@api-client/core 0.19.41 → 0.19.42

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@api-client/core",
   "description": "The API Client's core client library. Works in NodeJS and in a ES enabled browser.",
-  "version": "0.19.41",
+  "version": "0.19.42",
   "license": "UNLICENSED",
   "exports": {
     "./browser.js": {

package/src/modeling/RuntimeApiModel.ts

@@ -7,6 +7,7 @@ import type { Action } from './actions/Action.js'
 import { SemanticType } from './Semantics.js'
 import type { DomainEntity } from './DomainEntity.js'
 import type { DomainProperty } from './DomainProperty.js'
+import { AccessRule, AccessRuleExecutionPhase } from './rules/AccessRule.js'
 
 /**
  * Identifies a specific exposed entity and its action kind.
@@ -42,6 +43,19 @@ export interface RuntimeResolvedAction {
   params: Record<string, string>
 }
 
+export type RuleEvaluator = (rule: AccessRule) => Promise<boolean | undefined> | boolean | undefined
+
+interface PhaseRules {
+  permissionRules: AccessRule[]
+  mandatoryRules: AccessRule[]
+}
+
+interface ActionRulesCache {
+  preFetch: PhaseRules
+  fetch: PhaseRules
+  postFetch: PhaseRules
+}
+
 /**
  * An optimized API Model subclass designed for fast runtime lookups.
  * It pre-compiles the RoutingMap into a radix tree for O(log N) or faster endpoint resolution.
@@ -74,6 +88,11 @@ export class RuntimeApiModel extends ApiModel {
     role?: DomainProperty
   } = {}
 
+  /**
+   * Cached access rules for each action to avoid runtime computation overhead.
+   */
+  #actionRulesCache = new WeakMap<Action, ActionRulesCache>()
+
   constructor(schema: RuntimeApiModelSchema, domainSchema: DataDomainSchema) {
     super(schema, domainSchema)
 
@@ -82,9 +101,93 @@ export class RuntimeApiModel extends ApiModel {
     }
 
     this.#cacheEntitiesAndProperties()
+    this.#precomputeAccessRules()
+  }
+
+  #precomputeAccessRules(): void {
+    for (const entity of this.exposes.values()) {
+      for (const action of entity.actions) {
+        this.#actionRulesCache.set(action, this.#computeEffectiveRules(action, entity))
+      }
+    }
+  }
+
+  #computeEffectiveRules(action: Action, entity: ExposedEntity): ActionRulesCache {
+    const hierarchy: AccessRule[][] = []
+
+    if (action.accessRule && action.accessRule.length > 0) {
+      hierarchy.push(action.accessRule)
+    }
+
+    let currentEntity: ExposedEntity | undefined = entity
+    while (currentEntity) {
+      if (currentEntity.accessRule && currentEntity.accessRule.length > 0) {
+        hierarchy.push(currentEntity.accessRule)
+      }
+      currentEntity = currentEntity.parent ? this.exposes.get(currentEntity.parent.key) : undefined
+    }
+
+    if (this.accessRule && this.accessRule.length > 0) {
+      hierarchy.push(this.accessRule)
+    }
+
+    const result: ActionRulesCache = {
+      preFetch: {
+        permissionRules: [],
+        mandatoryRules: [],
+      },
+      fetch: {
+        permissionRules: [],
+        mandatoryRules: [],
+      },
+      postFetch: {
+        permissionRules: [],
+        mandatoryRules: [],
+      },
+    }
+
+    const seenTypes = new Set<string>()
+
+    for (const rulesLevel of hierarchy) {
+      const typesInThisLevel = new Set<string>()
+      for (const rule of rulesLevel) {
+        const phase = rule.metadata[action.kind as keyof typeof rule.metadata]
+
+        // If the rule does not specify an execution phase for this action kind, it is not evaluated
+        if (!phase) {
+          continue
+        }
+
+        // Shadowing: If a rule of the same type was defined closer to the action, ignore this one.
+        if (seenTypes.has(rule.type)) {
+          continue
+        }
+        typesInThisLevel.add(rule.type)
+
+        let bucket
+        if (phase === AccessRuleExecutionPhase.POST_FETCH) {
+          bucket = result.postFetch
+        } else if (phase === AccessRuleExecutionPhase.FETCH) {
+          bucket = result.fetch
+        } else {
+          bucket = result.preFetch
+        }
+
+        if (rule.mandatory) {
+          bucket.mandatoryRules.push(rule)
+        } else {
+          bucket.permissionRules.push(rule)
+        }
+      }
+      for (const type of typesInThisLevel) {
+        seenTypes.add(type)
+      }
+    }
+
+    return result
   }
 
