extra fixes and tests

ymc9 · ymc9 · commit f3e04b5e1676 · 2025-09-19T11:46:25.000-07:00
diff --git a/packages/runtime/src/plugins/policy/expression-transformer.ts b/packages/runtime/src/plugins/policy/expression-transformer.ts
@@ -24,7 +24,13 @@ import type { ClientContract, CRUD } from '../../client/contract';
 import { getCrudDialect } from '../../client/crud/dialects';
 import type { BaseCrudDialect } from '../../client/crud/dialects/base-dialect';
 import { InternalError, QueryError } from '../../client/errors';
-import { getModel, getRelationForeignKeyFieldPairs, requireField, requireIdFields } from '../../client/query-utils';
+import {
+    getManyToManyRelation,
+    getModel,
+    getRelationForeignKeyFieldPairs,
+    requireField,
+    requireIdFields,
+} from '../../client/query-utils';
 import type {
     BinaryExpression,
     BinaryOperator,
@@ -543,6 +549,11 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
         relationModel: string,
         context: ExpressionTransformerContext<Schema>,
     ): SelectQueryNode {
+        const m2m = getManyToManyRelation(this.schema, context.model, field);
+        if (m2m) {
+            return this.transformManyToManyRelationAccess(m2m, context);
+        }
+
         const fromModel = context.model;
         const { keyPairs, ownedByModel } = getRelationForeignKeyFieldPairs(this.schema, fromModel, field);
 
@@ -580,6 +591,28 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
         };
     }
 
+    private transformManyToManyRelationAccess(
+        m2m: NonNullable<ReturnType<typeof getManyToManyRelation>>,
+        context: ExpressionTransformerContext<Schema>,
+    ) {
+        const eb = expressionBuilder<any, any>();
+        const relationQuery = eb
+            .selectFrom(m2m.otherModel)
+            // inner join with join table and additionally filter by the parent model
+            .innerJoin(m2m.joinTable, (join) =>
+                join
+                    // relation model pk to join table fk
+                    .onRef(`${m2m.otherModel}.${m2m.otherPKName}`, '=', `${m2m.joinTable}.${m2m.otherFkName}`)
+                    // parent model pk to join table fk
+                    .onRef(
+                        `${m2m.joinTable}.${m2m.parentFkName}`,
+                        '=',
+                        `${context.alias ?? context.model}.${m2m.parentPKName}`,
+                    ),
+            );
+        return relationQuery.toOperationNode();
+    }
+
     private createColumnRef(column: string, context: ExpressionTransformerContext<Schema>): ReferenceNode {
         return ReferenceNode.create(ColumnNode.create(column), TableNode.create(context.alias ?? context.model));
     }
diff --git a/packages/runtime/src/plugins/policy/policy-handler.ts b/packages/runtime/src/plugins/policy/policy-handler.ts
@@ -1,4 +1,4 @@
-import { invariant, zip } from '@zenstackhq/common-helpers';
+import { invariant } from '@zenstackhq/common-helpers';
 import {
     AliasNode,
     BinaryOperationNode,
@@ -28,7 +28,6 @@ import {
     type OperationNode,
     type QueryResult,
     type RootOperationNode,
-    type SelectQueryBuilder,
 } from 'kysely';
 import { match } from 'ts-pattern';
 import type { ClientContract } from '../../client';
@@ -758,41 +757,33 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             return undefined;
         }
 
-        const sortedRecords = [
-            {
-                model: m2m.firstModel,
-                field: m2m.firstField,
-            },
-            {
-                model: m2m.secondModel,
-                field: m2m.secondField,
-            },
-        ];
-
         // join table's permission:
         //   - read: requires both sides to be readable
         //   - mutation: requires both sides to be updatable
 
-        const queries: SelectQueryBuilder<any, any, any>[] = [];
+        const checkForOperation = operation === 'read' ? 'read' : 'update';
         const eb = expressionBuilder<any, any>();
+        const joinTable = alias ?? tableName;
 
-        for (const [fk, entry] of zip(['A', 'B'], sortedRecords)) {
-            const idFields = requireIdFields(this.client.$schema, entry.model);
-            invariant(idFields.length === 1, 'only single-field id is supported for implicit many-to-many join table');
+        const aQuery = eb
+            .selectFrom(m2m.firstModel)
+            .whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, '=', `${joinTable}.A`)
+            .select(() =>
+                new ExpressionWrapper(
+                    this.buildPolicyFilter(m2m.firstModel as GetModels<Schema>, undefined, checkForOperation),
+                ).as('$conditionA'),
+            );
 
-            const policyFilter = this.buildPolicyFilter(
-                entry.model as GetModels<Schema>,
-                undefined,
-                operation === 'read' ? 'read' : 'update',
+        const bQuery = eb
+            .selectFrom(m2m.secondModel)
+            .whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, '=', `${joinTable}.B`)
+            .select(() =>
+                new ExpressionWrapper(
+                    this.buildPolicyFilter(m2m.secondModel as GetModels<Schema>, undefined, checkForOperation),
+                ).as('$conditionB'),
             );
-            const query = eb
-                .selectFrom(entry.model)
-                .whereRef(`${entry.model}.${idFields[0]}`, '=', `${alias ?? tableName}.${fk}`)
-                .select(new ExpressionWrapper(policyFilter).as(`$condition${fk}`));
-            queries.push(query);
-        }
 
