Merge pull request #92 from aspen-cloud/matlin/cyclical-permissions

Support cyclical permissions
aspen-cloud · Jan 3, 2025 · 60e3078 · 60e3078
1 parent a23fcc9
commit 60e3078
Show file tree

Hide file tree

Showing 5 changed files with 378 additions and 9 deletions.
diff --git a/packages/db/src/collection-query.ts b/packages/db/src/collection-query.ts
@@ -1286,7 +1286,7 @@ export async function loadSubquery(
   } as CollectionQuery<any, any>;
 
   fullSubquery = prepareQuery(fullSubquery, schema, options.session, {
-    skipRules: options.skipRules,
+    skipRules: true,
   });
 
   // Push entity onto context stack
@@ -1475,6 +1475,7 @@ export async function loadQuery<
     executionContext,
     options
   );
+
   const { order, limit, after } = queryWithInsertedVars;
 
   // Load possible entity ids from indexes
@@ -2405,7 +2406,6 @@ export async function replaceVariablesInQuery<Q extends CollectionQuery<any>>(
   options: FetchFromStorageOptions
 ): Promise<Q> {
   const clauses = (query.where ?? []).filter(isFilterStatement);
-
   for (const clause of clauses) {
     const val = clause[2];
     if (isValueReferentialVariable(val)) {
@@ -2420,7 +2420,6 @@ export async function replaceVariablesInQuery<Q extends CollectionQuery<any>>(
   }
 
   const vars = getQueryVariables(query, executionContext, options);
-
   const where = query.where
     ? replaceVariablesInFilterStatements(query.where, vars)
     : undefined;

diff --git a/packages/db/src/db-helpers.ts b/packages/db/src/db-helpers.ts
@@ -84,11 +84,12 @@ export function replaceVariablesInFilterStatements<
   variables: Record<string, any>
 ): QueryWhere<M, CN> {
   return statements.map((filter) => {
-    if (isFilterGroup(filter))
+    if (isFilterGroup(filter)) {
       return {
         ...filter,
         filters: replaceVariablesInFilterStatements(filter.filters, variables),
       };
+    }
     if (isFilterStatement(filter)) {
       const replacedValue = replaceVariable(filter[2], variables);
       return [filter[0], filter[1], replacedValue];

diff --git a/packages/db/src/query/prepare.ts b/packages/db/src/query/prepare.ts
@@ -64,7 +64,9 @@ export function prepareQuery<M extends Models, Q extends CollectionQuery<M>>(
   query: Q,
   schema: M | undefined,
   session: Session,
-  options: QueryPreparationOptions = {
+  options: QueryPreparationOptions & {
+    collectionsPermissionsChecked?: Set<string>;
+  } = {
     skipRules: false,
     bindSessionVariables: false,
   }
@@ -79,7 +81,13 @@ export function prepareQuery<M extends Models, Q extends CollectionQuery<M>>(
   const include = getQueryInclude(fetchQuery, schema, session, options);
 
   // Determine filters
-  const where = getQueryFilters(fetchQuery, schema, session, options);
+  const isPermissionAlreadyChecked = options.collectionsPermissionsChecked?.has(
+    fetchQuery.collectionName
+  );
+  const where = getQueryFilters(fetchQuery, schema, session, {
+    ...options,
+    skipRules: isPermissionAlreadyChecked || options.skipRules,
+  });
 
   // Determine order
   const order = getQueryOrder(fetchQuery, schema, options);
@@ -353,7 +361,14 @@ function getQueryFilters<M extends Models, Q extends CollectionQuery<M>>(
       ];
 
       return {
-        exists: prepareQuery(subquery, schema, session, options),
+        exists: prepareQuery(subquery, schema, session, {
+          ...options,
+          collectionsPermissionsChecked: new Set([
+            // @ts-expect-error
+            ...(options.collectionsPermissionsChecked ?? []),
+            query.collectionName,
+          ]),
+        }),
       };
     }
     if (!Array.isArray(statement)) return statement;
@@ -376,7 +391,14 @@ function getQueryFilters<M extends Models, Q extends CollectionQuery<M>>(
         }
         subquery.where = [...subquery.where, [path.join('.'), op, val]];
         return {
-          exists: prepareQuery(subquery, schema, session, options),
+          exists: prepareQuery(subquery, schema, session, {
+            ...options,
+            collectionsPermissionsChecked: new Set([
+              // @ts-expect-error
+              ...(options.collectionsPermissionsChecked ?? []),
+              query.collectionName,
+            ]),
+          }),
         };
       }
     }

