fix(policy): currentModel and currentOperation inside of collection predicates (#2537)

Author: wolflu05

packages/plugins/policy/src/expression-evaluator.ts

@@ -1,4 +1,5 @@
 import { invariant } from '@zenstackhq/common-helpers';
+import type { CRUD_EXT } from '@zenstackhq/orm';
 import {
     ExpressionUtils,
     type ArrayExpression,
@@ -18,6 +19,8 @@ type ExpressionEvaluatorContext = {
     thisValue?: any;
     // scope for resolving references to collection predicate bindings
     bindingScope?: Record<string, any>;
+    operation: CRUD_EXT;
+    thisType: string;
 };
 
 /**
@@ -44,6 +47,10 @@ export class ExpressionEvaluator {
     private evaluateCall(expr: CallExpression, context: ExpressionEvaluatorContext): any {
         if (expr.function === 'auth') {
             return context.auth;
+        } else if (expr.function === 'currentModel') {
+            return context.thisType;
+        } else if (expr.function === 'currentOperation') {
+            return context.operation;
         } else {
             throw new Error(`Unsupported call expression function: ${expr.function}`);
         }

packages/plugins/policy/src/expression-transformer.ts

@@ -337,6 +337,8 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
                 thisValue: context.contextValue,
                 auth: this.auth,
                 bindingScope: this.getEvaluationBindingScope(context.bindingScope),
+                operation: context.operation,
+                thisType: context.thisType,
             });
 
             // get LHS's type
@@ -436,6 +438,8 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
                 auth: this.auth,
                 thisValue: context.contextValue,
                 bindingScope: this.getEvaluationBindingScope(context.bindingScope),
+                operation: context.operation,
+                thisType: context.thisType,
             });
             return this.transformValue(value, 'Boolean');
         } else {

tests/regression/test/issue-2536.test.ts

@@ -0,0 +1,50 @@
+import { createPolicyTestClient } from '@zenstackhq/testtools';
+import { describe, expect, it } from 'vitest';
+
+describe('Regression for issue #2536', () => {
+    it('supports currentModel and currentOperation in nested expressions', async () => {
+        const db = await createPolicyTestClient(
+            `
+            model User {
+                id String @id
+                groups Group[] @relation("UserGroups")
+            }
+
+            model Group {
+                id String @id
+                modelName String
+                modelOperation String
+                users User[] @relation("UserGroups")
+            }
+
+            // define a mixin to also check that currentModel correctly resolves to the model where the mixin is applied
+            type AuthPolicyMixin {
+                @@allow('all', auth().groups?[modelName == currentModel() && modelOperation == currentOperation()])
+            }
+
+            model Foo with AuthPolicyMixin {
+                id String @id @default(cuid())
+            }
+            `,
+        );
+
+        const readGroup = { modelName: 'Foo', modelOperation: 'read' };
+
+        await expect(db.$setAuth({ id: 'user1', groups: [readGroup] }).foo.create({ data: {} })).toBeRejectedByPolicy();
+        await expect(
+            db
+                .$setAuth({ id: 'user1', groups: [{ modelName: 'FooBar', modelOperation: 'create' }, readGroup] })
+                .foo.create({ data: {} }),
+        ).toBeRejectedByPolicy();
+        await expect(
+            db
+                .$setAuth({ id: 'user1', groups: [{ modelName: 'Foo', modelOperation: 'read' }, readGroup] })
+                .foo.create({ data: {} }),
+        ).toBeRejectedByPolicy();
+        await expect(
+            db
+                .$setAuth({ id: 'user1', groups: [{ modelName: 'Foo', modelOperation: 'create' }, readGroup] })
+                .foo.create({ data: {} }),
+        ).toResolveTruthy();
+    });
+});