ymc9
commented
10 months ago A design challenge is how to provide the flexibility to allow permission checking given different granularity of conditions, from the weakest one (only giving model type and CRUD operation), to the strongest one (giving CRUD operation and its entire query/mutation input).
Moving some discussions on Discord here:
const db = enhance(prisma, { user: ... });
// check if the user can read any post, equivalent to `count > 0`
await db.post.check('read');
// check read with a filter, equivalent to `count > 0` with filter
await db.post.check('read', { where: ... });
// check if the user can possibly create, "possibly" means there exists at least one payload that can make the create succeed
await db.post.check('create');
// variation of the above, by requiring some payload field values but keep the rest "free"
await db.post.check('create', { data: ...});
// "delete" check is the same as "read", and "update" check is the same as "create"We can then expose the check API to the API layer (e.g., '/api/model/post/check'), and client hooks like:
const { data: canRead } = useCheckPost('read');
const { data: canCreate} = useCheckPost('create', { data: { published: true } });
gczh
Azzerty23
nahtnam
Is your feature request related to a problem? Please describe. I'd like to be able to check whether user has the permission to perform a create, update or delete operation so I could reflect it on the frontend.
Describe the solution you'd like A "simple" (ha ha) function on each record that optionally takes an input and returns a boolean that indicates whether the user has permission.
Describe alternatives you've considered Rewriting my zmodel permissions in an additional place as a separately callable function.
Additional context Brainstorming the structure, given the model
Foo: