ignore fields

README.md

@@ -148,6 +148,7 @@ const opts = {
   unauthenticatedErrorCode: 401,
   unauthorizedErrorCode: 403,
   castDiffToModelClass: true,
+  ignoreFields: [],
   casl: {
     useInputItemAsResourceForRelation: false
   }
@@ -190,6 +191,15 @@ If you want to disable it, just set `opts.castDiffToModelClass` to false and the
 
 </details>
 
+<details>
+<summary>ignoreFields</summary>
+
+When you automatically modify/include some fields (e.g. automatic timestamps) in your Objection models, as objection-authorize is typically the "last" hook to run before execution, the policies will check for those fields as well.
+
+These allow you to ignore those fields in authorization decisions. Note that you can specify the fields in dot notation as well (e.g. `timestamp.updatedAt`).
+
+</details>
+
 <details>
 <summary>casl.useInputItemAsResourceForRelation</summary>
 

src/adapters/base.js

@@ -1,6 +1,7 @@
 const httpError = require('http-errors')
 const objectDiff = require('../utils/object-diff')
 const merge = require('lodash/merge')
+const unset = require('lodash/unset')
 
 class ACLInterface {
   constructor(acl, args, defaultAction) {
@@ -67,6 +68,11 @@ class ACLInterface {
             })
         }
 
+        // Remove fields that we want to exclude - `delete` allows us to preserve the class information!
+        this.opts.ignoreFields.forEach(field => {
+          unset(inputItem, field)
+        })
+
         if (!this._checkIndividualAccess(item, inputItem))
           throw httpError(
             this.user.role === this.opts.defaultRole

src/index.js

@@ -25,7 +25,8 @@ module.exports = (acl, library = 'role-acl', opts) => {
     castDiffToModelClass: true,
     casl: {
       useInputItemAsResourceForRelation: false
-    }
+    },
+    ignoreFields: []
   }
   opts = merge({}, defaultOpts, opts)
 

tests/insert.test.js

@@ -5,7 +5,9 @@ const BaseUser = require('./models/user')
 const authorizePlugin = require('../src')
 
 describe.each(ACLs)('Insert queries (%s)', (library, acl) => {
-  class User extends authorizePlugin(acl, library)(BaseUser) {}
+  class User extends authorizePlugin(acl, library, {
+    ignoreFields: ['created_at', 'updated_at']
+  })(BaseUser) {}
 
   test('restrict insert query based on their create access', async () => {
     // create user while anonymous

tests/migrations/20200807001632_users.js

@@ -7,6 +7,8 @@ exports.up = function (knex) {
     table.text('password')
     table.text('role')
     table.jsonb('metadata')
+
+    table.timestamps()
   })
 }
 

tests/models/user.js

@@ -17,6 +17,14 @@ class User extends BaseModel {
       }
     }
   }
+
+  $beforeInsert() {
+    this.created_at = new Date().toISOString()
+  }
+
+  $beforeUpdate() {
+    this.updated_at = new Date().toISOString()
+  }
 }
 
 module.exports = User

tests/patch.test.js

@@ -5,7 +5,9 @@ const BaseUser = require('./models/user')
 const authorizePlugin = require('../src')
 
 describe.each(ACLs)('Patch queries (%s)', (library, acl) => {
-  class User extends authorizePlugin(acl, library)(BaseUser) {}
+  class User extends authorizePlugin(acl, library, {
+    ignoreFields: ['created_at', 'updated_at']
+  })(BaseUser) {}
 
   test('restrict access with automatically fetched context', async () => {
     // you shouldn't be able to delete a user as someone else...

tests/update.test.js

@@ -5,7 +5,9 @@ const BaseUser = require('./models/user')
 const authorizePlugin = require('../src')
 
 describe.each(ACLs)('Update queries (%s)', (library, acl) => {
-  class User extends authorizePlugin(acl, library)(BaseUser) {}
+  class User extends authorizePlugin(acl, library, {
+    ignoreFields: ['created_at', 'updated_at']
+  })(BaseUser) {}
 
   test('restrict access with automatically fetched context', async () => {
     // you shouldn't be able to change a user as someone else...