zenstackhq / zenstack

Fullstack TypeScript toolkit enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License

Incorrect identification of cross-model field comparison for `auth()` access #1507

Closed ymc9 closed 2 weeks ago

ymc9 commented 2 weeks ago

```zmodel
model User {
    id Int @id @default(autoincrement())
    age Int
}

model Profile {
    id Int @id @default(autoincrement())
    age Int

    @@allow('read', auth().age == age)
}
```

```ts
await prisma.profile.create({ data: { age: 18 } });
await prisma.profile.create({ data: { age: 20 } });
const db = enhance({ id: 1, age: 18 });
await expect(db.profile.findMany()).resolves.toHaveLength(1);
await expect(db.profile.count()).resolves.toBe(1);
```

ymc9 commented 2 weeks ago

Fixed in v2.2.2