zenstackhq / zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License
2.07k stars, 88 forks

[Feature Request] Field-level access policies #278

Closed ymc9 closed 1 year ago

ymc9 commented 1 year ago

Suggestion from @keanugrievs:

hits  Int @default(1)  @override("update", auth().id == user_id && future() == current() + 1)

Other thoughts:

hits Int @allow('update', future().hits == hits + 1)

potion-cellar commented 1 year ago

+1 for this

Would like to have some protected fields, for instance we have

model Organization {
    id                    Int                   @id @default(autoincrement())
    name                  String

    notes                 String?
}

where "notes" would be perhaps an internal, non-customer-facing field that only people with a certain role could view. Right now, to accomplish something similar using only zenstack middleware, we need to create a separate "OrganizationNotes" table with a 1-to-1 relationship and put access policies on that table.

I like the idea of being able to supply an @allow next to the column in question.

model Organization {
    id                    Int                   @id @default(autoincrement())
    name                  String

    notes                 String?          @allow('all', auth().role >= 3)
}

deiucanta commented 1 year ago

+1 for this

My use case is for read control on certain fields. I have a model where some fields should be private - visible only by admins and the author.

ymc9 commented 1 year ago

Fixed by #638

https://zenstack.dev/docs/reference/zmodel-language#field-level-policy
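The three use cases raised in this thread (an internal `notes` field readable only by role, a `hits` counter that may only be incremented by one by the row's owner, and a private field visible only to admins and the author) all come down to the same enforcement semantics: a read policy strips a field from the returned row, and an update policy is checked against both the stored row (`current()`) and the row as it would look after the write (`future()`). The block below is an added, stand-alone TypeScript illustration of those semantics written for this page; it is not ZenStack's implementation and does not use its API. It assumes plain-object rows, an `auth` context with numeric `id` and `role`, and ZenStack's rule that multiple `@allow` rules on the same target are OR'd (a field with no rule is unrestricted; `@deny` and model-level policies are left out of the example).

```typescript
// Added illustration (not ZenStack's code): a minimal in-memory evaluator for
// field-level access policies of the kind requested in this thread.
// Assumed shapes: rows are plain objects, `auth` is the current user context
// (or null when unauthenticated), and a policy is a predicate over
// (auth, current, future).

type Row = Record<string, unknown>;
type Auth = { id: number; role: number } | null;

// A field policy: which operation it guards and the condition that must hold.
// `current` is the row as stored; `future` is the row after the proposed update
// (for reads, current and future are the same object).
type FieldPolicy = {
  op: 'read' | 'update' | 'all';
  condition: (ctx: { auth: Auth; current: Row; future: Row }) => boolean;
};

type FieldPolicies = Record<string, FieldPolicy[]>;

// Policies transcribed from the examples in this thread (constructed for the demo).
const organizationPolicies: FieldPolicies = {
  // `notes` is internal: only users with role >= 3 may read or update it.
  notes: [{ op: 'all', condition: ({ auth }) => !!auth && auth.role >= 3 }],
};

const postPolicies: FieldPolicies = {
  // `hits` may only be incremented by exactly one, and only by the row's owner:
  // auth().id == user_id && future().hits == current().hits + 1
  hits: [{
    op: 'update',
    condition: ({ auth, current, future }) =>
      !!auth && auth.id === current.user_id && future.hits === (current.hits as number) + 1,
  }],
  // `draft` is private: visible to admins (role >= 3) and the author.
  draft: [{
    op: 'read',
    condition: ({ auth, current }) => !!auth && (auth.role >= 3 || auth.id === current.user_id),
  }],
};

function applies(p: FieldPolicy, op: 'read' | 'update'): boolean {
  return p.op === 'all' || p.op === op;
}

// Allow-rule semantics: no applicable rule means unrestricted; otherwise at
// least one applicable rule must pass (rules are OR'd).
function permitted(rules: FieldPolicy[], ctx: { auth: Auth; current: Row; future: Row }): boolean {
  return rules.length === 0 || rules.some((p) => p.condition(ctx));
}

// Read semantics: a field whose read policies do not pass is omitted from the
// result; the row itself is still returned and unrestricted fields are untouched.
function filterReadable(row: Row, policies: FieldPolicies, auth: Auth): Row {
  const out: Row = {};
  for (const [field, value] of Object.entries(row)) {
    const rules = (policies[field] ?? []).filter((p) => applies(p, 'read'));
    if (permitted(rules, { auth, current: row, future: row })) out[field] = value;
  }
  return out;
}

// Update semantics: every field touched by the patch must pass its update
// policies, evaluated against the stored row (`current`) and the row as it
// would look after the write (`future`). Returns the fields that would be
// rejected; an empty list means the update is permitted.
function rejectedUpdateFields(current: Row, patch: Row, policies: FieldPolicies, auth: Auth): string[] {
  const future: Row = { ...current, ...patch };
  const rejected: string[] = [];
  for (const field of Object.keys(patch)) {
    const rules = (policies[field] ?? []).filter((p) => applies(p, 'update'));
    if (!permitted(rules, { auth, current, future })) rejected.push(field);
  }
  return rejected;
}

// Sample rows (constructed).
const org: Row = { id: 1, name: 'Acme', notes: 'internal: renewal at risk' };
const post: Row = { id: 7, user_id: 42, hits: 10, draft: 'unpublished text' };

// Demo: staff sees notes, a customer does not; the owner may bump hits by one only.
const staff: Auth = { id: 1, role: 3 };
const customer: Auth = { id: 42, role: 1 };
console.log(filterReadable(org, organizationPolicies, staff));
console.log(filterReadable(org, organizationPolicies, customer));
console.log(rejectedUpdateFields(post, { hits: 11 }, postPolicies, customer));
console.log(rejectedUpdateFields(post, { hits: 12 }, postPolicies, customer));
```

The point worth noticing is that the `hits` rule needs both `current` and `future`: a check on the incoming value alone cannot express "increment by one", which is why the suggestions in the thread reach for `future()`/`current()` rather than a plain predicate on the new value. Read filtering is done field by field rather than by rejecting the whole row, matching the request that a customer still sees the organization while `notes` stays hidden.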