Open benjollymore opened 3 months ago
Looking at this for a bit longer (without a real understanding of Zenstack's inner machinations), is the following case where this is seen to be working actually cross model?
```zmodel
model CompanyAdmin extends Base {
  userId    String  @unique
  user      User    @relation(fields: [userId], references: [id], onDelete: Cascade)
  companyId String
  company   Company @relation(fields: [companyId], references: [id])

  @@allow('all', auth().superAdmin != null)
  @@allow('all', auth().companyAdmin.companyId == companyId) // no error for cross model read here
}
```
I suppose we are comparing the `companyAdmin` related to `auth()` to other members of the `CompanyAdmin` model, so this may not really be a cross model comparison and the fact that it is related to `auth()` may be a red herring.
There is no problem referring to cross models. But it's your responsibility to pass the right auth context to the `getPrisma` function. If you want to use nested related models (like in your example, where `companyAdmin` is a relation), you should query your db with the unenhanced prisma client on each request and pass it as auth context to the `getPrisma` function.
@Eliav2 Thank you for the response and sorry for taking so long to get back to you myself.
I am making a query that picks up all the nested relations for the user and passes that to `enhance`.
That code looks something like this and is executed every request:
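```typescript
import { enhance } from '@zenstackhq/runtime';

// Called on every request; `prisma` is the plain (unenhanced) client.
const getPrisma = () => {
  // user based on jwt with all relations fetched using vanilla prisma client
  const user: TUserWithRelations = getSessionUser();
  return enhance(prisma, { user });
};
```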
The error that I was referring to gets picked up by the Zenstack VSCode plugin and also prevents `pnpm zenstack generate` from succeeding.
When running `pnpm zenstack generate`:
VSCode plugin:
The names of the following vary slightly from the example above but the structure is virtually identical.
The above is on v2.3.2.
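Added example, not part of the thread and not ZenStack code: a pre-flight check for the advice above that the object handed to `enhance` must carry every relation the rules dereference through `auth()`. `missingAuthPaths`, `authContextFor`, `REQUIRED_AUTH_PATHS` and the sample users are hypothetical and constructed; it relies on Prisma omitting a relation key that was not included and returning `null` for an included optional relation with no row.

```typescript
// Added example (not ZenStack code). Paths are the ones the page's rules
// dereference: auth().superAdmin and auth().companyAdmin.companyId.
const REQUIRED_AUTH_PATHS = ["superAdmin", "companyAdmin.companyId"];

type Obj = Record<string, unknown>;

// Returns the paths that were never loaded. `null` on the way means the
// relation was included and has no row, which is a legitimate answer;
// `undefined` means the query (or the JWT payload) never carried it.
function missingAuthPaths(user: Obj, paths: string[] = REQUIRED_AUTH_PATHS): string[] {
  const missing: string[] = [];
  for (const path of paths) {
    let node: unknown = user;
    for (const key of path.split(".")) {
      if (node === null) break;
      const next = typeof node === "object" ? (node as Obj)[key] : undefined;
      if (next === undefined) {
        missing.push(path);
        break;
      }
      node = next;
    }
  }
  return missing;
}

// Fail closed and loudly instead of handing a partial user to enhance().
function authContextFor(user: Obj): { user: Obj } {
  const missing = missingAuthPaths(user);
  if (missing.length > 0) {
    throw new Error(`auth context not fully loaded: ${missing.join(", ")}`);
  }
  return { user };
}

// Constructed sample users.
const jwtOnly: Obj = { id: "u1" }; // claims only, no relations fetched
const adminUser: Obj = { id: "u2", superAdmin: null, companyAdmin: { companyId: "c1" } };
const plainUser: Obj = { id: "u3", superAdmin: null, companyAdmin: null };

console.log(missingAuthPaths(jwtOnly));
console.log(missingAuthPaths(adminUser));
console.log(missingAuthPaths(plainUser));
// Per request: enhance(prisma, authContextFor(userWithRelations))
```

Keeping the path list next to the schema makes a new `auth()` dereference in a rule show up as a failed request in testing rather than as a policy that quietly never matches.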
Description and expected behavior: Cross model comparison on models for 'read' checks works for models with a direct relation to the model backing `auth()` (User in the following example). It does not, however, work on models that do not have a direct relation to auth, and an error is thrown. The following behaviour can be observed with the schema below.
Reproducible Schema