Unauthenticated users can read from tables

[Adhil523]

Description and expected behavior

Given the below schema, running db.gymUser.findMany() without authentication in the repl returns all the user data.

model Gym extends Base {
  // ...
  members            GymUser[]

  @@allow('all', auth().admin.role == "ADMIN")
  @@allow('create,read', auth() != null)
  @@allow('update', members?[user == auth() && role == "ADMIN"])
}

model GymUser extends Base {
  userID                 String
  user                   User             @relation(fields: [userID], references: [id])
  gymID                  String?
  gym                    Gym?             @relation(fields: [gymID], references: [id])
  role                   Role

  @@allow('create', auth() != null)
  @@allow('read',gym.members?[user == auth() && (role == "ADMIN" || role == "TRAINER")])
  @@allow('read,update', user == auth())
  @@allow('update', gym.members?[user == auth() && role == "ADMIN"])
  @@deny('update', future().userID != userID)

  @@unique([userID, gymID])

}

Prisma Queries

Query as anonymous user

{
  "where": {
    "OR": [
      {
        "OR": [
          {
            "gym": {
              "members": {
                "some": {
                  "AND": [
                    {
                      "OR": []
                    },
                    {
                      "OR": [
                        {
                          "role": {
                            "equals": "ADMIN"
                          }
                        },
                        {
                          "role": {
                            "equals": "TRAINER"
                          }
                        }
                      ]
                    }
                  ]
                }
              }
            }
          }
        ]
      }
    ]
  }
}

Query as an authenticated user

{
  "where": {
    "OR": [
      {
        "OR": [
          {
            "gym": {
              "members": {
                "some": {
                  "AND": [
                    {
                      "user": {
                        "is": {
                          "id": "clymmldqa0000cd0svaueud8d"
                        }
                      }
                    },
                    {
                      "OR": [
                        {
                          "role": {
                            "equals": "ADMIN"
                          }
                        },
                        {
                          "role": {
                            "equals": "TRAINER"
                          }
                        }
                      ]
                    }
                  ]
                }
              }
            }
          }
        ]
      }
    ]
  }
}

It seems like this part is the problem when auth() is null in this @@allow('read',gym.members?[user == auth() && (role == "ADMIN" || role == "TRAINER")])

           "gym": {
              "members": {
                "some": {
                  "AND": [
                    {
                      "OR": []
                    },

Expected behavior is that user==auth() part will fail, as the query was based on the example provided in the docs.

Environment (please complete the following information):

• ZenStack version: 2.0.1
• Prisma version: 5.12.1

Additional context
Might be related to #397

[sidharthv96]

Although the reference doc mentions a check to require login, it's not obvious how big of an issue not having it is.

    // require login
    @@deny('all', auth() == null)

From my mental model, this policy is used to check the role of the current user. So that check should never pass if the user is undefined, as user == auth() will never match because user is not an optional field.

  // space admin can update and delete
  @@allow('update,delete', members?[user == auth() && role == 'ADMIN'])

But the policy seems to behave in a fail-open mode, which is not what we expect from a security perspective.

For now, the fix is to add @@deny('all', auth() == null) to the Base model. But this is a pretty big foot gun for teams who might not know about this.

[ymc9]

Thanks for reporting and commenting @Adhil523 @sidharthv96 .

I still need to confirm, but I tend to believe this is related to this Prisma issue I reported quite a while ago:

prisma/prisma#21856

The background is that ZenStack internally uses an empty OR (OR: []) to represent a false condition, and Prisma doesn't behave consistently in different combinations.

[sidharthv96]

This seems like a prisma issue then. What are your thoughts on zenstack optimising queries? Is it out of scope?

{"where":{"OR":[{"OR":[{"gym":{"members":{"some":{"AND":[{"OR":[]},{"OR":[{"role":{"equals":"ADMIN"}},{"role":{"equals":"TRAINER"}}]}]}}}}]}]}}
{"where":{"OR":[{"OR":[{"gym":{"members":{"some":{"AND":[false,{"OR":[{"role":{"equals":"ADMIN"}},{"role":{"equals":"TRAINER"}}]}]}}}}]}]}}
{"where":{"OR":[{"OR":[{"gym":{"members":{"some":false}}}]}]}}
{"where":{"OR":[{"OR":[false]}]}}
{"where":false}
return [] or throw;

[ymc9]

This seems like a prisma issue then. What are your thoughts on zenstack optimising queries? Is it out of scope?

{"where":{"OR":[{"OR":[{"gym":{"members":{"some":{"AND":[{"OR":[]},{"OR":[{"role":{"equals":"ADMIN"}},{"role":{"equals":"TRAINER"}}]}]}}}}]}]}}
{"where":{"OR":[{"OR":[{"gym":{"members":{"some":{"AND":[false,{"OR":[{"role":{"equals":"ADMIN"}},{"role":{"equals":"TRAINER"}}]}]}}}}]}]}}
{"where":{"OR":[{"OR":[{"gym":{"members":{"some":false}}}]}]}}
{"where":{"OR":[{"OR":[false]}]}}
{"where":false}
return [] or throw;

Yes, I agree reduction is the way to go. And it's more than an optimization, but rather for correctness ... Will add it soon.