search

zenstackhq / zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License
2.07k stars 89 forks source link

[Feature Request] Automatically do a database fetch if the policy rules use fields not provided in the user context object #820

Open ymc9 opened 11 months ago

ymc9 commented 11 months ago

Background

One of the traps that ZenStack users frequently fall into is not providing all the fields needed in the user context object when calling enhance. Today, ZenStack doesn't do anything special when dealing with auth() expressions in access policy rules. It just translates it to the user context you provided.

const db = enhance(prisma, { user: { id: userId } });
model Post {
  ...
  @@allow('all', auth().role == 'ADMIN')  // <- this won't work
}

You're responsible for making sure all fields accessed from auth() are available.

It caused two problems:

  1. When you forget to do that, you get unexpected authorization results.
  2. There's no typing guarantee. The auth() call is resolved to the User model (or a model marked @@auth), which causes the illusion that it at least has all non-optional fields of the model. It's not the case if you don't provide those fields.

Proposed Solution

  1. Make enhance() automatically analyze what fields are accessed from auth() and do a database fetch for the missing ones.
  2. This means its signature needs to be changed to return a Promise.
  3. Or, we can make the feature opt-in and introduce an overloaded version of enhance() that enables the auto-fetching and returns a Promise, and keep the original one unchanged (thus no breaking changes).
ymc9 commented 11 months ago

Just realized to do that we need to change enhance to an async API. It'll be a breaking change. Punting to V2.