Skip to main content
Version: 2.x

Expressions and Functions

In the previous chapters, we've informally introduced how policy expressions are written. This chapter will list all expression types supported and functions that help you construct complex rules.

Expressions

Literal Expression

  • String: both single or double quoted, "foo", 'bar'.
  • Number: 123, 3.14.
  • Boolean: true, false.
  • Null: null.

Array Expression

Array of expressions. E.g, [1, 2, 3], ['foo', 'bar'], [ADMIN, MEMBER].

Reference Expression

Used to reference a model field or an enum field.

model Post {
    ...
    published Boolean
    @@allow('read', published) // `published` is a Reference Expression
}

This Expression

Represented by this keyword. Used to address the value of the containing model.

model User {
    id Int @id
    @@allow('all', auth() == this) // `this` is a This Expression
}

Member Access Expression

Used to access a field from an expression.

model Post {
    id Int @id
    published Boolean
    @@allow('read', auth().role == 'READ') // `auth().role` is a Member Access Expression
}

Invocation Expression

Used to invoke a function. E.g, auth() is an Invocation Expression.

Unary Expression

  • ! Logical NOT, operand must be boolean

Binary Expression

  • == Equality, translated to id comparison when model types are compared
  • != Inequality, translated to id comparison when model types are compared
  • > Greater than, both operands must be number
  • >= Greater than or equal to, both operands must be number
  • < Less than, both operands must be number
  • <= Less than or equal to, both operands must be number
  • && Logical AND, both operands must be boolean
  • || Logical OR, both operands must be boolean
  • in Membership, with the left operand being an array and the right operand being a literal or a reference to an enum field

Functions

You can find the detailed signature of each function in the Predefined attribute functions document.

auth()

Returns the current user. The function call has the type of the auth model.

now()

Returns the current timestamp. The function call is typed DateTime.

@@allow('read', future().updatedAt < now())

future()

Represents the post-update model value. You'll learn more about it in the next chapter.

contains()

Returns if a string field contains a value.

model Post {
    id Int @id
    title String
    @@allow('read', contains(title, 'zenstack'))
}

The comparison is case-sensitive by default. You can also pass a third argument to make the comparison case insensitive:

@@allow('read', contains(title, 'zenstack', true))

Returns if a string field matches the search condition with full-text-search. Need to enable Prisma's "fullTextSearch" preview feature to use.

@@allow('read', contains(title, 'zenstack is awesome'))

startsWith()

Returns if a string field starts with a value.

@@allow('read', startsWith(title, 'zenstack'))

endsWith()

Returns if a string field ends with a value.

@@allow('read', endsWith(title, 'zenstack'))

has()

Returns if an array field contains a value.

model Post {
    id Int @id
    tags String[]
    @@allow('read', has(tags, 'zenstack'))
}

hasEvery()

Returns if an array field contains every value in the provided array.

model Post {
    id Int @id
    tags String[]
    @@allow('read', has(tags, ['zenstack', 'prisma']))
}

hasSome()

Returns if an array field contains some value in the provided array.

model Post {
    id Int @id
    tags String[]
    @@allow('read', hasSome(tags, ['zenstack', 'prisma']))
}

isEmpty()

Returns if an array field is empty.

model Post {
    id Int @id
    tags String[]
    @@allow('read', isEmpty(tags))
}
Comments
Feel free to ask questions, give feedback, or report issues.

Don't Spam

You can edit/delete your comments by going directly to the discussion, clicking on the 'comments' link below