add test with auth

ymc9 · ymc9 · commit 2ab0b6ff334b · 2024-06-01T23:16:18.000+08:00
diff --git a/packages/schema/src/plugins/enhancer/policy/utils.ts b/packages/schema/src/plugins/enhancer/policy/utils.ts
@@ -199,13 +199,15 @@ export function generateSelectForRules(rules: Expression[], forAuthContext = fal
             }
         } else if (isCollectionPredicate(expr)) {
             const path = visit(expr.left);
+            // recurse into RHS
+            const rhs = collectReferencePaths(expr.right);
             if (path) {
-                // recurse into RHS
-                const rhs = collectReferencePaths(expr.right);
                 // combine path of LHS and RHS
                 return rhs.map((r) => [...path, ...r]);
             } else {
-                return [];
+                // LHS is not rooted from the current model,
+                // only keep RHS items that contains '$this'
+                return rhs.filter((r) => r.includes('$this'));
             }
         } else if (isInvocationExpr(expr)) {
             // recurse into function arguments
diff --git a/tests/integration/tests/enhancements/with-policy/cross-model-field-comparison.test.ts b/tests/integration/tests/enhancements/with-policy/cross-model-field-comparison.test.ts
@@ -768,4 +768,56 @@ describe('Cross-model field comparison', () => {
         await prisma.user.update({ where: { id: 1 }, data: { age: 21 } });
         await expect(db.user.update({ where: { id: 1 }, data: { age: 25 } })).toResolveTruthy();
     });
+
+    it('with auth', async () => {
+        const { prisma, enhance } = await loadSchema(
+            `
+        model User {
+            id Int @id @default(autoincrement())
+            permissions Permission[]
+            @@allow('all', true)
+        }
+
+        model Permission {
+            id Int @id @default(autoincrement())
+            user User @relation(fields: [userId], references: [id])
+            userId Int
+            model String
+            level Int
+            @@allow('all', true)
+        }
+        
+        model Post {
+            id Int @id @default(autoincrement())
+            title String
+            permission PostPermission?
+
+            @@allow('read', true)
+            @@allow("create", auth().permissions?[model == 'Post' && level == this.permission.level])
+        }
+
+        model PostPermission {
+            id Int @id @default(autoincrement())
+            post Post @relation(fields: [postId], references: [id])
+            postId Int @unique
+            level Int
+            @@allow('all', true)
+        }
+        `,
+            { preserveTsFiles: true }
+        );
+
+        await expect(enhance().post.create({ data: { title: 'P1' } })).toBeRejectedByPolicy();
+        await expect(
+            enhance({ id: 1, permissions: [{ model: 'Foo', level: 1 }] }).post.create({ data: { title: 'P1' } })
+        ).toBeRejectedByPolicy();
+        await expect(
+            enhance({ id: 1, permissions: [{ model: 'Post', level: 1 }] }).post.create({ data: { title: 'P1' } })
+        ).toBeRejectedByPolicy();
+        await expect(
+            enhance({ id: 1, permissions: [{ model: 'Post', level: 1 }] }).post.create({
+                data: { title: 'P1', permission: { create: { level: 1 } } },
+            })
+        ).toResolveTruthy();
+    });
 });
