I have zmodels structured like this:
This works fine for normal scenarios of editing/updating/creating roles or permissions or users. But this causes us issues when we are just trying to associate Permissions (connect/disconnect) to a Role OR connecting/disconnecting roles from users.
The issue here is that UPDATE is rejected with error of ACCESS_POLICY_VIOLATION for e.g. while trying to assign a role to a user with
will fail with error
The problem is being caused by post-update check on modifiedById on both sides of the relationship.
Describe the solution you'd like Stop the post update checks when the modification is just connecting/disconnecting and not actual update of the model
Describe alternatives you've considered ...
Additional context ...