Field-Level Policies
Field-level policies allow you to define access control rules at the individual field level within a model. This provides fine-grained control over who can read or write specific fields in your data models. To define field-level policies, use the @allow and @deny attributes directly on model fields (note the single @).
model User {
id Int @id
// email can be updated only by the user themselves
email String @allow('update', auth() == this)
// name cannot be read by anonymous users
name String @deny('read', auth() == null)
}
Field-level policies are similar to model-level ones, with the following key restrictions:
- Only "read" and "update" operations are supported. You can use "all" to denote both.
- They cannot be defined on relation fields or computed fields.
Read Behavior
When reading a row, fields that violates "read" policies will be nullified in the result. Conceptually, the following form of SQL is generated to guard the fields:
SELECT
CASE WHEN <read_policy_for_field_1> THEN field_1 ELSE NULL END AS field_1,
...
FROM table
WHERE <model_level_policies> and <other_conditions>;
If read policies are defined on foreign key fields, they will also control the readability of the corresponding relations.
Setting unreadable fields null brings a caveat that you cannot tell whether a field is actually NULL in the database or just unreadable due to access control. So why don't we instead omit the fields from the result?
The concern is that a non-readable field should still have a valid SQL value, because it can be used to compute other data (computed columns, joins, etc.). With null values, the computation remain valid in SQL (e.g., NULL + 1 results in NULL), so the fields remain usable everywhere even though their actual values cannot be seen.
Update Behavior
When updating data, if an update involves setting fields that violate "update" policies, the entire update operation will be rejected with an ORMError with reason set to REJECTED_BY_POLICY.
Samples
datasource db {
provider = 'sqlite'
}
plugin policy {
provider = '@zenstackhq/plugin-policy'
}
model User {
id Int @id @default(autoincrement())
email String @unique
posts Post[]
@@allow('all', true)
}
model Post {
id Int @id @default(autoincrement())
title String @allow('read', published) @allow('update', auth() == author)
published Boolean @default(false)
author User? @relation(fields: [authorId], references: [id])
authorId Int?
@@allow('all', true)
}
import { PolicyPlugin } from '@zenstackhq/plugin-policy';
import { createClient } from '../db';
import { schema } from './zenstack/schema';
async function main() {
const db = await createClient(schema);
// create users and posts with raw client
const alice = await db.user.create({
data: {
email: 'alice@example.com',
posts: {
create: [
{ id: 1, title: 'Alice Published Post', published: true },
{ id: 2, title: 'Alice Draft Post', published: false }
]
}
}
});
const bob = await db.user.create({
data: {
email: 'bob@example.com'
}
});
// install policy plugin
const authDb = db.$use(new PolicyPlugin());
// create user-bound clients
const aliceDb = authDb.$setAuth(alice);
const bobDb = authDb.$setAuth(bob);
// query posts as Alice, only published posts' titles are visible
console.log('Alice sees posts:');
console.table(await aliceDb.post.findMany());
// updating title with Bob should fail
try {
await bobDb.post.update({
where: { id: 1 },
data: { title: 'Hacked Title' }
});
} catch (err) {
console.log(`Bob failed to update post title as expected, ${err}`);
}
// updating title with Alice should succeed
const updated = await aliceDb.post.update({
where: { id: 1 },
data: { title: 'Alice Updated Post' }
});
console.log('Alice successfully updated her post title.');
console.table(updated);
}
main();