yahoo · justin-tay · Jun 16, 2023 · Aug 26, 2023
diff --git a/elide-core/src/main/java/com/yahoo/elide/core/RequestScope.java b/elide-core/src/main/java/com/yahoo/elide/core/RequestScope.java
@@ -83,6 +83,11 @@ public class RequestScope implements com.yahoo.elide.core.security.RequestScope
     /* Used to filter across heterogeneous types during the first load */
     private FilterExpression globalFilterExpression;
 
+    /**
+     * Used to defer inline checks for the {@link PermissionExecutor}.
+     */
+    @Getter @Setter private boolean deferInlineChecks;
+
     /**
      * Create a new RequestScope with specified update status code.
      *

diff --git a/...-core/src/main/java/com/yahoo/elide/core/security/executors/ActivePermissionExecutor.java b/...-core/src/main/java/com/yahoo/elide/core/security/executors/ActivePermissionExecutor.java
@@ -103,7 +103,7 @@ public <A extends Annotation> ExpressionResult checkPermission(
 
         Function<Expression, ExpressionResult> expressionExecutor = (expression) -> {
             // for newly created object in PatchRequest limit to User checks
-            if (resource.isNewlyCreated()) {
+            if (resource.isNewlyCreated() || requestScope.isDeferInlineChecks()) {
                 return executeUserChecksDeferInline(annotationClass, expression);
             }
             return executeExpressions(expression, annotationClass, Expression.EvaluationMode.INLINE_CHECKS_ONLY);
@@ -189,7 +189,7 @@ public <A extends Annotation> ExpressionResult checkSpecificFieldPermissionsDefe
                         changeSpec);
 
         Function<Expression, ExpressionResult> expressionExecutor = (expression) -> {
-            if (requestScope.getNewPersistentResources().contains(resource)) {
+            if (requestScope.getNewPersistentResources().contains(resource) || requestScope.isDeferInlineChecks()) {
                 return executeUserChecksDeferInline(expressionAnnotation, expression);
             }
             return executeExpressions(expression, expressionAnnotation, Expression.EvaluationMode.INLINE_CHECKS_ONLY);

diff --git a/elide-core/src/main/java/com/yahoo/elide/jsonapi/extensions/JsonApiAtomicOperations.java b/elide-core/src/main/java/com/yahoo/elide/jsonapi/extensions/JsonApiAtomicOperations.java
@@ -456,6 +456,7 @@ private Supplier<Pair<Integer, JsonApiDocument>> handleRemoveOp(String path,
      * @param requestScope request scope
      */
     private void postProcessRelationships(JsonApiAtomicOperationsRequestScope requestScope) {
+        requestScope.setDeferInlineChecks(true);
         actions.forEach(action -> action.postProcess(requestScope));
     }
 

diff --git a/elide-core/src/main/java/com/yahoo/elide/jsonapi/extensions/JsonApiJsonPatch.java b/elide-core/src/main/java/com/yahoo/elide/jsonapi/extensions/JsonApiJsonPatch.java
@@ -307,6 +307,7 @@ private Supplier<Pair<Integer, JsonApiDocument>> handleRemoveOp(String path,
      * @param requestScope request scope
      */
     private void postProcessRelationships(JsonApiJsonPatchRequestScope requestScope) {
+        requestScope.setDeferInlineChecks(true);
         actions.forEach(action -> action.postProcess(requestScope));
     }
 

