Access policies are ineffective for modifying abstract types, leading to the ability to directly modify entity types by altering abstract types.

[sdghf]

• EdgeDB Version:3.3+d5734dd
• EdgeDB CLI Version:EdgeDB CLI 3.5.0+e1ad387
• OS Version: macos 13.4.1

Steps to Reproduce:

module default {
    global current_user_id: uuid;

    global current_user := (
        select User filter .id = global current_user_id
    );
   abstract type User{
        required role: str

        access policy allow_all
            allow all
            using (global current_user.role ?= 'admin'){
              errmessage := 'forbid'
            };

        access policy only_read
            allow select
            using (global current_user.role ?= 'readonly'){
              errmessage := 'forbid'
            };
    }

     type Customer extending User{
       required mobile: str
    }

}

1. Set the current user's role to 'readonly'.

I was surprised that I could successfully modify the abstract type 'User' directly, which resulted in unintentional changes to 'Customer.' However, attempting to directly modify the 'Customer' entity type was unsuccessful. This has left me puzzled.

[msullivan]

I have no idea how I accidentally assigned Dave and Dijana to this issue; this one goes to me :(

[msullivan]

The bug is that parent access policies for updates and deletes are not properly applied to children if the children do not have any access policies of their own.
As a temporary workaround, you can add dummy access policies to the children type, like

access policy dummy allow select using (false)

And I'm working on a fix right now, and it'll be out in 3.4