fix: should not reject "update" when there's only field-level override but no model-level policy

Fixes #1014

Author: ymc9

packages/runtime/src/enhancements/policy/policy-utils.ts

@@ -319,7 +319,7 @@ export class PolicyUtil {
     /**
      * Checks if the given model has a policy guard for the given operation.
      */
-    hasAuthGuard(model: string, operation: PolicyOperationKind): boolean {
+    hasAuthGuard(model: string, operation: PolicyOperationKind) {
         const guard = this.policy.guard[lowerCaseFirst(model)];
         if (!guard) {
             return false;
@@ -328,6 +328,21 @@ export class PolicyUtil {
         return typeof provider !== 'boolean' || provider !== true;
     }
 
+    /**
+     * Checks if the given model has any field-level override policy guard for the given operation.
+     */
+    hasOverrideAuthGuard(model: string, operation: PolicyOperationKind) {
+        const guard = this.requireGuard(model);
+        switch (operation) {
+            case 'read':
+                return Object.keys(guard).some((k) => k.startsWith(FIELD_LEVEL_OVERRIDE_READ_GUARD_PREFIX));
+            case 'update':
+                return Object.keys(guard).some((k) => k.startsWith(FIELD_LEVEL_OVERRIDE_UPDATE_GUARD_PREFIX));
+            default:
+                return false;
+        }
+    }
+
     /**
      * Checks model creation policy based on static analysis to the input args.
      *
@@ -731,7 +746,7 @@ export class PolicyUtil {
         preValue?: any
     ) {
         let guard = this.getAuthGuard(db, model, operation, preValue);
-        if (this.isFalse(guard)) {
+        if (this.isFalse(guard) && !this.hasOverrideAuthGuard(model, operation)) {
             throw this.deniedByPolicy(
                 model,
                 operation,
@@ -904,7 +919,7 @@ export class PolicyUtil {
      */
     tryReject(db: Record<string, DbOperations>, model: string, operation: PolicyOperationKind) {
         const guard = this.getAuthGuard(db, model, operation);
-        if (this.isFalse(guard)) {
+        if (this.isFalse(guard) && !this.hasOverrideAuthGuard(model, operation)) {
             throw this.deniedByPolicy(model, operation, undefined, CrudFailureReason.ACCESS_POLICY_VIOLATION);
         }
     }

tests/integration/tests/regression/issue-1014.test.ts

@@ -0,0 +1,53 @@
+import { loadSchema } from '@zenstackhq/testtools';
+
+describe('issue 1014', () => {
+    it('update', async () => {
+        const { prisma, enhance } = await loadSchema(
+            `
+            model User {
+                id Int @id() @default(autoincrement())
+                name String
+                posts Post[]
+            }
+
+            model Post {
+                id Int @id() @default(autoincrement())
+                title String
+                content String?
+                author User? @relation(fields: [authorId], references: [id])
+                authorId Int? @allow('update', true, true)
+            
+                @@allow('read', true)
+            }
+            `,
+            { logPrismaQuery: true }
+        );
+
+        const db = enhance();
+
+        const user = await prisma.user.create({ data: { name: 'User1' } });
+        const post = await prisma.post.create({ data: { title: 'Post1' } });
+        await expect(db.post.update({ where: { id: post.id }, data: { authorId: user.id } })).toResolveTruthy();
+    });
+
+    it('read', async () => {
+        const { prisma, enhance } = await loadSchema(
+            `
+            model Post {
+                id Int @id() @default(autoincrement())
+                title String @allow('read', true, true)
+                content String
+            }
+            `,
+            { logPrismaQuery: true }
+        );
+
+        const db = enhance();
+
+        const post = await prisma.post.create({ data: { title: 'Post1', content: 'Content' } });
+        await expect(db.post.findUnique({ where: { id: post.id } })).toResolveNull();
+        await expect(db.post.findUnique({ where: { id: post.id }, select: { title: true } })).resolves.toEqual({
+            title: 'Post1',
+        });
+    });
+});