-  #cacheEntitiesAndProperties() {
+  #cacheEntitiesAndProperties(): void {
     if (!this.user || !this.domain) {
       return
     }
@@ -109,7 +212,7 @@ export class RuntimeApiModel extends ApiModel {
     }
   }
 
-  #initializeRouter(routingMap: RoutingMap) {
+  #initializeRouter(routingMap: RoutingMap): void {
     for (const [method, definitions] of Object.entries(routingMap)) {
       const parsedRoutes = []
       for (const def of definitions) {
@@ -167,6 +270,67 @@ export class RuntimeApiModel extends ApiModel {
     }
   }
 
+  /**
+   * Evaluates access rules for a given action and phase.
+   *
+   * The evaluation process follows two phases per execution phase (PRE_FETCH, FETCH, POST_FETCH):
+   * 1. Mandatory Phase: All rules marked as `mandatory: true` across all levels must return true.
+   *    If any fail, the request is immediately rejected.
+   * 2. Permission Phase: Evaluation follows the hierarchy from most specific to most general:
+   *    Action -> Endpoint (ExposedEntity) -> API Model.
+   *    If an explicit allow (true) or deny (false) is hit, evaluation stops and returns the result.
+   *    If no rules match (all return undefined), the request is rejected by default.
+   *
+   * @param action The resolved action to evaluate.
+   * @param evaluator A callback that evaluates a single rule. Should return true (allow),
+   *                  false (deny), or undefined (no hit).
+   * @param phase The execution phase to evaluate.
+   * @returns A promise that resolves to true if access is granted, false if denied.
+   */
+  async evaluateAccess(
+    action: RuntimeResolvedAction,
+    evaluator: RuleEvaluator,
+    phase: AccessRuleExecutionPhase
+  ): Promise<boolean> {
+    let cachedRules = this.#actionRulesCache.get(action.action)
+    if (!cachedRules) {
+      // Fallback if somehow action is not cached (e.g. dynamically added after initialization or in tests)
+      cachedRules = this.#computeEffectiveRules(action.action, action.entity)
+      this.#actionRulesCache.set(action.action, cachedRules)
+    }
+
+    let rulesForPhase
+    if (phase === AccessRuleExecutionPhase.POST_FETCH) {
+      rulesForPhase = cachedRules.postFetch
+    } else if (phase === AccessRuleExecutionPhase.FETCH) {
+      rulesForPhase = cachedRules.fetch
+    } else {
+      rulesForPhase = cachedRules.preFetch
+    }
+
+    // Step 1: Mandatory Phase
+    for (const rule of rulesForPhase.mandatoryRules) {
+      const result = await evaluator(rule)
+      if (result !== true) {
+        return false // Immediately reject if any mandatory rule fails
+      }
+    }
+
+    // Step 2-4: Permission Phase
+    for (const rule of rulesForPhase.permissionRules) {
+      const result = await evaluator(rule)
+      if (result === true) {
+        return true
+      }
+      if (result === false) {
+        return false
+      }
+    }
+
+    // Default: no hit
+    return false
+  }
+
   override toJSON(): RuntimeApiModelSchema {
     const base = super.toJSON() as RuntimeApiModelSchema
 

package/src/modeling/rules/AccessRule.ts

@@ -2,12 +2,47 @@ import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
 
+export enum AccessRuleExecutionPhase {
+  /**
+   * The action that happens before the fetch.
+   * For example MatchUserRole and MatchUserProperty are executed in this phase.
+   */
+  PRE_FETCH = 'pre-fetch',
+  /**
+   * The action that happens during the fetch, for example injecting clauses into a query.
+   */
+  FETCH = 'fetch',
+  /**
+   * The action that happens after the resource is fetched from the database.
+   */
+  POST_FETCH = 'post-fetch',
+}
+
 export interface AccessRuleSchema {
   /**
    * The unique identifier for the access rule.
    * This is used to reference the rule in the API configuration.
    */
   type: string
+
+  /**
+   * Whether this rule is mandatory. If true, the rule must be satisfied for the action to be allowed,
+   * regardless of other rules. If a mandatory rule is not satisfied, the action is denied.
+   */
+  mandatory?: boolean
+}
+
+/**
+ * The definition of when exactly the access rule should be evaluated.
+ * If the action is not specified, the rule is not evaluated for that action.
+ */
+export interface AccessRuleExecutionMetadata {
+  readonly list?: AccessRuleExecutionPhase
+  readonly create?: AccessRuleExecutionPhase
+  readonly search?: AccessRuleExecutionPhase
+  readonly read?: AccessRuleExecutionPhase
+  readonly update?: AccessRuleExecutionPhase
+  readonly delete?: AccessRuleExecutionPhase
 }
 
