fix: using auth() in @default() is not effective for createManyAndReturn (#1727)

Author: ymc9

packages/runtime/src/cross/nested-write-visitor.ts

@@ -169,6 +169,7 @@ export class NestedWriteVisitor {
                 break;
 
             case 'createMany':
+            case 'createManyAndReturn':
                 if (data) {
                     const newContext = pushNewContext(field, model, {});
                     let callbackResult: any;

packages/runtime/src/cross/types.ts

@@ -4,6 +4,7 @@
 export const PrismaWriteActions = [
     'create',
     'createMany',
+    'createManyAndReturn',
     'connectOrCreate',
     'update',
     'updateMany',

packages/runtime/src/enhancements/node/default-auth.ts

@@ -49,7 +49,14 @@ class DefaultAuthHandler extends DefaultPrismaProxyHandler {
 
     // base override
     protected async preprocessArgs(action: PrismaProxyActions, args: any) {
-        const actionsOfInterest: PrismaProxyActions[] = ['create', 'createMany', 'update', 'updateMany', 'upsert'];
+        const actionsOfInterest: PrismaProxyActions[] = [
+            'create',
+            'createMany',
+            'createManyAndReturn',
+            'update',
+            'updateMany',
+            'upsert',
+        ];
         if (actionsOfInterest.includes(action)) {
             const newArgs = await this.preprocessWritePayload(this.model, action as PrismaWriteActionType, args);
             return newArgs;

packages/runtime/src/enhancements/node/policy/handler.ts

@@ -12,6 +12,7 @@ import {
     NestedWriteVisitorContext,
     enumerate,
     getIdFields,
+    getModelInfo,
     requireField,
     resolveField,
     type FieldInfo,
@@ -435,17 +436,16 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
 
             args = this.policyUtils.safeClone(args);
 
-            // go through create items, statically check input to determine if post-create
-            // check is needed, and also validate zod schema
-            const needPostCreateCheck = this.validateCreateInput(args);
+            // `createManyAndReturn` may need to be converted to regular `create`s
+            const shouldConvertToCreate = this.preprocessCreateManyPayload(args);
 
-            if (!needPostCreateCheck) {
-                // direct create
+            if (!shouldConvertToCreate) {
+                // direct `createMany`
                 return this.modelClient.createMany(args);
             } else {
                 // create entities in a transaction with post-create checks
                 return this.queryUtils.transaction(this.prisma, async (tx) => {
-                    const { result, postWriteChecks } = await this.doCreateMany(this.model, args, tx);
+                    const { result, postWriteChecks } = await this.doCreateMany(this.model, args, tx, 'createMany');
                     // post-create check
                     await this.runPostWriteChecks(postWriteChecks, tx);
                     return { count: result.length };
@@ -472,14 +472,13 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
             const origArgs = args;
             args = this.policyUtils.safeClone(args);
 
-            // go through create items, statically check input to determine if post-create
-            // check is needed, and also validate zod schema
-            const needPostCreateCheck = this.validateCreateInput(args);
+            // `createManyAndReturn` may need to be converted to regular `create`s
+            const shouldConvertToCreate = this.preprocessCreateManyPayload(args);
 
             let result: { result: unknown; error?: Error }[];
 
-            if (!needPostCreateCheck) {
-                // direct create
+            if (!shouldConvertToCreate) {
+                // direct `createManyAndReturn`
                 const created = await this.modelClient.createManyAndReturn(args);
 
                 // process read-back
@@ -489,7 +488,13 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
             } else {
                 // create entities in a transaction with post-create checks
                 result = await this.queryUtils.transaction(this.prisma, async (tx) => {
-                    const { result: created, postWriteChecks } = await this.doCreateMany(this.model, args, tx);
+                    const { result: created, postWriteChecks } = await this.doCreateMany(
+                        this.model,
+                        args,
+                        tx,
+                        'createManyAndReturn'
+                    );
+
                     // post-create check
                     await this.runPostWriteChecks(postWriteChecks, tx);
 
@@ -510,6 +515,46 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
         });
     }
 
+    /**
+     * Preprocess the payload of `createMany` and `createManyAndReturn` and update in place if needed.
+     * @returns `true` if the operation should be converted to regular `create`s; false otherwise.
+     */
+    private preprocessCreateManyPayload(args: { data: any; select?: any; skipDuplicates?: boolean }) {
+        if (!args) {
+            return false;
+        }
+
+        // if post-create check is needed
+        const needPostCreateCheck = this.validateCreateInput(args);
+
+        // if the payload has any relation fields. Note that other enhancements (`withDefaultInAuth` for now)
+        // can introduce relation fields into the payload
+        let hasRelationFields = false;
+        if (args.data) {
+            hasRelationFields = this.hasRelationFieldsInPayload(this.model, args.data);
+        }
+
+        return needPostCreateCheck || hasRelationFields;
+    }
+
+    private hasRelationFieldsInPayload(model: string, payload: any) {
+        const modelInfo = getModelInfo(this.modelMeta, model);
+        if (!modelInfo) {
+            return false;
+        }
+
+        for (const item of enumerate(payload)) {
+            for (const field of Object.keys(item)) {
+                const fieldInfo = resolveField(this.modelMeta, model, field);
+                if (fieldInfo?.isDataModel) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     private validateCreateInput(args: { data: any; skipDuplicates?: boolean | undefined }) {
         let needPostCreateCheck = false;
         for (const item of enumerate(args.data)) {
@@ -537,7 +582,12 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
         return needPostCreateCheck;
     }
 
-    private async doCreateMany(model: string, args: { data: any; skipDuplicates?: boolean }, db: CrudContract) {
+    private async doCreateMany(
+        model: string,
+        args: { data: any; skipDuplicates?: boolean },
+        db: CrudContract,
+        action: 'createMany' | 'createManyAndReturn'
+    ) {
         // We can't call the native "createMany" because we can't get back what was created
         // for post-create checks. Instead, do a "create" for each item and collect the results.
 
