Closed CollinKempkes closed 4 months ago
Hi @CollinKempkes , thanks for reporting this. I'll look into it and let you know my findings.
Hi @CollinKempkes , I think this is related to how Postgres deals with NULL values.
For the "post-update" rule
@@deny("update",
deleted_at != null ||
future().deleted_at > now()
)
At the "post-update" check time, the deleted_at != null
is a constant false, so there's the future().deleted_at > now()
part to evaluate. ZenStack translate it to see if it can find the updated record with the following filter (the NOT is there because it's a deny rule):
{
NOT: {
deleted_at: { gt: new Date() }
}
}
This is translated to SQL by Prisma like:
SELECT "public"."test"."id" FROM "public"."test" WHERE (NOT "public"."test"."deleted_at" > ...)
In Postgres, because comparing anything with a NULL field results in NULL, the filter eventually evaluates to false, so the post-update rule check failed.
I think you can update the rule to be the following and it should work:
@@deny("update",
future().deleted_at != null &&
future().deleted_at > now()
)
It seems to work that way, good to know that data == null is not working well with this combination! :)
Thank you very much!
Description and expected behavior It seems that there is some kind of bug which breaks futures which date fields.
To reproduce do this:
test.spec
Result of the Test:
If I turn it to a positive permission (
allow
instead ofdeny
):then this happens inside the suite:
So the positive case (allow) is leading to an ignorance of the rule, while the negative case (deny) leads to unexpected errors. As on the deny it fails even though the
deleted_at
wasn't updated.Environment (please complete the following information):