diff --git a/...-spring-boot-autoconfigure/src/test/java/example/checks/AuthorHasUserAccessibleBooks.java b/...-spring-boot-autoconfigure/src/test/java/example/checks/AuthorHasUserAccessibleBooks.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2023, the original author or authors.
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file in project root for terms.
+ */
+package example.checks;
+
+import com.yahoo.elide.annotation.SecurityCheck;
+import com.yahoo.elide.core.Path;
+import com.yahoo.elide.core.filter.Operator;
+import com.yahoo.elide.core.filter.expression.FilterExpression;
+import com.yahoo.elide.core.filter.predicates.FilterPredicate;
+import com.yahoo.elide.core.security.RequestScope;
+import com.yahoo.elide.core.security.checks.FilterExpressionCheck;
+import com.yahoo.elide.core.type.Type;
+
+import example.models.jpa.PermissionAuthor;
+import example.models.jpa.PermissionAuthorBook;
+import example.models.jpa.PermissionBook;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Check to test that relationship updates have inline checks deferred.
+ */
+@SecurityCheck("author has user accessible books")
+public class AuthorHasUserAccessibleBooks extends FilterExpressionCheck<PermissionAuthor> {
+
+    @Override
+    public FilterExpression getFilterExpression(Type<?> entityClass, RequestScope requestScope) {
+        Path.PathElement author = new Path.PathElement(PermissionAuthor.class, PermissionAuthorBook.class, "authorBooks");
+        Path.PathElement book = new Path.PathElement(PermissionAuthorBook.class, PermissionBook.class, "book");
+        Path.PathElement id = new Path.PathElement(PermissionBook.class, Long.class, "id");
+
+        List<Path.PathElement> pathList = new ArrayList<>();
+        pathList.add(author);
+        pathList.add(book);
+        pathList.add(id);
+        Path paths = new Path(pathList);
+
+        // For simplicity this hard codes the book id to 1 and 2 instead of retrieving from the principal
+        return new FilterPredicate(paths, Operator.IN, Arrays.asList(1, 2));
+    }
+}
diff --git a/...ng/elide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionAuthor.java b/...ng/elide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionAuthor.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021, Yahoo Inc.
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file in project root for terms.
+ */
+package example.models.jpa;
+
+
+import com.yahoo.elide.annotation.Include;
+import com.yahoo.elide.annotation.ReadPermission;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Table;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.List;
+
+/**
+ * Model for author.
+ * <p>
+ * Used for testing deferred inline checks for
+ * {@link example.checks.AuthorHasUserAccessibleBooks}.
+ */
+@Entity
+@Table(name = "permissionauthor")
+@Include(name = "permissionauthor", description = "Author")
+@Getter
+@Setter
+@ReadPermission(expression = "author has user accessible books")
+public class PermissionAuthor {
+    @Id
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private long id;
+    private String name;
+
+    @OneToMany(mappedBy = "author")
+    private List<PermissionAuthorBook> authorBooks;
+}
diff --git a/...lide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionAuthorBook.java b/...lide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionAuthorBook.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2021, Yahoo Inc.
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file in project root for terms.
+ */
+package example.models.jpa;
+
+import com.yahoo.elide.annotation.Include;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+
+import lombok.Getter;
+import lombok.Setter;
+
+/**
+ * Model for author book.
+ */
+@Entity
+@Table(name = "permissionauthorbook")
+@Include(name = "permissionauthorBook", description = "Author Book")
+@Getter
+@Setter
+public class PermissionAuthorBook {
+    @Id
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private long id;
+
+    @ManyToOne
+    @JoinColumn(name = "AUTHOR_ID")
+    private PermissionAuthor author;
+
+    @ManyToOne
+    @JoinColumn(name = "BOOK_ID")
+    private PermissionBook book;
+}
diff --git a/...ring/elide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionBook.java b/...ring/elide-spring-boot-autoconfigure/src/test/java/example/models/jpa/PermissionBook.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2021, Yahoo Inc.
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file in project root for terms.
+ */
+package example.models.jpa;
+
+import com.yahoo.elide.annotation.Include;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Table;
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.List;
+
+/**
+ * Model for books.
+ */
+@Entity
+@Table(name = "permissionbook")
+@Include(name = "permissionbook", description = "A Book")
+@Getter
+@Setter
+public class PermissionBook {
+    @Id
+    private long id;
+    private String title;
+
+    @OneToMany(mappedBy = "book")
+    private List<PermissionAuthorBook> authorBooks;
+}
diff --git a/elide-spring/elide-spring-boot-autoconfigure/src/test/java/example/tests/AsyncTest.java b/elide-spring/elide-spring-boot-autoconfigure/src/test/java/example/tests/AsyncTest.java
@@ -289,6 +289,7 @@ public void apiDocsDocumentTest() {
                 .body("tags.name", containsInAnyOrder("group", "argument", "metric",
                         "dimension", "column", "table", "asyncQuery",
                         "timeDimensionGrain", "timeDimension", "product", "playerCountry", "version", "playerStats",
-                        "stats", "tableExport", "namespace", "tableSource", "maintainer", "book", "publisher", "person"));
+                        "stats", "tableExport", "namespace", "tableSource", "maintainer", "book", "publisher", "person",
+                        "permissionauthor", "permissionbook", "permissionauthorBook"));
     }
 }