Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update permission buggy when used in @@deny #1235

Closed
baenio opened this issue Apr 10, 2024 · 1 comment
Closed

Update permission buggy when used in @@deny #1235

baenio opened this issue Apr 10, 2024 · 1 comment
Labels
in-progress
Milestone
v1.13.0

Comments

@baenio
Copy link

baenio commented Apr 10, 2024
edited
Loading

Description and expected behavior
While writing the policies, I found out that the update permission in my @@deny is not working as expected. The following two policies will still update the id:

@@deny("update", future().id != id)
@@allow("update", true)

I also found out, that I can't run npx zenstack generate, when I write it like this:

@@deny("update", future().id != this.id)

// error
node_modules/.zenstack/policy.ts:1130:29 - error TS2304: Cannot find name 'id'.

Environment:

  • ZenStack version: 1.12.0
  • Prisma version: 5.12.1
  • Database type: Postgresql
@baenio
Copy link
Author

baenio commented Apr 10, 2024

There is of course a workaround for that, but I think, that it should still be possible to write it like initially. Especially the allow policy will be much longer, which will lead to unreadability.

// workaround, which will work
@@allow("update", future().id == id)

@ymc9 ymc9 added this to the v1.13.0 milestone Apr 11, 2024
@ymc9 ymc9 mentioned this issue Apr 11, 2024
Merged
@ymc9 ymc9 closed this as completed Apr 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in-progress
Projects
None yet
Milestone
v1.13.0
Development

No branches or pull requests
2 participants
@baenio @ymc9