zenstackhq · ymc9 · Nov 23, 2023 · Nov 23, 2023
diff --git a/packages/schema/src/cli/cli-util.ts b/packages/schema/src/cli/cli-util.ts
@@ -103,7 +103,7 @@ function validationAfterMerge(model: Model) {
     }
 
     // at most one `@@auth` model
-    const dataModels = getDataModels(model);
+    const dataModels = getDataModels(model, true);
     const authModels = dataModels.filter((d) => hasAttribute(d, '@@auth'));
     if (authModels.length > 1) {
         console.error(colors.red('Validation error: Multiple `@@auth` models are not allowed'));

diff --git a/packages/schema/src/plugins/access-policy/policy-guard-generator.ts b/packages/schema/src/plugins/access-policy/policy-guard-generator.ts
@@ -817,7 +817,7 @@ export default class PolicyGenerator {
         );
 
         if (hasAuthRef) {
-            const authModel = getAuthModel(getDataModels(model.$container));
+            const authModel = getAuthModel(getDataModels(model.$container, true));
             if (!authModel) {
                 throw new PluginError(name, 'Auth model not found');
             }

diff --git a/packages/sdk/src/utils.ts b/packages/sdk/src/utils.ts
@@ -34,8 +34,13 @@ import { PluginError, PluginOptions } from './types';
 /**
  * Gets data models that are not ignored
  */
-export function getDataModels(model: Model) {
-    return model.declarations.filter((d): d is DataModel => isDataModel(d) && !hasAttribute(d, '@@ignore'));
+export function getDataModels(model: Model, includeIgnored = false) {
+    const r = model.declarations.filter((d): d is DataModel => isDataModel(d));
+    if (includeIgnored) {
+        return r;
+    } else {
+        return r.filter((model) => !hasAttribute(model, '@@ignore'));
+    }
 }
 
 export function resolved<T extends AstNode>(ref: Reference<T>): T {

diff --git a/tests/integration/tests/enhancements/with-policy/auth.test.ts b/tests/integration/tests/enhancements/with-policy/auth.test.ts
@@ -213,6 +213,61 @@ describe('With Policy: auth() test', () => {
         await expect(adminDb.post.create({ data: { title: 'abc' } })).toResolveTruthy();
     });
 
+    it('User model ignored', async () => {
+        const { withPolicy } = await loadSchema(
+            `
+        model User {
+            id String @id @default(uuid())
+            role String
+
+            @@ignore
+        }
+
+        model Post {
+            id String @id @default(uuid())
+            title String
+
+            @@allow('read', true)
+            @@allow('create', auth().role == 'ADMIN')
+        }
+        `
+        );
+
+        const userDb = withPolicy({ id: 'user1', role: 'USER' });
+        await expect(userDb.post.create({ data: { title: 'abc' } })).toBeRejectedByPolicy();
+
+        const adminDb = withPolicy({ id: 'user1', role: 'ADMIN' });
+        await expect(adminDb.post.create({ data: { title: 'abc' } })).toResolveTruthy();
+    });
+
+    it('Auth model ignored', async () => {
+        const { withPolicy } = await loadSchema(
+            `
+        model Foo {
+            id String @id @default(uuid())
+            role String
+
+            @@auth()
+            @@ignore
+        }
+
+        model Post {
+            id String @id @default(uuid())
+            title String
+
+            @@allow('read', true)
+            @@allow('create', auth().role == 'ADMIN')
+        }
+        `
+        );
+
+        const userDb = withPolicy({ id: 'user1', role: 'USER' });
+        await expect(userDb.post.create({ data: { title: 'abc' } })).toBeRejectedByPolicy();
+
+        const adminDb = withPolicy({ id: 'user1', role: 'ADMIN' });
+        await expect(adminDb.post.create({ data: { title: 'abc' } })).toResolveTruthy();
+    });
+
     it('collection predicate', async () => {
         const { enhance, prisma } = await loadSchema(
             `