@zenstackhq/plugin-policy 3.0.0-beta.9 → 3.1.0

package/package.json

@@ -1,13 +1,14 @@
 {
   "name": "@zenstackhq/plugin-policy",
-  "version": "3.0.0-beta.9",
+  "version": "3.1.0",
   "description": "ZenStack Policy Plugin",
   "type": "module",
   "keywords": [],
   "author": "ZenStack Team",
   "license": "MIT",
   "files": [
-    "dist"
+    "dist",
+    "plugin.zmodel"
   ],
   "exports": {
     ".": {
@@ -20,6 +21,10 @@
         "default": "./dist/index.cjs"
       }
     },
+    "./plugin.zmodel": {
+      "import": "./plugin.zmodel",
+      "require": "./plugin.zmodel"
+    },
     "./package.json": {
       "import": "./package.json",
       "require": "./package.json"
@@ -27,19 +32,18 @@
   },
   "dependencies": {
     "ts-pattern": "^5.7.1",
-    "@zenstackhq/common-helpers": "3.0.0-beta.9",
-    "@zenstackhq/sdk": "3.0.0-beta.9",
-    "@zenstackhq/runtime": "3.0.0-beta.9"
+    "@zenstackhq/common-helpers": "3.1.0",
+    "@zenstackhq/orm": "3.1.0"
   },
   "peerDependencies": {
-    "kysely": "^0.27.6"
+    "kysely": "~0.28.8"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
     "@types/pg": "^8.0.0",
-    "@zenstackhq/typescript-config": "3.0.0-beta.9",
-    "@zenstackhq/eslint-config": "3.0.0-beta.9",
-    "@zenstackhq/vitest-config": "3.0.0-beta.9"
+    "@zenstackhq/eslint-config": "3.1.0",
+    "@zenstackhq/typescript-config": "3.1.0",
+    "@zenstackhq/vitest-config": "3.1.0"
   },
   "scripts": {
     "build": "tsc --noEmit && tsup-node",

package/plugin.zmodel

@@ -0,0 +1,72 @@
+/**
+ * Defines an access policy that allows a set of operations when the given condition is true.
+ *
+ * @param operation: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+ * @param condition: a boolean expression that controls if the operation should be allowed.
+ */
+attribute @@allow(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'post-update'","'delete'", "'all'"]), _ condition: Boolean)
+
+/**
+ * Defines an access policy that allows the annotated field to be read or updated.
+ * You can pass a third argument as `true` to make it override the model-level policies.
+ *
+ * @param operation: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+ * @param condition: a boolean expression that controls if the operation should be allowed.
+ * @param override: a boolean value that controls if the field-level policy should override the model-level policy.
+ */
+// attribute @allow(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'post-update'", "'delete'", "'all'"]), _ condition: Boolean, _ override: Boolean?)
+
+/**
+ * Defines an access policy that denies a set of operations when the given condition is true.
+ *
+ * @param operation: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+ * @param condition: a boolean expression that controls if the operation should be denied.
+ */
+attribute @@deny(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'post-update'","'delete'", "'all'"]), _ condition: Boolean)
+
+/**
+ * Defines an access policy that denies the annotated field to be read or updated.
+ *
+ * @param operation: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+ * @param condition: a boolean expression that controls if the operation should be denied.
+ */
+// attribute @deny(_ operation: String @@@completionHint(["'create'", "'read'", "'update'", "'delete'", "'all'"]), _ condition: Boolean)
+
+/**
+ * Delegates the access control decision to a relation. Only to-one relations are supported.
+ *
+ * @param field: The relation field to delegate to.
+ * @param operation: The operation to check access for. Can be "read", "create", "update", "post-update", or "delete". If the operation is not provided,
+ * it defaults the operation of the containing policy rule.
+ */
+function check(field: Any, operation: String?): Boolean {
+} @@@expressionContext([AccessPolicy])
+
+/**
+ * Gets entity's value before an update. Only valid when used in a "post-update" policy rule.
+ */
+function before(): Any {
+} @@@expressionContext([AccessPolicy])
+
+/**
+ * The name of the model for which the policy rule is defined. If the rule is
+ * inherited to a sub model, this function returns the name of the sub model.
+ *
+ * @param optional parameter to control the casing of the returned value. Valid
+ * values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults
+ * to "original".
+ */
+function currentModel(casing: String?): String {
+} @@@expressionContext([AccessPolicy])
+
+/**
+ * The operation for which the policy rule is defined for. Note that a rule with
+ * "all" operation is expanded to "create", "read", "update", and "delete" rules,
+ * and the function returns corresponding value for each expanded version.
+ *
+ * @param optional parameter to control the casing of the returned value. Valid
+ * values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults
+ * to "original".
+ */
+function currentOperation(casing: String?): String {
+} @@@expressionContext([AccessPolicy])