-        return eb.and(queries).toOperationNode();
+        return eb.and([aQuery, bQuery]).toOperationNode();
     }
 
     // #endregion
diff --git a/packages/runtime/test/policy/crud/create.test.ts b/packages/runtime/test/policy/crud/create.test.ts
@@ -273,4 +273,98 @@ model Profile {
             },
         });
     });
+
+    it('works with unnamed many-to-many relation', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id Int @id
+    groups Group[]
+    private Boolean
+    @@allow('create,read', true)
+    @@allow('update', !private)
+}
+
+model Group {
+    id Int @id
+    private Boolean
+    users User[]
+    @@allow('create,read', true)
+    @@allow('update', !private)
+}
+            `,
+            { usePrismaPush: true },
+        );
+
+        await expect(
+            db.user.create({
+                data: { id: 1, private: false, groups: { create: [{ id: 1, private: false }] } },
+            }),
+        ).toResolveTruthy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: true, groups: { create: [{ id: 2, private: false }] } },
+            }),
+        ).toBeRejectedByPolicy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: false, groups: { create: [{ id: 2, private: true }] } },
+            }),
+        ).toBeRejectedByPolicy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: true, groups: { create: [{ id: 2, private: true }] } },
+            }),
+        ).toBeRejectedByPolicy();
+    });
+
+    it('works with named many-to-many relation', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id Int @id
+    groups Group[] @relation("UserGroups")
+    private Boolean
+    @@allow('create,read', true)
+    @@allow('update', !private)
+}
+
+model Group {
+    id Int @id
+    private Boolean
+    users User[] @relation("UserGroups")
+    @@allow('create,read', true)
+    @@allow('update', !private)
+}
+            `,
+            { usePrismaPush: true },
+        );
+
+        await expect(
+            db.user.create({
+                data: { id: 1, private: false, groups: { create: [{ id: 1, private: false }] } },
+            }),
+        ).toResolveTruthy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: true, groups: { create: [{ id: 2, private: false }] } },
+            }),
+        ).toBeRejectedByPolicy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: false, groups: { create: [{ id: 2, private: true }] } },
+            }),
+        ).toBeRejectedByPolicy();
+
+        await expect(
+            db.user.create({
+                data: { id: 2, private: true, groups: { create: [{ id: 2, private: true }] } },
+            }),
+        ).toBeRejectedByPolicy();
+    });
 });
diff --git a/packages/runtime/test/policy/crud/read.test.ts b/packages/runtime/test/policy/crud/read.test.ts
@@ -165,6 +165,86 @@ model Bar {
             });
         });
 
+        it('works with unnamed many-to-many relation read', async () => {
+            const db = await createPolicyTestClient(
+                `
+model User {
+    id Int @id
+    groups Group[]
+    @@allow('all', true)
+}
+
+model Group {
+    id Int @id
+    private Boolean
+    users User[]
+    @@allow('read', !private)
+}
+`,
+                { usePrismaPush: true },
+            );
+
+            await db.$unuseAll().user.create({
+                data: {
+                    id: 1,
+                    groups: {
+                        create: [
+                            { id: 1, private: true },
+                            { id: 2, private: false },
+                        ],
+                    },
+                },
+            });
+            await expect(db.user.findFirst({ include: { groups: true } })).resolves.toMatchObject({
+                groups: [{ id: 2 }],
+            });
+            await expect(
+                db.user.findFirst({ where: { id: 1 }, select: { _count: { select: { groups: true } } } }),
+            ).resolves.toMatchObject({
+                _count: { groups: 1 },
+            });
+        });
+
+        it('works with named many-to-many relation read', async () => {
+            const db = await createPolicyTestClient(
+                `
+model User {
+    id Int @id
+    groups Group[] @relation("UserGroups")
+    @@allow('all', true)
+}
+
+model Group {
+    id Int @id
+    private Boolean
+    users User[] @relation("UserGroups")
+    @@allow('read', !private)
+}
+`,
+                { usePrismaPush: true },
+            );
+
+            await db.$unuseAll().user.create({
+                data: {
+                    id: 1,
+                    groups: {
+                        create: [
+                            { id: 1, private: true },
+                            { id: 2, private: false },
+                        ],
+                    },
+                },
+            });
+            await expect(db.user.findFirst({ include: { groups: true } })).resolves.toMatchObject({
+                groups: [{ id: 2 }],
+            });
+            await expect(
+                db.user.findFirst({ where: { id: 1 }, select: { _count: { select: { groups: true } } } }),
+            ).resolves.toMatchObject({
+                _count: { groups: 1 },
+            });
+        });
+
         it('works with filtered by to-one relation field', async () => {
             const db = await createPolicyTestClient(
                 `
diff --git a/packages/runtime/test/policy/crud/update.test.ts b/packages/runtime/test/policy/crud/update.test.ts