 /**
@@ -17,16 +52,49 @@ export class AccessRule extends EventTarget implements AccessRuleSchema {
   readonly type: string
   readonly parent: ExposedEntity | ApiModel | Action
 
-  constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<AccessRuleSchema> = {}) {
+  /**
+   * Whether this rule is mandatory. If true, the rule must be satisfied for the action to be allowed,
+   * regardless of other rules. If a mandatory rule is not satisfied, the action is denied.
+   */
+  mandatory: boolean
+
+  /**
+   * The execution phase dictates when the rule is evaluated during the request lifecycle.
+   * - 'pre-fetch': Evaluated before the underlying resource is fetched from the database.
+   * - 'post-fetch': Evaluated after the underlying resource is fetched from the database.
+   *
+   * In some situations (like List and MatchResourceOwner) this is executed when a query is
+   * build to inject additional clauses for example.
+   */
+  #metadata: AccessRuleExecutionMetadata
+
+  get metadata(): AccessRuleExecutionMetadata {
+    if (!this.#metadata) {
+      throw new Error('Metadata not set for access rule ' + this.type)
+    }
+    return this.#metadata
+  }
+
+  constructor(
+    parent: ExposedEntity | ApiModel | Action,
+    metadata: AccessRuleExecutionMetadata,
+    state: Partial<AccessRuleSchema> = {}
+  ) {
     super()
     this.parent = parent
     this.type = state.type ?? ''
+    this.mandatory = state.mandatory ?? false
+    this.#metadata = metadata
   }
 
   toJSON(): AccessRuleSchema {
-    return {
+    const result: AccessRuleSchema = {
       type: this.type,
     }
+    if (this.mandatory) {
+      result.mandatory = true
+    }
+    return result
   }
 
   notifyChange() {

package/src/modeling/rules/AllowAuthenticated.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 
 /**
  * The action is allowed for any authenticated user.
@@ -21,7 +21,18 @@ export class AllowAuthenticatedAccessRule extends AccessRule implements AllowAut
   override readonly type: 'allowAuthenticated'
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<AllowAuthenticatedAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.PRE_FETCH,
+        create: AccessRuleExecutionPhase.PRE_FETCH,
+        search: AccessRuleExecutionPhase.PRE_FETCH,
+        read: AccessRuleExecutionPhase.PRE_FETCH,
+        update: AccessRuleExecutionPhase.PRE_FETCH,
+        delete: AccessRuleExecutionPhase.PRE_FETCH,
+      },
+      state
+    )
     this.type = 'allowAuthenticated'
   }
 }

package/src/modeling/rules/AllowPublic.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 
 /**
  * The action is allowed for all users, including unauthenticated ones.
@@ -21,7 +21,18 @@ export class AllowPublicAccessRule extends AccessRule implements AllowPublicAcce
   override readonly type: 'allowPublic'
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<AllowPublicAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.PRE_FETCH,
+        create: AccessRuleExecutionPhase.PRE_FETCH,
+        search: AccessRuleExecutionPhase.PRE_FETCH,
+        read: AccessRuleExecutionPhase.PRE_FETCH,
+        update: AccessRuleExecutionPhase.PRE_FETCH,
+        delete: AccessRuleExecutionPhase.PRE_FETCH,
+      },
+      state
+    )
     this.type = 'allowPublic'
   }
 }

