chore(policy): add auth guard injection for list operations in Policy…

…ProxyHandler and PolicyUtil
zenstackhq · Jan 7, 2025 · 6879548 · 6879548
1 parent 1ccc6ac
commit 6879548
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/packages/runtime/src/enhancements/node/policy/handler.ts b/packages/runtime/src/enhancements/node/policy/handler.ts
@@ -140,6 +140,14 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
             return handleRejection();
         }
 
+        if (isList && !this.policyUtils.injectForList(this.prisma, this.model, _args)) {
+            if (this.shouldLogQuery) {
+                this.logger.info(`[policy] \`${actionName}\` ${this.model}: unconditionally denied`);
+            }
+
+            return handleRejection();
+        }
+
         this.policyUtils.injectReadCheckSelect(this.model, _args);
 
         if (this.shouldLogQuery) {

diff --git a/packages/runtime/src/enhancements/node/policy/policy-utils.ts b/packages/runtime/src/enhancements/node/policy/policy-utils.ts
@@ -652,6 +652,14 @@ export class PolicyUtil extends QueryUtils {
         return true;
     }
 
+    /**
+     * Injects auth guard for read operations.
+     */
+    injectForList(_db: CrudContract, _model: string, _args: any) {
+        // make select and include visible to the injection
+        return true;
+    }
+
     //#endregion
 
     //#region Checker