fix(core): allow the RLAC condition invoke the hidden columns

[goldmedal]

Description

isHidden is used to avoid a column from being used by SQL directly. However, the column should be available to used by internal usage (e.g. expression, rlac, clac, ...). This PR fixed the issue about rlac using a hidden column.

Summary by CodeRabbit

• New Features
  • More consistent column visibility: queries and generated schemas respect hidden columns, and SELECT * only returns visible fields.
• Bug Fixes
  • Prevented accidental exposure of hidden columns in row-level access control scenarios.
  • Improved error feedback when querying hidden fields, clearly indicating they’re unavailable.
  • Stabilized field/primary key resolution to use only visible columns where appropriate.
  • Access control validation now gracefully handles empty required properties.
• Tests
  • Added tests ensuring hidden columns remain concealed and RLAC behaves correctly.

[coderabbitai]

Walkthrough

Adds visibility-aware APIs for column access. Model::get_physical_columns now takes a show_visible_only flag. New Model::get_visible_column is introduced; get_column now returns from all columns. Dataset::to_qualified_schema now accepts a visibility flag. Call sites updated across analysis, planning, and utils. New RLAC test validates hidden column behavior.

Changes

Cohort / File(s)	Summary
Model column visibility API wren-core-base/src/mdl/manifest.rs	Parameterizes get_physical_columns(show_visible_only). Adds get_visible_column; redefines get_column to search all columns.
Access control logic updates wren-core/core/src/logical_plan/analyze/access_control.rs	build_filter_expression uses to_qualified_schema(false). validate_rule short-circuits on empty required_properties. CLAC validation uses get_visible_column.
Planner call-site adjustments wren-core/core/src/logical_plan/analyze/plan.rs	Replaces get_physical_columns() with get_physical_columns(false). Primary key lookups use get_visible_column.
Context datasource setup wren-core/core/src/mdl/context.rs	WrenDataSource::new now uses model.get_physical_columns(true).
Dataset schema API wren-core/core/src/mdl/dataset.rs	Changes to_qualified_schema(show_visible_only: bool); internally calls get_physical_columns(show_visible_only). Remote schema path uses get_physical_columns(true).
Utils schema lookups wren-core/core/src/mdl/utils.rs	Updates calls to to_qualified_schema(true) in expression builders.
Tests wren-core/core/src/mdl/mod.rs	Adds test_ralc_condition_contain_hidden to assert hidden columns excluded from SELECT * and not directly selectable under RLAC.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Q as Query
  participant A as Analyzer
  participant DS as Dataset::Model
  participant M as Model

  Q->>A: Analyze SQL
  A->>DS: to_qualified_schema(show_visible_only=true)
  DS->>M: get_physical_columns(true)
  M-->>DS: Visible non-relationship columns
  DS-->>A: DFSchema (visible only)
  A-->>Q: Planned query (hidden cols excluded)

Loading

sequenceDiagram
  autonumber
  participant A as Analyzer
  participant AC as AccessControl
  participant DS as Dataset::Model
  participant M as Model

  A->>AC: build_filter_expression
  AC->>DS: to_qualified_schema(false)
  DS->>M: get_physical_columns(false)
  M-->>DS: All non-relationship columns
  DS-->>AC: DFSchema (includes hidden)
  AC-->>A: RLAC filter expression
  note over A: Final projection still uses visible columns

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(core): ensure that the RLAC can be applied when the relationship access #1190 — Refactors plan construction for RLAC on relationships; overlaps with planner and RLAC behavior touched here.
• feat(core): enhance the error message for CLAC failure #1250 — Adjusts column visibility and CLAC validation; aligns with get_visible_column and validation changes.
• fix(core): fix access controls case-insensitive issue and disable fallback for the query with access control #1295 — Modifies access control handling in analyze/access_control.rs; intersects with RLAC/CLAC logic updated here.

Suggested labels

core, rust

Suggested reviewers

• douenergy
• wwwy3y3

Poem

A whisk of ears, I tweak the scheme,
Hidey-holes for columns gleam.
Filters sniff the burrow’s deep,
Yet only sunny fields we keep.
Hop, compile, and tests all pass—
Carrots mapped, with perfect class. 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title accurately summarizes the primary change in the PR—enabling RLAC conditions to access hidden columns—and aligns with the PR objectives and code modifications that adjust column visibility handling; it is concise and focused despite a minor grammatical issue.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

wren-core/core/src/logical_plan/analyze/access_control.rs (1)

344-351: Don’t block calculated-field validation on column visibility.

Using get_visible_column will fail when a calculated field depends on a hidden column (which is a supported pattern elsewhere), causing false “Column not found” errors. Use get_column instead to validate CLAC recursively regardless of visibility.

-                let Some(ref_column) = ref_model.get_visible_column(field.name()) else {
+                let Some(ref_column) = ref_model.get_column(field.name()) else {
                     return plan_err!(
                         "Column {}.{} not found",
                         model_name.table(),
                         field.name()
                     );
                 };

🧹 Nitpick comments (3)

wren-core/core/src/mdl/mod.rs (1)

2647-2694: Fix test name typo and normalize SQL casing.

• Rename ralc → rlac in the test name for consistency.
• Prefer consistent "FROM" casing in SQL literals.