package/src/modeling/rules/LifecycleStatus.ts

@@ -0,0 +1,71 @@
+import type { Action } from '../actions/Action.js'
+import type { ApiModel } from '../ApiModel.js'
+import type { ExposedEntity } from '../ExposedEntity.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
+import { observed, toRaw } from '../../decorators/observed.js'
+
+/**
+ * A specialized rule for entities using Status Semantics;
+ * ensures specific status records (e.g. "Archived" or "Draft") are granted or restricted.
+ *
+ * Since the data domain requires for an entity to have at the most one Status semantic, it is
+ * clear which field to use.
+ */
+export interface LifecycleStatusAccessRuleSchema extends AccessRuleSchema {
+  type: 'lifecycleStatus'
+
+  /**
+   * The statuses that are allowed access. If the resource's status is not in this list,
+   * access will be denied by this rule (or un-handled if permission phase).
+   */
+  allowedStatuses?: string[]
+
+  /**
+   * The statuses that are explicitly denied access. If the resource's status is in this list,
+   * access will be denied.
+   */
+  deniedStatuses?: string[]
+}
+
+/**
+ * A specialized rule for entities using Status Semantics;
+ * ensures specific status records (e.g. "Archived" or "Draft") are granted or restricted.
+ */
+export class LifecycleStatusAccessRule extends AccessRule implements LifecycleStatusAccessRuleSchema {
+  override readonly type: 'lifecycleStatus'
+
+  @observed({ deep: true }) accessor allowedStatuses: string[]
+  @observed({ deep: true }) accessor deniedStatuses: string[]
+
+  constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<LifecycleStatusAccessRuleSchema> = {}) {
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.FETCH,
+        search: AccessRuleExecutionPhase.FETCH,
+        read: AccessRuleExecutionPhase.POST_FETCH,
+        update: AccessRuleExecutionPhase.POST_FETCH,
+        delete: AccessRuleExecutionPhase.POST_FETCH,
+      },
+      state
+    )
+    this.type = 'lifecycleStatus'
+    this.allowedStatuses = state.allowedStatuses ? [...state.allowedStatuses] : []
+    this.deniedStatuses = state.deniedStatuses ? [...state.deniedStatuses] : []
+  }
+
+  override toJSON(): LifecycleStatusAccessRuleSchema {
+    const json: LifecycleStatusAccessRuleSchema = {
+      ...(super.toJSON() as LifecycleStatusAccessRuleSchema),
+    }
+
+    if (this.allowedStatuses.length > 0) {
+      json.allowedStatuses = structuredClone(toRaw(this, this.allowedStatuses)) as string[]
+    }
+    if (this.deniedStatuses.length > 0) {
+      json.deniedStatuses = structuredClone(toRaw(this, this.deniedStatuses)) as string[]
+    }
+
+    return json
+  }
+}

package/src/modeling/rules/MatchEmailDomain.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 import { observed, toRaw } from '../../decorators/observed.js'
 
 /**
@@ -28,7 +28,18 @@ export class MatchEmailDomainAccessRule extends AccessRule implements MatchEmail
   @observed({ deep: true }) accessor domains: string[]
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchEmailDomainAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.PRE_FETCH,
+        create: AccessRuleExecutionPhase.PRE_FETCH,
+        search: AccessRuleExecutionPhase.PRE_FETCH,
+        read: AccessRuleExecutionPhase.PRE_FETCH,
+        update: AccessRuleExecutionPhase.PRE_FETCH,
+        delete: AccessRuleExecutionPhase.PRE_FETCH,
+      },
+      state
+    )
     this.type = 'matchEmailDomain'
     this.domains = state.domains ? [...state.domains] : []
   }

