Permission checks on 1:1 relations in prisma plugin

[m1212e]

Hi, I'm using CASL for my authorization rules and pothos for my queries. When I define a many relation like the one below I can easily inject the CASL rules into the query:

builder.prismaObject('Committee', {
	fields: (t) =>
		nations: t.relation('nations', {
			query: (_args, ctx) => ({
				where: ctx.permissions.allowDatabaseAccessTo('list').Nation // <-- This evaluates to a prisma WHERE condition object
			})
		})
	})
});

Now I would like to check if the user can read the conference:

builder.prismaObject('Committee', {
	fields: (t) =>
		conference: t.relation('conference'),
	})
});

I think I cannot inject a WHERE into the query, but I didn't manage to get anything working beyond this simple call. Can I somehow at least run some logic before including? Like just a true/false evaluation? What are good approaches to handle this?
Thanks!

[hayes]

I'm not sure I understand the question. What's preventing you from adding a query the same way as you did for the nations field?

[m1212e]

Ah sorry for my unprecise question, too much in the tunnel :D

I'll give some more info surrounding the whole thing. This is my object definition:

builder.prismaObject('Committee', {
	fields: (t) => ({
		id: t.field(CommitteeIdFieldObject),
		name: t.field(CommitteeNameFieldObject),
		abbreviation: t.field(CommitteeAbbreviationFieldObject),
		numOfSeatsPerDelegation: t.field(CommitteeNumOfSeatsPerDelegationFieldObject),
		conference: t.relation('conference', {
			query: (_args, ctx) => ({
				where: ctx.permissions.allowDatabaseAccessTo('list').Conference
			})
		}),
		nations: t.relation('nations', {
			query: (_args, ctx) => ({
				where: ctx.permissions.allowDatabaseAccessTo('list').Nation
			})
		})
	})
});

which results in this error with the conference query:

Type '(_args: any, ctx: any) => { where: any; }' is not assignable to type 'undefined'.ts(2322)

thats the model schema:

model Committee {
  id                      String @id @default(nanoid())
  name                    String
  abbreviation            String
  numOfSeatsPerDelegation Int    @default(1)

  conference   Conference @relation(fields: [conferenceId], references: [id], onDelete: Cascade)
  conferenceId String
  nations      Nation[]
}

the ctx.permissions.allowDatabaseAccessTo('list').Conference call resolves to a prisma where condition. Would be interchangeable with e.g. { id: "myId" } or similar query where restrictions.

When querying the committee the conference has a 1:n relation while a committee is always assigned to exactly one conference. So the vanilla prisma query would not even allow to specify a where condition in the query:

db.committee.findFirst({
	include: {
		conference: {
			include: ...,
			select: ...,
                       // no where available here
		}
	}
})

Nonetheless it may happen that a user is not allowed to see the conference details. I'd like to run some kind of permission check before blindly fetching that relation. What would be the correct way to do this?

[hayes]

I see. Unfortunately if it's not supported in Prisma there isn't anything we can do in Pothos in t.relation.

The queries are computed before data is resolved/queried from the db.

There are 2 options here, each with their own drawbacks:

You can use the auth plugin and add an auth check to the field. This would be enforced before the resolver runs, but the data will already be fetched from the db. It prevents it from being returned in the query, but not from being queried from the db

The other option is to replace t.relation with t.prismaField and load the conference with a prisma.conference.findUniqie call, and add your where clause there.

[m1212e]

Thanks a lot, I'll give that a shot!