fix: nullify field instead of reject when an optional relation field is not readable (#588)

Author: ymc9

packages/plugins/swr/tests/swr.test.ts

@@ -50,10 +50,11 @@ plugin swr {
 
 ${sharedModel}
         `,
-            true,
-            false,
-            [`${origDir}/dist`, 'react', '@types/react', 'swr'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, 'react', '@types/react', 'swr'],
+                compile: true,
+            }
         );
     });
 });

packages/plugins/tanstack-query/tests/plugin.test.ts

@@ -51,10 +51,16 @@ plugin tanstack {
 
 ${sharedModel}
         `,
-            true,
-            false,
-            [`${origDir}/dist`, 'react@18.2.0', '@types/react@18.2.0', '@tanstack/react-query@4.29.7'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [
+                    `${origDir}/dist`,
+                    'react@18.2.0',
+                    '@types/react@18.2.0',
+                    '@tanstack/react-query@4.29.7',
+                ],
+                compile: true,
+            }
         );
     });
 
@@ -69,10 +75,11 @@ plugin tanstack {
 
 ${sharedModel}
         `,
-            true,
-            false,
-            [`${origDir}/dist`, 'svelte@^3.0.0', '@tanstack/svelte-query@4.29.7'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, 'svelte@^3.0.0', '@tanstack/svelte-query@4.29.7'],
+                compile: true,
+            }
         );
     });
 });

packages/plugins/trpc/tests/trpc.test.ts

@@ -48,10 +48,12 @@ model Foo {
     @@ignore
 }
         `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
+                compile: true,
+                fullZod: true,
+            }
         );
     });
 
@@ -88,10 +90,12 @@ model Foo {
     @@ignore
 }
         `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
+                compile: true,
+                fullZod: true,
+            }
         );
         expect(fs.existsSync(path.join(projectDir, 'trpc'))).toBe(true);
     });
@@ -116,11 +120,13 @@ model Post {
     authorId String?
 }
         `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
-            true,
-            'zenstack/schema.zmodel'
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
+                compile: true,
+                fullZod: true,
+                customSchemaFilePath: 'zenstack/schema.zmodel',
+            }
         );
         expect(fs.existsSync(path.join(projectDir, 'zenstack/trpc'))).toBe(true);
     });
@@ -139,11 +145,13 @@ model Post {
     title String
 }
         `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
-            true,
-            'zenstack/schema.zmodel'
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
+                compile: true,
+                fullZod: true,
+                customSchemaFilePath: 'zenstack/schema.zmodel',
+            }
         );
         const content = fs.readFileSync(path.join(projectDir, 'zenstack/trpc/routers/Post.router.ts'), 'utf-8');
         expect(content).toContain('findMany:');
@@ -167,11 +175,13 @@ model Post {
     title String
 }
         `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
-            true,
-            'zenstack/schema.zmodel'
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server'],
+                compile: true,
+                fullZod: true,
+                customSchemaFilePath: 'zenstack/schema.zmodel',
+            }
         );
         const content = fs.readFileSync(path.join(projectDir, 'zenstack/trpc/routers/Post.router.ts'), 'utf-8');
         expect(content).toContain('findMany:');
@@ -211,10 +221,12 @@ model Post {
 
             ${BLOG_BASE_SCHEMA}
             `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server', '@trpc/react-query'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server', '@trpc/react-query'],
+                compile: true,
+                fullZod: true,
+            }
         );
     });
 
@@ -229,10 +241,12 @@ model Post {
 
             ${BLOG_BASE_SCHEMA}
             `,
-            true,
-            false,
-            [`${origDir}/dist`, '@trpc/client', '@trpc/server', '@trpc/next'],
-            true
+            {
+                pushDb: false,
+                extraDependencies: [`${origDir}/dist`, '@trpc/client', '@trpc/server', '@trpc/next'],
+                compile: true,
+                fullZod: true,
+            }
         );
     });
 });

packages/runtime/src/constants.ts

@@ -19,11 +19,23 @@ export const GUARD_FIELD_NAME = 'zenstack_guard';
 export const AUXILIARY_FIELDS = [TRANSACTION_FIELD_NAME, GUARD_FIELD_NAME];
 
 /**
- * Reasons for a CRUD operation to fail.
+ * Reasons for a CRUD operation to fail
  */
 export enum CrudFailureReason {
     /**
      * CRUD suceeded but the result was not readable.
      */
     RESULT_NOT_READABLE = 'RESULT_NOT_READABLE',
+
+    /**
+     * CRUD failed because of a data validation rule violation.
+     */
+    DATA_VALIDATION_VIOLATION = 'DATA_VALIDATION_VIOLATION',
+}
+
+/**
+ * Prisma error codes used
+ */
+export enum PrismaErrorCode {
+    CONSTRAINED_FAILED = 'P2004',
 }

