fix: validate partial bodies at definition time#3115
Draft
ivanauth wants to merge 3 commits into
Draft
Conversation
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
d3a795c to
792c896
Compare
Errors in a partial body (e.g. an allowedDirectRelation pointing at an undefined object type or caveat) used to surface only when the partial was inlined into a real definition. That deferred and misattributed the problem: an LSP user editing the partial's file would see no error, and once a consumer was added the diagnostic would appear in the consumer rather than in the partial. A pre-pass in pkg/development now walks each partial's relations and validates the lookups it can resolve in isolation. To attribute errors correctly across `...other_partial` splat composition, the compiler records each *core.Relation's origin partial in a new PartialRelationOrigins map on CompiledSchema; the validator iterates relations by origin so each is checked exactly once against the partial that actually declared it. Relations already inlined into an object definition are skipped, so consumed partials don't double-report. Partials are not runtime types, so a partial name (including the partial's own name) is rejected as the subject type of an allowedDirectRelation. Computed-userset / TTU checks that depend on consumer-supplied relations remain deferred to consumer validation. Closes authzed#2982.
- Assert Path, Line, and Column on the developer error so a regression to "error emitted but attributed to the wrong file" would fail loudly. - Document the intentional scope of validateCompiledPartials by pinning that computed-userset and arrow references in partial permission bodies are not flagged at definition time (they depend on consumer-supplied relations and are caught at inlining).
afb74b3 to
7146e28
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #2982.