package/src/modeling/rules/MatchResourceAttribute.ts

@@ -0,0 +1,82 @@
+import type { Action } from '../actions/Action.js'
+import type { ApiModel } from '../ApiModel.js'
+import type { ExposedEntity } from '../ExposedEntity.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
+import { observed } from '../../decorators/observed.js'
+
+export type MatchResourceAttributeOperator =
+  | 'equal'
+  | 'notEqual'
+  | 'startsWith'
+  | 'endsWith'
+  | 'contains'
+  | 'greaterThan'
+  | 'lessThan'
+  | 'greaterThanOrEqual'
+  | 'lessThanOrEqual'
+
+/**
+ * Grants access based on a static value within the resource itself.
+ * Example: Allow Read behavior if status == 'published'.
+ */
+export interface MatchResourceAttributeAccessRuleSchema extends AccessRuleSchema {
+  type: 'matchResourceAttribute'
+
+  /**
+   * The name of the attribute on the resource to check.
+   */
+  attribute: string
+
+  /**
+   * The static value to match against the resource's attribute.
+   */
+  value: string | number | boolean
+
+  /**
+   * The operator to use when comparing the resource's attribute to the given value.
+   * Defaults to 'equal'.
+   */
+  operator?: MatchResourceAttributeOperator
+}
+
+/**
+ * Grants access based on a static value within the resource itself.
+ * Example: Allow Read behavior if status == 'published'.
+ */
+export class MatchResourceAttributeAccessRule extends AccessRule implements MatchResourceAttributeAccessRuleSchema {
+  override readonly type: 'matchResourceAttribute'
+
+  @observed() accessor attribute: string
+  @observed() accessor value: string | number | boolean
+  @observed() accessor operator: MatchResourceAttributeOperator
+
+  constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchResourceAttributeAccessRuleSchema> = {}) {
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.FETCH,
+        search: AccessRuleExecutionPhase.FETCH,
+        read: AccessRuleExecutionPhase.POST_FETCH,
+        update: AccessRuleExecutionPhase.POST_FETCH,
+        delete: AccessRuleExecutionPhase.POST_FETCH,
+      },
+      state
+    )
+    this.type = 'matchResourceAttribute'
+    this.attribute = state.attribute ?? ''
+    this.value = state.value ?? ''
+    this.operator = state.operator ?? 'equal'
+  }
+
+  override toJSON(): MatchResourceAttributeAccessRuleSchema {
+    const json: MatchResourceAttributeAccessRuleSchema = {
+      ...(super.toJSON() as MatchResourceAttributeAccessRuleSchema),
+      attribute: this.attribute,
+      value: this.value,
+    }
+    if (this.operator) {
+      json.operator = this.operator
+    }
+    return json
+  }
+}

package/src/modeling/rules/MatchResourceOwner.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 import { observed } from '../../decorators/observed.js'
 
 /**
@@ -42,7 +42,17 @@ export class MatchResourceOwnerAccessRule extends AccessRule implements MatchRes
   @observed() accessor target: 'property' | 'user-entity'
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchResourceOwnerAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.FETCH,
+        search: AccessRuleExecutionPhase.FETCH,
+        read: AccessRuleExecutionPhase.POST_FETCH,
+        update: AccessRuleExecutionPhase.POST_FETCH,
+        delete: AccessRuleExecutionPhase.POST_FETCH,
+      },
+      state
+    )
     this.type = 'matchResourceOwner'
     this.property = state.property
     this.target = state.target ?? 'property'

package/src/modeling/rules/MatchUserProperty.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 import { observed } from '../../decorators/observed.js'
 
 /**
@@ -31,7 +31,18 @@ export class MatchUserPropertyAccessRule extends AccessRule implements MatchUser
   @observed() accessor value: string
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchUserPropertyAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.PRE_FETCH,
+        create: AccessRuleExecutionPhase.PRE_FETCH,
+        search: AccessRuleExecutionPhase.PRE_FETCH,
+        read: AccessRuleExecutionPhase.PRE_FETCH,
+        update: AccessRuleExecutionPhase.PRE_FETCH,
+        delete: AccessRuleExecutionPhase.PRE_FETCH,
+      },
+      state
+    )
     this.type = 'matchUserProperty'
     this.property = state.property ?? ''
     this.value = state.value ?? ''

package/src/modeling/rules/MatchUserRole.ts

@@ -1,7 +1,7 @@
 import type { Action } from '../actions/Action.js'
 import type { ApiModel } from '../ApiModel.js'
 import type { ExposedEntity } from '../ExposedEntity.js'
-import { AccessRule, type AccessRuleSchema } from './AccessRule.js'
+import { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'
 import { observed, toRaw } from '../../decorators/observed.js'
 
 /**
@@ -32,7 +32,18 @@ export class MatchUserRoleAccessRule extends AccessRule implements MatchUserRole
   @observed({ deep: true }) accessor role: string[]
 
   constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchUserRoleAccessRuleSchema> = {}) {
-    super(parent, state)
+    super(
+      parent,
+      {
+        list: AccessRuleExecutionPhase.PRE_FETCH,
+        create: AccessRuleExecutionPhase.PRE_FETCH,
+        search: AccessRuleExecutionPhase.PRE_FETCH,
+        read: AccessRuleExecutionPhase.PRE_FETCH,
+        update: AccessRuleExecutionPhase.PRE_FETCH,
+        delete: AccessRuleExecutionPhase.PRE_FETCH,
+      },
+      state
+    )
     this.type = 'matchUserRole'
     this.role = state.role ? [...state.role] : []
   }