Trigger causes misapplication of access policies

[tomnz]

Overview

After adding triggers to a couple of types, we started observing errors relating to access policies, with entities being hidden that should not be. Removing the trigger causes the issue to resolve. This is not ideal, as we have started needing to re-implement trigger behavior in business logic instead.

Example

Schema looks something like:

# In a non-default module
  type ResourceIdentifier extending default::Owned {
    required resourceId: uuid {
      default := uuid_generate_v4();
    }

    required resourceType: ResourceType;
    required hash: str;
    required hashVersion: int32;

    # We allow multiple hashes to be associated with the same resourceId, in
    # order to handle merges of duplicate resources.
    trigger validate_resource_identifier after insert, update for each do (
      assert(
        not exists (
          select ResourceIdentifier
          filter
            .owner = __new__.owner
            and .resourceType = __new__.resourceType
            and .hashVersion = __new__.hashVersion
            and .hash = __new__.hash
            and .id != __new__.id
        ),
        message := 'ResourceIdentifier with the same key already exists'
      )
    );
  }

# In the default module
  abstract type Owned {
    # This is the field being set
    required single link owner: default::User {
      on target delete delete source;
    }

    access policy ownerHasFullAccess
      allow all
      using (global default::currentUserId ?= .owner.id);
  }

  type User {
    # ... other fields

    access policy ownerHasFullAccess
      allow all
      using (global currentUserId ?= .id);
    # ... Other access policies
  }

We do an insert using the TS query builder:

const result = await e.select(
  e.insert(e.fhirext.ResourceIdentifier, {
    resourceType,
    hash,
    hashInput,
    hashVersion,
    owner: e.cast(e.User, e.cast(e.uuid, userId)),
  }),
  () => ({ resourceId: true }),
).run(client.withGlobals({ currentUserId: userId }));

userId is given for a User that exists, and the currentUserId global is set to the same value. We observe an error: required link 'owner' of object type 'fhirext::ResourceIdentifier' is hidden by access policy

This is just one concrete example, but it has occurred for other types too. It's unclear whether the access policy is being mis-evaluated in the trigger evaluation or the insert evaluation.

Version

• EdgeDB Version: 5.6
• EdgeDB CLI Version: 7.1
• OS Version: Debian Bullseye

Note that we are planning to upgrade to v6 within the next month, but are still pinned to an older version for now. So it's unclear whether this is still a problem or not.

[scotttrinh]

I wonder if this has a similar cause as #8522

[tomnz]

Possibly? If triggers are using the assert_exists but not applying the same access policies / globals perhaps? This is out of my depth, though.

[msullivan]

This isn't enough information to reproduce the error, unfortunately, since the schema doesn't compile.

Could you share a standalone reduced schema that reproduces the issue or else your full schema? (You can email it to me at [email protected] if you wish.)