packages/runtime/src/enhancements/policy/policy-utils.ts

@@ -6,7 +6,14 @@ import { lowerCaseFirst } from 'lower-case-first';
 import pluralize from 'pluralize';
 import { upperCaseFirst } from 'upper-case-first';
 import { fromZodError } from 'zod-validation-error';
-import { AUXILIARY_FIELDS, CrudFailureReason, GUARD_FIELD_NAME, TRANSACTION_FIELD_NAME } from '../../constants';
+import {
+    AUXILIARY_FIELDS,
+    CrudFailureReason,
+    GUARD_FIELD_NAME,
+    PrismaErrorCode,
+    TRANSACTION_FIELD_NAME,
+} from '../../constants';
+import { isPrismaClientKnownRequestError } from '../../error';
 import {
     AuthUser,
     DbClientContract,
@@ -402,7 +409,26 @@ export class PolicyUtil {
                             //         `Validating read of to-one relation: ${fieldInfo.type}#${formatObject(ids)}`
                             //     );
                             // }
-                            await this.checkPolicyForFilter(fieldInfo.type, ids, operation, this.db);
+                            try {
+                                await this.checkPolicyForFilter(fieldInfo.type, ids, operation, this.db);
+                            } catch (err) {
+                                if (
+                                    isPrismaClientKnownRequestError(err) &&
+                                    err.code === PrismaErrorCode.CONSTRAINED_FAILED
+                                ) {
+                                    // denied by policy
+                                    if (fieldInfo.isOptional) {
+                                        // if the relation is optional, just nullify it
+                                        entityData[field] = null;
+                                    } else {
+                                        // otherwise reject
+                                        throw err;
+                                    }
+                                } else {
+                                    // unknown error
+                                    throw err;
+                                }
+                            }
                         }
                     }
 
@@ -772,7 +798,7 @@ export class PolicyUtil {
         return prismaClientKnownRequestError(
             this.db,
             `denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`,
-            { clientVersion: getVersion(), code: 'P2004', meta: { reason } }
+            { clientVersion: getVersion(), code: PrismaErrorCode.CONSTRAINED_FAILED, meta: { reason } }
         );
     }
 
@@ -864,7 +890,12 @@ export class PolicyUtil {
                 if (this.logger.enabled('info')) {
                     this.logger.info(`entity ${model} failed schema check for operation ${operation}: ${error}`);
                 }
-                throw this.deniedByPolicy(model, operation, `entities failed schema check: [${error}]`);
+                throw this.deniedByPolicy(
+                    model,
+                    operation,
+                    `entities failed schema check: [${error}]`,
+                    CrudFailureReason.DATA_VALIDATION_VIOLATION
+                );
             }
         } else {
             // count entities with policy injected and see if any of them are filtered out

packages/schema/src/cli/plugin-runner.ts

@@ -99,38 +99,49 @@ export class PluginRunner {
         }
 
         // make sure prerequisites are included
-        const corePlugins = ['@core/prisma', '@core/model-meta', '@core/access-policy'];
+        const corePlugins: Array<{ provider: string; options?: Record<string, unknown> }> = [
+            { provider: '@core/prisma' },
+            { provider: '@core/model-meta' },
+            { provider: '@core/access-policy' },
+        ];
 
         if (getDataModels(context.schema).some((model) => hasValidationAttributes(model))) {
             // '@core/zod' plugin is auto-enabled if there're validation rules
-            corePlugins.push('@core/zod');
+            corePlugins.push({ provider: '@core/zod', options: { modelOnly: true } });
         }
 
-        // core dependencies introduced by dependencies
+        // core plugins introduced by dependencies
         plugins
             .flatMap((p) => p.dependencies)
             .forEach((dep) => {
-                if (dep.startsWith('@core/') && !corePlugins.includes(dep)) {
-                    corePlugins.push(dep);
+                if (dep.startsWith('@core/')) {
+                    const existing = corePlugins.find((p) => p.provider === dep);
+                    if (existing) {
+                        // reset options to default
+                        existing.options = undefined;
+                    } else {
+                        // add core dependency
+                        corePlugins.push({ provider: dep });
+                    }
                 }
             });
 
         for (const corePlugin of corePlugins.reverse()) {
-            const existingIdx = plugins.findIndex((p) => p.provider === corePlugin);
+            const existingIdx = plugins.findIndex((p) => p.provider === corePlugin.provider);
             if (existingIdx >= 0) {
                 // shift the plugin to the front
                 const existing = plugins[existingIdx];
                 plugins.splice(existingIdx, 1);
                 plugins.unshift(existing);
             } else {
                 // synthesize a plugin and insert front
-                const pluginModule = require(this.getPluginModulePath(corePlugin));
-                const pluginName = this.getPluginName(pluginModule, corePlugin);
+                const pluginModule = require(this.getPluginModulePath(corePlugin.provider));
+                const pluginName = this.getPluginName(pluginModule, corePlugin.provider);
                 plugins.unshift({
                     name: pluginName,
-                    provider: corePlugin,
+                    provider: corePlugin.provider,
                     dependencies: [],
-                    options: { schemaPath: context.schemaPath, name: pluginName },
+                    options: { schemaPath: context.schemaPath, name: pluginName, ...corePlugin.options },
                     run: pluginModule.default,
                     module: pluginModule,
                 });
@@ -154,7 +165,9 @@ export class PluginRunner {
 
         let dmmf: DMMF.Document | undefined = undefined;
         for (const { name, provider, run, options } of plugins) {
+            // const start = Date.now();
             await this.runPlugin(name, run, context, options, dmmf, warnings);
+            // console.log(`✅ Plugin ${colors.bold(name)} (${provider}) completed in ${Date.now() - start}ms`);
             if (provider === '@core/prisma') {
                 // load prisma DMMF
                 dmmf = await getDMMF({

packages/schema/src/plugins/prisma/schema-generator.ts

@@ -23,6 +23,7 @@ import {
 import {
     analyzePolicies,
     getDataModels,
+    getDMMF,
     getLiteral,
     getLiteralArray,
     getPrismaVersion,
@@ -32,7 +33,6 @@ import {
     resolved,
     resolvePath,
     TRANSACTION_FIELD_NAME,
-    getDMMF
 } from '@zenstackhq/sdk';
 import fs from 'fs';
 import { writeFile } from 'fs/promises';