zenstackhq / zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License

[Feature Request] Access policy allow field to be created only with default value #1587

Open jiashengguo opened 2 months ago

jiashengguo commented 2 months ago

For example, a Payment could be created by a customer, but the isPaid field should not be changeable by the customer; it could only be updated by the backend service after receiving the webhook callback.

model Payment {
   ...
   isPaid Boolean @default(false) @deny('create', true)
   @@allow('create, read', auth() == owner)
}

However, the current field-level access policy doesn't allow controlling the 'create' policy.

genu commented 12 hours ago

Is there a workaround for this limitation at the moment?

jiashengguo commented 48 minutes ago

I think there are two workarounds you can use:

  1. Use a field access policy to deny update.

     isPaid Boolean @default(false) @deny('update', true)

    But you need to make sure that isPaid is never provided when calling the create function.

  2. Use @ignore

     isPaid Boolean @default(false) @ignore

    The trade-off is that you have to use raw SQL to update it, since it is excluded from the Prisma client.
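The first workaround puts one obligation on the API layer that the schema cannot express: the `@deny('update', true)` rule stops customers from changing isPaid later, but nothing stops a client from sending isPaid in the create payload, so the server has to reject it before the create call reaches the enhanced Prisma client. The following is an added example, not code from ZenStack or from anyone in this thread; the `PaymentStore` class is an in-memory stand-in for the Prisma client (an assumption so it runs offline), and the `findServerOnlyFields` / `markPaidFromWebhook` names are hypothetical.

```typescript
// Added example, not ZenStack's or the issue participants' code. It shows what
// workaround 1 leaves to the API layer: reject isPaid on customer create so the
// schema @default(false) applies, allowlist customer-updatable fields (the
// effect of @deny('update', true)), and keep a separate backend-only path that
// flips isPaid after the webhook is verified. PaymentStore stands in for the
// Prisma client so the example runs offline (assumption).

type Payment = { id: number; ownerId: string; amount: number; isPaid: boolean };

// Fields customers may never supply on create; their value must come from @default.
const SERVER_ONLY_FIELDS = new Set<string>(['isPaid']);
// Fields customers may change on update (allowlist, so new columns are denied by default).
const CUSTOMER_UPDATABLE_FIELDS = new Set<string>(['amount']);

// Returns the server-only keys present in an untrusted request body.
function findServerOnlyFields(body: Record<string, unknown>): string[] {
  return Object.keys(body).filter((k) => SERVER_ONLY_FIELDS.has(k));
}

function parseAmount(v: unknown): number {
  if (typeof v !== 'number' || !Number.isFinite(v) || v <= 0) {
    throw new Error('invalid amount');
  }
  return v;
}

class PaymentStore {
  private rows = new Map<number, Payment>();
  private nextId = 1;

  // Customer create path. Rejecting (rather than silently stripping) keeps
  // tampering attempts visible in request logs.
  createForCustomer(ownerId: string, body: Record<string, unknown>): Payment {
    const bad = findServerOnlyFields(body);
    if (bad.length > 0) {
      throw new Error(`create rejected: server-only field(s) supplied: ${bad.join(', ')}`);
    }
    const row: Payment = {
      id: this.nextId++,
      ownerId,
      amount: parseAmount(body.amount),
      isPaid: false, // what @default(false) yields when the field is absent
    };
    this.rows.set(row.id, row);
    return row;
  }

  // Customer update path: owner check (auth() == owner) plus the field
  // allowlist, which is what @deny('update', true) on isPaid amounts to.
  updateForCustomer(ownerId: string, id: number, body: Record<string, unknown>): Payment {
    const row = this.rows.get(id);
    if (!row || row.ownerId !== ownerId) throw new Error('not found');
    for (const k of Object.keys(body)) {
      if (!CUSTOMER_UPDATABLE_FIELDS.has(k)) throw new Error(`update rejected: field ${k} is denied`);
    }
    if ('amount' in body) {
      if (row.isPaid) throw new Error('update rejected: payment already settled');
      row.amount = parseAmount(body.amount);
    }
    return row;
  }

  // Backend-only path, invoked only after the provider's webhook signature
  // has been verified; it never takes a client-supplied body.
  markPaidFromWebhook(id: number): Payment {
    const row = this.rows.get(id);
    if (!row) throw new Error('not found');
    row.isPaid = true;
    return row;
  }

  get(id: number): Payment | undefined {
    return this.rows.get(id);
  }
}
```

In a real handler the two customer methods would wrap calls on the ZenStack-enhanced client and `markPaidFromWebhook` would use the plain, unenhanced client from the webhook route; the point is that the create-time check lives in application code, because with workaround 1 the schema alone does not provide it.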