[BUG] Field level @deny generates function that denies access regardless whether true or false

[jasonmacdonald]

Description and expected behavior
The generated @ deny function will cause the policy to fail regardless of whether it evaluates to true or false, as the return object is always the same { OR: [] }.

Example:

...
role         Role     @deny('update', auth().role != 'ADMIN')
....
  @@allow('create,update,delete', auth().role == 'ADMIN')
  @@allow('update', auth() == this)
  @@allow('read', true)

Generated Function

function Membership$role_update(context, db) {
    const user = (0, runtime_1.hasAllFields)(context.user, ['id']) ? context.user : null;
    if (((user === null || user === void 0 ? void 0 : user.role) != 'ADMIN')) {
        return { OR: [] };
    }
    return { OR: [] };
}

Environment (please complete the following information):

• ZenStack version: 1.2.0
• Prisma version :5.2.2
• Database type: Postgresql

[ymc9]

 Thanks for filing this, @jasonmacdonald . Is it blocking you now? I'm scheduling it to V1.3 (around 11/15), but we can also make an earlier 1.2.1 release.

[jasonmacdonald]

I can work around it by adding an @allow on the same line. Not ideal, but fine for now. Unfortunately, I've hit another bug with buildReversedQuery where it seems to generate a malformed query, but I'm still trying to find the exact cause.

[ymc9]

Got it. If it's hard to track down you can put some code snippet here and I'll see if I can figure something out.

[jasonmacdonald]

I'll continue to look into it, but here is the error. As you can see, the membership part of the query is being inserted outside what I think should be the sibling some.

[API] UncaughtException [ExternalExceptionFilter] [+6m] 
{
  stack: 'Error calling enhanced Prisma method `update`: \n' +
    'Invalid `prisma.profile.findFirst()` invocation:\n' +
    '\n' +
    '{\n' +
    '  where: {\n' +
    '    users: {\n' +
    '      some: {},\n' +
    '      memberships: {\n' +
    '      ~~~~~~~~~~~\n' +
    '        some: {\n' +
    '          id: "c6522acb-0c93-4956-9bd0-9932a9897628"\n' +
    '        }\n' +
    '      },\n' +
    '?     every?: UserWhereInput,\n' +
    '?     none?: UserWhereInput\n' +
    '    }\n' +
    '  },\n' +
    '  select: {\n' +
    '    id: true\n' +
    '  }\n' +
    '}\n' +
    '\n' +
    'Unknown argument `memberships`. Available options are marked with ?.\n' +
    '    at MembershipService.update (/dist/apps/backend/api/webpack:/libs/api/identity/src/lib/membership/membership.service.ts:98:69),\n' +
    '    at target (/node_modules/@nestjs/core/helpers/external-context-creator.js:74:28),\n' +
    '    at Object.membershipUpdate (/node_modules/@nestjs/core/helpers/external-proxy.js:9:24)'
    ```

[jasonmacdonald]

@ymc9 Replacing the line at

zenstack/packages/runtime/src/enhancements/policy/policy-utils.ts

Line 557 in ac3206b

currQuery = currQuery[currField.backLink];

with the following appears to fix the issue. But I'm not 100% sure if it breaks anything else.

currQuery = backLinkField.isArray ? currQuery[currField.backLink].some : currQuery[currField.backLink];

Unfortunately, this one is a blocker for us :(

[ymc9]

Got it. Let me dig deeper into it and hopefully come up with a fix today. Do you mind sharing the query that triggered it @jasonmacdonald ?

[jasonmacdonald]

Got it. Let me dig deeper into it and hopefully come up with a fix today. Do you mind sharing the query that triggered it @jasonmacdonald ?

I'll DM you on Discord as I'd prefer not to post it here :)

[ymc9]

Got it. Let me dig deeper into it and hopefully come up with a fix today. Do you mind sharing the query that triggered it @jasonmacdonald ?

I'll DM you on Discord as I'd prefer not to post it here :)

I'm thinking about the same thing and just sent you a request 😄.