Closed baenio closed 1 month ago
Many thanks for reporting this @baenio! It's a tricky one. ZenStack internally has a "post-update" policy kind for rules involving future(). If there's no future() call, the "post-update" check always passes.
The check(author) call delegates all policy checks (including "post-update") to author, and since User doesn't have any future() rule, "post-update" always passes.
I agree this is very unintuitive. I'm making a fix to stop delegating "post-update" through check() calls.
Fixed in 2.5.0
Description and expected behavior
After trying to implement the new check() function in the access control, I found out that when adding the future() function in another policy, it will kinda overwrite the delegated policies. After removing
@@allow('update', future().title == 'hello')
everything seems to be working normally.
Example
Environment (please complete the following information):