Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: additional fixes and tests related to cross-model field comparison #1496

Merged
merged 2 commits into from
Jun 9, 2024
Merged

fix: additional fixes and tests related to cross-model field comparison #1496

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
55be22f
fix: additional fixes and tests related to cross-model field comparison
ymc9 Jun 9, 2024
d0c0e76
fix test
ymc9 Jun 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions packages/schema/src/plugins/enhancer/policy/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,7 +483,9 @@ function hasCrossModelComparison(expr: Expression) {
}

function getSourceModelOfFieldAccess(expr: Expression) {
if (isDataModel(expr.$resolvedType?.decl)) {
// an expression that resolves to a data model and is part of a member access, return the model
// e.g.: profile.age => Profile
if (isDataModel(expr.$resolvedType?.decl) && isMemberAccessExpr(expr.$container)) {
return expr.$resolvedType?.decl;
}

Expand All @@ -497,7 +499,7 @@ function getSourceModelOfFieldAccess(expr: Expression) {
return getContainerOfType(expr, isDataModel);
}

// direct field reference
// direct field reference, return the model
if (isDataModelFieldReference(expr)) {
return (expr.target.ref as DataModelField).$container;
}
Expand Down
185 changes: 181 additions & 4 deletions tests/integration/tests/enhancements/with-policy/cross-model-field-comparison.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -769,8 +769,8 @@ describe('Cross-model field comparison', () => {
await expect(db.user.update({ where: { id: 1 }, data: { age: 25 } })).toResolveTruthy();
});

it('with auth', async () => {
const { prisma, enhance } = await loadSchema(
it('with auth case 1', async () => {
const { enhance } = await loadSchema(
`
model User {
id Int @id @default(autoincrement())
Expand Down Expand Up @@ -803,8 +803,7 @@ describe('Cross-model field comparison', () => {
level Int
@@allow('all', true)
}
`,
{ preserveTsFiles: true }
`
);

await expect(enhance().post.create({ data: { title: 'P1' } })).toBeRejectedByPolicy();
Expand All @@ -820,4 +819,182 @@ describe('Cross-model field comparison', () => {
})
).toResolveTruthy();
});

it('with auth case 2', async () => {
const { prisma, enhance } = await loadSchema(
`
model User {
id Int @id @default(autoincrement())
teamMembership TeamMembership[]
@@allow('all', true)
}

model Team {
id Int @id @default(autoincrement())
permissions Permission[]
assets Asset[]
@@allow('all', true)
}

model Asset {
id Int @id @default(autoincrement())
name String
team Team @relation(fields: [teamId], references: [id])
teamId Int
@@allow('all', auth().teamMembership?[role.permissions?[name == 'ManageTeam' && teamId == this.teamId]])
@@allow('read', true)
}

model TeamMembership {
id Int @id @default(autoincrement())
role TeamRole?
user User @relation(fields: [userId], references: [id])
userId Int
@@allow('all', true)
}

model TeamRole {
id Int @id @default(autoincrement())
permissions Permission[]
membership TeamMembership @relation(fields: [membershipId], references: [id])
membershipId Int @unique
@@allow('all', true)
}

model Permission {
id Int @id @default(autoincrement())
name String
team Team @relation(fields: [teamId], references: [id])
teamId Int
role TeamRole @relation(fields: [roleId], references: [id])
roleId Int
@@allow('all', true)
}
`
);

const team1 = await prisma.team.create({ data: {} });
const team2 = await prisma.team.create({ data: {} });

const user = await prisma.user.create({
data: {
teamMembership: {
create: {
role: {
create: {
permissions: { create: [{ name: 'ManageTeam', team: { connect: { id: team1.id } } }] },
},
},
},
},
},
});

const asset = await prisma.asset.create({
data: { name: 'Asset1', team: { connect: { id: team1.id } } },
});

const dbTeam1 = enhance({
id: user.id,
teamMembership: [{ role: { permissions: [{ name: 'ManageTeam', teamId: team1.id }] } }],
});
await expect(dbTeam1.asset.update({ where: { id: asset.id }, data: { name: 'Asset2' } })).toResolveTruthy();

const dbTeam2 = enhance({
id: user.id,
teamMembership: [{ role: { permissions: [{ name: 'ManageTeam', teamId: team2.id }] } }],
});
await expect(
dbTeam2.asset.update({ where: { id: asset.id }, data: { name: 'Asset2' } })
).toBeRejectedByPolicy();
});

it('with auth case 3', async () => {
const { prisma, enhance } = await loadSchema(
`
model User {
id Int @id @default(autoincrement())
teamMembership TeamMembership[]
@@allow('all', true)
}

model Team {
id Int @id @default(autoincrement())
permissions Permission[]
assets Asset[]
@@allow('all', true)
}

model Asset {
id Int @id @default(autoincrement())
name String
team Team @relation(fields: [teamId], references: [id])
teamId Int
@@allow('all', auth().teamMembership?[role.permissions?[name == 'ManageTeam' && team == this.team]])
@@allow('read', true)
}

model TeamMembership {
id Int @id @default(autoincrement())
role TeamRole?
user User @relation(fields: [userId], references: [id])
userId Int
@@allow('all', true)
}

model TeamRole {
id Int @id @default(autoincrement())
permissions Permission[]
membership TeamMembership @relation(fields: [membershipId], references: [id])
membershipId Int @unique
@@allow('all', true)
}

model Permission {
id Int @id @default(autoincrement())
name String
team Team @relation(fields: [teamId], references: [id])
teamId Int
role TeamRole @relation(fields: [roleId], references: [id])
roleId Int
@@allow('all', true)
}
`
);

const team1 = await prisma.team.create({ data: {} });
const team2 = await prisma.team.create({ data: {} });

const user = await prisma.user.create({
data: {
teamMembership: {
create: {
role: {
create: {
permissions: { create: [{ name: 'ManageTeam', team: { connect: { id: team1.id } } }] },
},
},
},
},
},
});

const asset = await prisma.asset.create({
data: { name: 'Asset1', team: { connect: { id: team1.id } } },
});

const dbTeam1 = enhance({
id: user.id,
teamMembership: [{ role: { permissions: [{ name: 'ManageTeam', team: { id: team1.id } }] } }],
});
await expect(dbTeam1.asset.update({ where: { id: asset.id }, data: { name: 'Asset2' } })).toResolveTruthy();

const dbTeam2 = enhance({
id: user.id,
teamMembership: [{ role: { permissions: [{ name: 'ManageTeam', teamId: team2.id }] } }],
});
await expect(
dbTeam2.asset.update({ where: { id: asset.id }, data: { name: 'Asset2' } })
).toBeRejectedByPolicy();
});
});
Loading