[Bug] Access Policy: check() function is being ignored if future() is being used

[baenio]

Description and expected behavior
After trying to implement the new check() function in the access control, I found out that when adding the future() function in another policy, it will kinda overwrite the delegated policies. After removing @@allow('update', future().title == 'hello') everything seems to be working normally.

Example

// delegating all operations
model Post {
    id Int @id
    title String
    description String
    author User @relation(fields: [authorId], references: [id])
    authorId Int

    // delegate all access policies to the author:
    @@allow('all', check(author))

    @@allow('update', future().title == 'hello')
}

// imagine I have update permission in the author relation of a post.
// the following db query will fail
const updatedPost = db.post.update({
  where: {id: 'some_id'},
  data: {description: 'new_description'},
});

Environment (please complete the following information):

• ZenStack version: v2.4.1
• Prisma version: v5.17.0
• Database type: Postgresql

[ymc9]

Many thanks for reporting this @baenio ! It's a tricky one. ZenStack internally has a "post-update" policy kind for rules involving future(). If there's no future() call, "post-update" check always passes.

The check(author) call delegates all policy checks (including "post-update" to author), and since User doesn't have any future() rule, "post-update" always passes.

I agree this is very unintuitive. I'm making a fix to stop delegating "post-update" through check() calls.

[ymc9]

Fixed in 2.5.0