[Feature Request] Field-level access policies

[ymc9]

Suggestion from @keanugrievs:

hits  Int @default(1)  @override("update", auth().id == user_id && future() == current() + 1)

Other thoughts:

hits Int @allow('update', future().hits == hits + 1)

[potion-cellar]

+1 for this

Would like to have some protected fields, for instance we have

Organization {
    id                    Int                   @id @default(autoincrement())
    name                  String

    notes                 String?
}

where "notes" would be perhaps an internal, non-customer-facing field that only people with a certain role could view. Right now, to accomplish something similar using only zenstack middleware, we need to create a separate "OrganizationNotes" table with a 1-to-1 relationship and put access policies on that table.

I like the idea of being able to supply an @allow next to the column in question.

Organization {
    id                    Int                   @id @default(autoincrement())
    name                  String

    notes                 String?          @allow('all', auth().role >= 3)
}

[deiucanta]

+1 for this

My use case is for read control on certain fields. I have a model where some fields should be private - visible only by admins and the author.

[ymc9]

Fixed by #638

https://zenstack.dev/docs/reference/zmodel-language#field-level-policy