Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
Description and expected behavior
After trying to create a deny access policy in a schema, I found out, that the policy is not behaving the right way. This issue seems to be related to a one-to-one relation in the schema.
Example
model User {
id Int @id @default(autoincrement())
profile Profile?
posts Post[]
}
model Profile {
id Int @id @default(autoincrement())
someText String
user User @relation(fields: [userId], references: [id])
userId Int @unique
}
model Post {
id Int @id @default(autoincrement())
title String
userId String
user User @relation(fields: [userId], references: [id])
// this will always be true, even if the someText field is "canUpdate"
@@deny("update", future().user.profile.someText != "canUpdate")
@@allow("all", true)
}
Description and expected behavior After trying to create a deny access policy in a schema, I found out, that the policy is not behaving the right way. This issue seems to be related to a one-to-one relation in the schema.
Example
Environment:
Additional context Related Discord thread: https://discord.com/channels/1035538056146595961/1273290058933469225