feat: add list rule

genu · genu · commit 1eb735ced964 · 2025-01-01T21:17:25.000-05:00
diff --git a/packages/runtime/src/enhancements/node/policy/policy-utils.ts b/packages/runtime/src/enhancements/node/policy/policy-utils.ts
@@ -277,6 +277,7 @@ export class PolicyUtil extends QueryUtils {
             create: { guard: true, inputChecker: true },
             update: { guard: true },
             delete: { guard: true },
+            list: { guard: true },
             postUpdate: { guard: true },
         },
     };
diff --git a/packages/runtime/src/enhancements/node/types.ts b/packages/runtime/src/enhancements/node/types.ts
@@ -140,6 +140,7 @@ export type ModelCrudDef = {
     create: ModelCreateDef;
     update: ModelUpdateDef;
     delete: ModelDeleteDef;
+    list: ModelListDef;
     postUpdate: ModelPostUpdateDef;
 };
 
@@ -207,6 +208,11 @@ type ModelUpdateDef = ModelCrudCommon;
  */
 type ModelDeleteDef = ModelCrudCommon;
 
+/**
+ * Policy definition for listing a model
+ */
+type ModelListDef = ModelCrudCommon;
+
 /**
  * Policy definition for post-update checking a model
  */
diff --git a/packages/runtime/src/types.ts b/packages/runtime/src/types.ts
@@ -36,7 +36,7 @@ export interface DbOperations {
  */
 export type PolicyKind = 'allow' | 'deny';
 
-export type PolicyCrudKind = 'read' | 'create' | 'update' | 'delete';
+export type PolicyCrudKind = 'read' | 'create' | 'update' | 'delete' | 'list';
 
 /**
  * Kinds of operations controlled by access policies
diff --git a/packages/schema/src/res/stdlib.zmodel b/packages/schema/src/res/stdlib.zmodel
@@ -527,7 +527,7 @@ attribute @@schema(_ name: String) @@@prisma
  * @param operation: comma-separated list of "create", "read", "update", "delete". Use "all" to denote all operations.
  * @param condition: a boolean expression that controls if the operation should be allowed.
  */
-attribute @@allow(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'delete'", "'all'"]), _ condition: Boolean)
+attribute @@allow(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'delete'", "'list'", "'all'"]), _ condition: Boolean)
 
 /**
  * Defines an access policy that allows the annotated field to be read or updated.
@@ -545,7 +545,7 @@ attribute @allow(_ operation: String @@@completionHint(["'create'", "'read'", "'
  * @param operation: comma-separated list of "create", "read", "update", "delete". Use "all" to denote all operations.
  * @param condition: a boolean expression that controls if the operation should be denied.
  */
-attribute @@deny(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'delete'", "'all'"]), _ condition: Boolean)
+attribute @@deny(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'delete'", "'list'", "'all'"]), _ condition: Boolean)
 
 /**
  * Defines an access policy that denies the annotated field to be read or updated.
diff --git a/packages/sdk/src/policy.ts b/packages/sdk/src/policy.ts
@@ -12,6 +12,7 @@ export function analyzePolicies(dataModel: DataModel) {
     const read = toStaticPolicy('read', allows, denies);
     const update = toStaticPolicy('update', allows, denies);
     const del = toStaticPolicy('delete', allows, denies);
+    const list = toStaticPolicy('list', allows, denies);
     const hasFieldValidation = hasValidationAttributes(dataModel);
 
     return {
@@ -21,6 +22,7 @@ export function analyzePolicies(dataModel: DataModel) {
         read,
         update,
         delete: del,
+        list,
         allowAll: create === true && read === true && update === true && del === true,
         denyAll: create === false && read === false && update === false && del === false,
         hasFieldValidation,
