feat: field-level access control (#557)

* WIP

* WIP: implement read policies

* fix tests

* Update packages/plugins/policy/src/policy-handler.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix name mapper

* fix tests

* fix build

* implement update field-level policies

* update tests

* update tests

* add more tests

* add more tests

* simplify queries

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: ymc9

TODO.md

@@ -77,7 +77,6 @@
         - [x] JSDoc for CRUD methods
         - [x] Cache validation schemas
         - [x] Compound ID
-        - [ ] Cross field comparison
         - [x] Many-to-many relation
         - [x] Self relation
         - [ ] Empty AND/OR/NOT behavior
@@ -101,6 +100,7 @@
 - [x] Validation
 - [ ] Access Policy
     - [ ] Short-circuit pre-create check for scalar-field only policies
+    - [x] Field-level policies
     - [x] Inject "on conflict do update"
     - [x] `check` function
     - [ ] Custom functions

packages/language/src/utils.ts

@@ -149,6 +149,13 @@ export function isRelationshipField(field: DataField) {
     return isDataModel(field.type.reference?.ref);
 }
 
+/**
+ * Returns if the given field is a computed field.
+ */
+export function isComputedField(field: DataField) {
+    return hasAttribute(field, '@computed');
+}
+
 export function isDelegateModel(node: AstNode) {
     return isDataModel(node) && hasAttribute(node, '@@delegate');
 }

packages/language/src/validators/attribute-application-validator.ts

@@ -33,6 +33,7 @@ import {
     isAuthOrAuthMemberAccess,
     isBeforeInvocation,
     isCollectionPredicate,
+    isComputedField,
     isDataFieldReference,
     isDelegateModel,
     isRelationshipField,
@@ -261,23 +262,22 @@ export default class AttributeApplicationValidator implements AstValidator<Attri
             });
             return;
         }
-        const kindItems = this.validatePolicyKinds(kind, ['read', 'update', 'all'], attr, accept);
+        this.validatePolicyKinds(kind, ['read', 'update', 'all'], attr, accept);
 
         const expr = attr.args[1]?.value;
         if (expr && AstUtils.streamAst(expr).some((node) => isBeforeInvocation(node))) {
-            accept('error', `"before()" is not allowed in field-level policy rules`, { node: expr });
+            accept('error', `"before()" is not allowed in field-level policies`, { node: expr });
         }
 
-        // 'update' rules are not allowed for relation fields
-        if (kindItems.includes('update') || kindItems.includes('all')) {
-            const field = attr.$container as DataField;
-            if (isRelationshipField(field)) {
-                accept(
-                    'error',
-                    `Field-level policy rules with "update" or "all" kind are not allowed for relation fields. Put rules on foreign-key fields instead.`,
-                    { node: attr },
-                );
-            }
+        // relation fields are not allowed
+        const field = attr.$container as DataField;
+
+        if (isRelationshipField(field)) {
+            accept('error', `Field-level policies are not allowed for relation fields.`, { node: attr });
+        }
+
+        if (isComputedField(field)) {
+            accept('error', `Field-level policies are not allowed for computed fields.`, { node: attr });
         }
     }