forked from zenstackhq/sample-todo-nextjs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
schema.zmodel
183 lines (153 loc) · 5.08 KB
/
schema.zmodel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
/*
* Sample model for a collaborative Todo app
*/
datasource db {
provider = 'postgresql'
url = env("DATABASE_URL")
}
generator js {
provider = 'prisma-client-js'
}
plugin enhancer {
provider = '@core/enhancer'
generatePermissionChecker = true
}
plugin hooks {
provider = '@zenstackhq/swr'
output = 'lib/hooks'
}
/**
* Enum for user's role in a space
*/
enum SpaceUserRole {
USER
ADMIN
}
/**
* Model for a space in which users can collaborate on Lists and Todos
*/
model Space {
id String @id @default(uuid())
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
name String @length(4, 50)
slug String @unique @regex('^[0-9a-zA-Z]{4,16}$')
members SpaceUser[]
lists List[]
// require login
@@deny('all', auth() == null)
// everyone can create a space
@@allow('create', true)
// any user in the space can read the space
@@allow('read', members?[user == auth()])
// space admin can update and delete
@@allow('update,delete', members?[user == auth() && role == ADMIN])
}
/**
* Model representing membership of a user in a space
*/
model SpaceUser {
id String @id @default(uuid())
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
space Space @relation(fields: [spaceId], references: [id], onDelete: Cascade)
spaceId String
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
userId String
role SpaceUserRole
@@unique([userId, spaceId])
// require login
@@deny('all', auth() == null)
// space admin can create/update/delete
@@allow('create,update,delete', space.members?[user == auth() && role == ADMIN])
// user can read entries for spaces which he's a member of
@@allow('read', space.members?[user == auth()])
}
/**
* Model for a user
*/
model User {
id String @id @default(uuid())
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
email String @unique @email
emailVerified DateTime?
password String? @password @omit
name String?
spaces SpaceUser[]
image String? @url
lists List[]
todos Todo[]
// next-auth
accounts Account[]
// can be created by anyone, even not logged in
@@allow('create', true)
// can be read by users sharing any space
@@allow('read', spaces?[space.members?[user == auth()]])
// full access by oneself
@@allow('all', auth() == this)
}
abstract model BaseEntity {
id String @id @default(uuid())
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
space Space @relation(fields: [spaceId], references: [id], onDelete: Cascade)
spaceId String
owner User @relation(fields: [ownerId], references: [id], onDelete: Cascade)
ownerId String @default(auth().id)
// can be read by owner or space members
@@allow('read', owner == auth() || (space.members?[user == auth()]))
// when create, owner must be set to current user, and user must be in the space
@@allow('create', owner == auth() && space.members?[user == auth()])
// when create, owner must be set to current user, and user must be in the space
// update is not allowed to change owner
@@allow('update', owner == auth() && space.members?[user == auth()] && future().owner == owner)
// can be deleted by owner
@@allow('delete', owner == auth())
}
/**
* Model for a Todo list
*/
model List extends BaseEntity {
title String @length(1, 100)
private Boolean @default(false)
todos Todo[]
// can't be read by others if it's private
@@deny('read', private == true && owner != auth())
}
/**
* Model for a single Todo
*/
model Todo {
id String @id @default(uuid())
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
owner User @relation(fields: [ownerId], references: [id], onDelete: Cascade)
ownerId String @default(auth().id)
list List @relation(fields: [listId], references: [id], onDelete: Cascade)
listId String
title String @length(1, 100)
completedAt DateTime?
// full access if the parent list is readable
@@allow('all', check(list, 'read'))
}
/**
* Next-auth user account
*/
model Account {
id String @id @default(uuid())
userId String
type String
provider String
providerAccountId String
refresh_token String?
refresh_token_expires_in Int?
access_token String?
expires_at Int?
token_type String?
scope String?
id_token String?
session_state String?
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
@@unique([provider, providerAccountId])
}