Struct SecureOnConflict 

pub struct SecureOnConflict<E: EntityTrait> { /* private fields */ }

A secure builder for ON CONFLICT DO UPDATE clauses that enforces tenant immutability.

For tenant-scoped entities (ScopableEntity::tenant_col() != None), this builder ensures that tenant_id is never included in the update columns. Attempting to update tenant_id via update_columns() or value() returns an error.

Security Rationale

ON CONFLICT DO UPDATE can be exploited to change an entity’s tenant:

INSERT INTO users (id, tenant_id, email) VALUES ($1, $2, $3)
ON CONFLICT (id) DO UPDATE SET tenant_id = excluded.tenant_id;

This would allow moving a row from one tenant to another, violating tenant isolation.

Example

use modkit_db::secure::{SecureOnConflict, SecureInsertExt};
use sea_orm::ActiveValue::Set;

let scope = AccessScope::both(vec![tenant_id], vec![user_id]);
let am = settings::ActiveModel {
    tenant_id: Set(tenant_id),
    user_id: Set(user_id),
    theme: Set(Some("dark".to_string())),
    language: Set(Some("en".to_string())),
};

// Build secure on_conflict - validates tenant_id is not updated
let on_conflict = SecureOnConflict::<settings::Entity>::columns([
        settings::Column::TenantId,
        settings::Column::UserId,
    ])
    .update_columns([settings::Column::Theme, settings::Column::Language])?;

settings::Entity::insert(am)
    .secure()
    .scope_with(&scope)?
    .on_conflict(on_conflict)
    .exec(conn)
    .await?;

Implementations

impl<E> SecureOnConflict<E>

where E: ScopableEntity + EntityTrait, E::Column: ColumnTrait + Copy,

pub fn columns<C, I>(cols: I) -> Self

where C: IntoIden, I: IntoIterator<Item = C>,

Start building an ON CONFLICT clause with the specified conflict columns.

These are the columns that define uniqueness (typically the primary key or a unique constraint).

pub fn update_columns<C, I>(self, cols: I) -> Result<Self, ScopeError>

where C: IntoIden + Copy + 'static, I: IntoIterator<Item = C>,

Specify columns to update on conflict.

Errors

Returns ScopeError::Denied("tenant_id is immutable") if the entity has a tenant column and it appears in the update columns list.

pub fn value<C>(self, col: C, expr: SimpleExpr) -> Result<Self, ScopeError>

where C: IntoIden + Copy + 'static,

Set a custom update expression for a column on conflict.

Errors

Returns ScopeError::Denied("tenant_id is immutable") if the entity has a tenant column and the specified column matches it.

pub fn build(self) -> OnConflict

Consume the builder and return the underlying SeaORM OnConflict.

Call this after configuring all update columns/values.

pub fn inner_mut(&mut self) -> &mut OnConflict

Get a reference to the inner OnConflict for chaining with SeaORM methods that are not wrapped by this builder.

Safety

The caller must ensure they don’t add tenant column updates through the inner OnConflict directly, as this would bypass the security check.

Trait Implementations

impl<E: Clone + EntityTrait> Clone for SecureOnConflict<E>

fn clone(&self) -> SecureOnConflict<E>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<E: Debug + EntityTrait> Debug for SecureOnConflict<E>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.