Apply this diff:

-    async fn test_ralc_condition_contain_hidden() -> Result<()> {
+    async fn test_rlac_condition_contains_hidden() -> Result<()> {
@@
-        let sql = "SELECT c_name FROm customer";
+        let sql = "SELECT c_name FROM customer";

wren-core/core/src/mdl/dataset.rs (1)

31-44: API change looks good; consider clarifying param intent.

Signature change and usage are correct. Consider renaming show_visible_only to visible_only and adding a brief rustdoc to avoid ambiguity.

wren-core/core/src/logical_plan/analyze/access_control.rs (1)

201-206: Typo in comment.

Fix “shcmea” → “schema”.

-    // The condition could contains the hidden columns, so we need to build the shcmea with hidden columns
+    // The condition may contain hidden columns, so we need to build the schema with hidden columns

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d38820 and 2a68f2d.

📒 Files selected for processing (7)

• wren-core-base/src/mdl/manifest.rs (2 hunks)
• wren-core/core/src/logical_plan/analyze/access_control.rs (3 hunks)
• wren-core/core/src/logical_plan/analyze/plan.rs (5 hunks)
• wren-core/core/src/mdl/context.rs (1 hunks)
• wren-core/core/src/mdl/dataset.rs (2 hunks)
• wren-core/core/src/mdl/mod.rs (1 hunks)
• wren-core/core/src/mdl/utils.rs (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (4)

wren-core/core/src/mdl/dataset.rs (2)

wren-core/core/src/mdl/context.rs (1)

• model (342-363)

wren-core-base/manifest-macro/src/lib.rs (1)

• model (119-154)

wren-core/core/src/logical_plan/analyze/plan.rs (3)

wren-core/core/src/mdl/context.rs (1)

• model (342-363)

wren-core/core/src/mdl/dataset.rs (2)

• model (34-38)
• model (62-67)

wren-core/core/src/mdl/mod.rs (1)

• model (201-219)

wren-core/core/src/logical_plan/analyze/access_control.rs (3)

wren-core/core/src/mdl/context.rs (1)

• model (342-363)

wren-core/core/src/mdl/dataset.rs (2)

• model (34-38)
• model (62-67)

wren-core/core/src/mdl/mod.rs (1)

• model (201-219)

wren-core/core/src/mdl/mod.rs (2)

wren-core/core/src/logical_plan/analyze/plan.rs (6)

• new (72-85)
• new (112-127)
• new (783-785)
• new (900-994)
• new (1048-1097)
• new (1156-1158)

wren-core/core/src/mdl/context.rs (1)

• new (336-366)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cargo check
• GitHub Check: ci
• GitHub Check: test

🔇 Additional comments (13)

wren-core/core/src/mdl/dataset.rs (2)

62-77: Remote schema should exclude hidden top-level columns (LGTM).

Using get_physical_columns(true) and expanding only expression sources is correct to prevent exposing hidden columns while still resolving expressions.

---

31-44: All call-sites updated to the new signature. Repository scan shows only calls that pass a boolean (e.g. wren-core/core/src/mdl/utils.rs, logical_plan/analyze/access_control.rs); no stale to_qualified_schema() calls remain.

wren-core/core/src/logical_plan/analyze/access_control.rs (1)

257-260: Early return for empty required properties (LGTM).

This short‑circuit matches the documented behavior and avoids unnecessary work.

wren-core/core/src/mdl/utils.rs (2)

133-136: Visible-only schema choice (LGTM).

Using to_qualified_schema(true) here is appropriate since calculated-field expr qualification should not expose hidden columns.

---

166-172: Visible-only schema for model exprs (LGTM).

Consistent with visibility semantics and prevents accidental resolution of hidden columns via unqualified names.

wren-core-base/src/mdl/manifest.rs (2)

252-265: Visibility-aware physical columns (LGTM).

The split between visible-only and all physical columns is correct and keeps relationship columns excluded.

---

278-289: Accessor split is sound (LGTM).

Providing both get_visible_column and get_column covers callers that need visibility enforcement vs. internal resolution.

wren-core/core/src/mdl/context.rs (1)

343-366: Expose only visible columns in table provider schema (LGTM).

Restricting WrenDataSource columns to visible ones while still validating CLAC is the right balance for preventing leaks.

wren-core/core/src/logical_plan/analyze/plan.rs (5)

145-153: Include hidden columns when required by rules (LGTM).

Using get_physical_columns(false) ensures RLAC-required hidden fields are available to build filters without exposing them directly.

---

241-244: Primary key lookup should honor visibility (LGTM).

get_visible_column(pk) ensures we don’t join on a hidden PK inadvertently.

---

924-944: Wildcard expansion against all physical columns (LGTM).

Collecting from get_physical_columns(false) then filtering out calculated fields is consistent with making hidden fields available only when explicitly required downstream.

---

946-952: Direct field resolution against all physical columns (LGTM).

This allows hidden fields referenced explicitly in required exprs (e.g., RLAC) to be found while later stages handle visibility of outputs.

---

1057-1062: Consistent PK visibility in CalculationPlanNode (LGTM).

Using get_visible_column avoids surfacing hidden keys in outputs.