@@ -553,7 +603,7 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
                 }
 
                 if (this.shouldLogQuery) {
-                    this.logger.info(`[policy] \`create\` for \`createMany\` ${model}: ${formatObject(item)}`);
+                    this.logger.info(`[policy] \`create\` for \`${action}\` ${model}: ${formatObject(item)}`);
                 }
                 return await db[model].create({ select: this.policyUtils.makeIdSelection(model), data: item });
             })

tests/integration/tests/enhancements/with-policy/auth.test.ts

@@ -389,6 +389,11 @@ describe('auth() runtime test', () => {
         await expect(userDb.post.create({ data: { title: 'abc' } })).toResolveTruthy();
         await expect(userDb.post.findMany()).resolves.toHaveLength(1);
         await expect(userDb.post.count({ where: { authorName: 'user1', score: 10 } })).resolves.toBe(1);
+
+        await expect(userDb.post.createMany({ data: [{ title: 'def' }] })).resolves.toMatchObject({ count: 1 });
+        const r = await userDb.post.createManyAndReturn({ data: [{ title: 'xxx' }, { title: 'yyy' }] });
+        expect(r[0]).toMatchObject({ title: 'xxx', score: 10 });
+        expect(r[1]).toMatchObject({ title: 'yyy', score: 10 });
     });
 
     it('Default auth() data should not override passed args', async () => {
@@ -414,6 +419,12 @@ describe('auth() runtime test', () => {
         const userDb = enhance({ id: '1', name: userContextName });
         await expect(userDb.post.create({ data: { authorName: overrideName } })).toResolveTruthy();
         await expect(userDb.post.count({ where: { authorName: overrideName } })).resolves.toBe(1);
+
+        await expect(userDb.post.createMany({ data: [{ authorName: overrideName }] })).toResolveTruthy();
+        await expect(userDb.post.count({ where: { authorName: overrideName } })).resolves.toBe(2);
+
+        const r = await userDb.post.createManyAndReturn({ data: [{ authorName: overrideName }] });
+        expect(r[0]).toMatchObject({ authorName: overrideName });
     });
 
     it('Default auth() with foreign key', async () => {
@@ -465,6 +476,15 @@ describe('auth() runtime test', () => {
                 update: { title: 'post4' },
             })
         ).resolves.toMatchObject({ authorId: 'userId-1' });
+
+        // default auth effective for createMany
+        await expect(db.post.createMany({ data: { title: 'post5' } })).resolves.toMatchObject({ count: 1 });
+        const r = await db.post.findFirst({ where: { title: 'post5' } });
+        expect(r).toMatchObject({ authorId: 'userId-1' });
+
+        // default auth effective for createManyAndReturn
+        const r1 = await db.post.createManyAndReturn({ data: { title: 'post6' } });
+        expect(r1[0]).toMatchObject({ authorId: 'userId-1' });
     });
 
     it('Default auth() with nested user context value', async () => {
@@ -631,14 +651,23 @@ describe('auth() runtime test', () => {
         const db = enhance({ id: 'userId-1' });
         await db.user.create({ data: { id: 'userId-1' } });
 
-        // safe
+        // unsafe
         await db.stats.create({ data: { id: 'stats-1', viewCount: 10 } });
-        await expect(db.post.create({ data: { title: 'title', statsId: 'stats-1' } })).toResolveTruthy();
+        await expect(db.post.create({ data: { title: 'title1', statsId: 'stats-1' } })).toResolveTruthy();
 
-        // unsafe
         await db.stats.create({ data: { id: 'stats-2', viewCount: 10 } });
+        await expect(db.post.createMany({ data: [{ title: 'title2', statsId: 'stats-2' }] })).resolves.toMatchObject({
+            count: 1,
+        });
+
+        await db.stats.create({ data: { id: 'stats-3', viewCount: 10 } });
+        const r = await db.post.createManyAndReturn({ data: [{ title: 'title3', statsId: 'stats-3' }] });
+        expect(r[0]).toMatchObject({ statsId: 'stats-3' });
+
+        // safe
+        await db.stats.create({ data: { id: 'stats-4', viewCount: 10 } });
         await expect(
-            db.post.create({ data: { title: 'title', stats: { connect: { id: 'stats-2' } } } })
+            db.post.create({ data: { title: 'title4', stats: { connect: { id: 'stats-4' } } } })
         ).toResolveTruthy();
     });
 });

tests/regression/tests/issue-1681.test.ts

@@ -0,0 +1,29 @@
+import { loadSchema } from '@zenstackhq/testtools';
+describe('issue 1681', () => {
+    it('regression', async () => {
+        const { enhance } = await loadSchema(
+            `
+            model User {
+                id Int @id @default(autoincrement())
+                posts Post[]
+                @@allow('all', true)
+            }
+            
+            model Post {
+                id Int @id @default(autoincrement())
+                title String
+                author User @relation(fields: [authorId], references: [id])
+                authorId Int @default(auth().id)
+                @@allow('all', true)
+            }
+            `
+        );
+
+        const db = enhance({ id: 1 });
+        const user = await db.user.create({ data: {} });
+        await expect(db.post.createMany({ data: [{ title: 'Post1' }] })).resolves.toMatchObject({ count: 1 });
+
+        const r = await db.post.createManyAndReturn({ data: [{ title: 'Post2' }] });
+        expect(r[0].authorId).toBe(user.id);
+    });
+});