diff --git a/packages/db/test/db.spec.ts b/packages/db/test/db.spec.ts
@@ -5892,3 +5892,130 @@ describe('variable conflicts', () => {
     });
   });
 });
+
+describe('cyclical permissions', () => {
+  const schema: Models = {
+    users: {
+      schema: S.Schema({
+        id: S.Id(),
+      }),
+    },
+    events: {
+      schema: S.Schema({
+        id: S.Id(),
+        attendees: S.RelationMany('eventAttendees', {
+          where: [['eventId', '=', '$id']],
+        }),
+      }),
+      permissions: {
+        user: {
+          read: {
+            // Can see events that they are attending
+            filter: [['attendees.userId', '=', '$role.user_id']],
+          },
+        },
+      },
+    },
+    eventAttendees: {
+      schema: S.Schema({
+        id: S.Id(),
+        eventId: S.String(),
+        event: S.RelationById('events', '$eventId'),
+        userId: S.String(),
+        user: S.RelationById('users', '$userId'),
+      }),
+      permissions: {
+        user: {
+          read: {
+            // Can see event attendees of events that they are attending
+            filter: [['event.attendees.userId', '=', '$role.user_id']],
+          },
+        },
+      },
+    },
+  };
+
+  const db = new DB({
+    schema: {
+      roles: {
+        user: {
+          match: {
+            role: 'user',
+            userId: '$user_id',
+          },
+        },
+      },
+      collections: schema,
+      version: 0,
+    },
+  });
+
+  beforeAll(async () => {
+    await db.insert('users', { id: '1' }, { skipRules: true });
+    await db.insert('users', { id: '2' }, { skipRules: true });
+    await db.insert('users', { id: '3' }, { skipRules: true });
+    await db.insert('users', { id: '4' }, { skipRules: true });
+    await db.insert('events', { id: '1' }, { skipRules: true });
+    await db.insert('events', { id: '2' }, { skipRules: true });
+    await db.insert(
+      'eventAttendees',
+      { id: '1', eventId: '1', userId: '1' },
+      { skipRules: true }
+    );
+    await db.insert(
+      'eventAttendees',
+      { id: '2', eventId: '1', userId: '2' },
+      { skipRules: true }
+    );
+    await db.insert(
+      'eventAttendees',
+      { id: '3', eventId: '2', userId: '1' },
+      { skipRules: true }
+    );
+    await db.insert(
+      'eventAttendees',
+      { id: '4', eventId: '2', userId: '3' },
+      { skipRules: true }
+    );
+    await db.insert(
+      'eventAttendees',
+      { id: '5', eventId: '2', userId: '4' },
+      { skipRules: true }
+    );
+  });
+  const user1Session = db.withSessionVars({
+    role: 'user',
+    userId: '1',
+  });
+  const user2Session = db.withSessionVars({
+    role: 'user',
+    userId: '2',
+  });
+
+  it('can query events that a user is attending', async () => {
+    {
+      const result = await user1Session.fetch(db.query('events').build());
+      expect(result.length).toBe(2);
+      expect(result).toEqual([{ id: '1' }, { id: '2' }]);
+    }
+    {
+      const result = await user2Session.fetch(db.query('events').build());
+      expect(result.length).toBe(1);
+      expect(result).toEqual([{ id: '1' }]);
+    }
+  });
+  it('can query mutual attendees', async () => {
+    {
+      const result = await user1Session.fetch(
+        db.query('eventAttendees').build()
+      );
+      expect(result.length).toBe(5);
+    }
+    {
+      const result = await user2Session.fetch(
+        db.query('eventAttendees').build()
+      );
+      expect(result.length).toBe(2);
+    }
+  });
+});