npm - @sladkoff/kysely-access-control - Versions diffs - 0.0.9 → 0.0.10 - Mend

@sladkoff/kysely-access-control 0.0.9 → 0.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +40 -0
package/dist/src/kyselyAccessControl.d.ts +18 -1
package/dist/src/kyselyAccessControl.js +51 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -215,6 +215,8 @@ For example, the following pattern will not work:
 Use the full table name without aliases in subqueries to ensure proper permission enforcement.
+**Note**: If you need to use table aliases in a subquery and want to bypass access control, you can use `bypassAccessControl()` to skip the checks, but this should be done with caution as it may introduce security risks.
 # Features
 ## Table/Column Statement Type + Context Controls
@@ -288,6 +290,44 @@ If you choose this option, the column you select will be omitted from the query,
 This also works for `returning` clauses as well, whether they are on a top level insert, update, or delete statement.
+## Bypassing Access Control for Subqueries
+In some cases, you may want to embed a subquery that should bypass access control checks. This is useful when:
+1. **Embedding queries from a different context**: You want to include data from a table that the current user doesn't have access to, but you've already validated the access at a higher level.
+2. **Performance optimization**: You want to avoid redundant access control checks on subqueries that you know are safe.
+3. **Complex query patterns**: You're building complex queries where some subqueries need different access control behavior.
+Use the `bypassAccessControl()` helper function to mark a query builder so that its subquery will skip access control enforcement:
+```typescript
+import { bypassAccessControl, createAccessControlPlugin } from 'kysely-access-control';
+import { jsonArrayFrom } from 'kysely/helpers/postgres';
+const plugin = createAccessControlPlugin(guard);
+// In a query with access control
+const result = await db
+  .withPlugin(plugin)
+  .selectFrom("person")
+  .select((qb) => {
+    // This subquery will bypass access control checks
+    const rsvps = bypassAccessControl(qb.selectFrom("rsvp").select("id"));
+    return [
+      "person.first_name",
+      "person.last_name",
+      jsonArrayFrom(rsvps).as("rsvps"),
+    ];
+  })
+  .execute();
+```
+**Important Notes:**
+- `bypassAccessControl()` only affects the specific query builder it wraps. Other parts of the query still have access control enforced.
+- Use this feature carefully - bypassing access control can introduce security vulnerabilities if not used correctly.
+- The function works by marking the query builder, so it must be called before the query builder is used in `jsonArrayFrom`/`jsonObjectFrom` or other subquery contexts.
 # Contributing
 The most helpful form of contribution right now would be additional tests on complex queries in your

package/dist/src/kyselyAccessControl.d.ts CHANGED Viewed

@@ -1,7 +1,24 @@
-import { ColumnNode, ExpressionWrapper, KyselyPlugin, TableNode, SqlBool } from "kysely";
+import { ColumnNode, ExpressionWrapper, KyselyPlugin, TableNode, OperationNode, SqlBool } from "kysely";
 export declare const Allow: "allow";
 export declare const Deny: "deny";
 export declare const Omit: "omit";
+/**
+ * Marks a query builder to bypass access control when used in subqueries.
+ * Use this for query builders created from `db` (without plugin) that you want
+ * to embed via jsonArrayFrom/jsonObjectFrom.
+ *
+ * This works by wrapping the query builder in a proxy that intercepts
+ * `.toOperationNode()` and marks the resulting node in a WeakMap.
+ *
+ * @example
+ * ```typescript
+ * const rsvps = bypassAccessControl(db.selectFrom("rsvp").select("id"));
+ * return [jsonArrayFrom(rsvps).as("rsvps")];
+ * ```
+ */
+export declare function bypassAccessControl<T extends {
+    toOperationNode(): OperationNode;
+}>(qb: T): T;
 type TAllow = typeof Allow;
 type TDeny = typeof Deny;
 type TOmit = typeof Omit;

package/dist/src/kyselyAccessControl.js CHANGED Viewed

@@ -3,12 +3,56 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAccessControlPlugin = exports.throwIfDenyWithReason = exports.TableUsageContext = exports.ColumnUsageContext = exports.StatementType = exports.Omit = exports.Deny = exports.Allow = void 0;
+exports.createAccessControlPlugin = exports.throwIfDenyWithReason = exports.TableUsageContext = exports.ColumnUsageContext = exports.StatementType = exports.bypassAccessControl = exports.Omit = exports.Deny = exports.Allow = void 0;
 const kysely_1 = require("kysely");
 const tiny_invariant_1 = __importDefault(require("tiny-invariant"));
 exports.Allow = "allow";
 exports.Deny = "deny";
 exports.Omit = "omit";
+// WeakMap to track OperationNodes that should bypass access control
+const bypassAccessControlNodes = new WeakMap();
+/**
+ * Marks a query builder to bypass access control when used in subqueries.
+ * Use this for query builders created from `db` (without plugin) that you want
+ * to embed via jsonArrayFrom/jsonObjectFrom.
+ *
+ * This works by wrapping the query builder in a proxy that intercepts
+ * `.toOperationNode()` and marks the resulting node in a WeakMap.
+ *
+ * @example
+ * ```typescript
+ * const rsvps = bypassAccessControl(db.selectFrom("rsvp").select("id"));
+ * return [jsonArrayFrom(rsvps).as("rsvps")];
+ * ```
+ */
+function bypassAccessControl(qb) {
+    return new Proxy(qb, {
+        get(target, prop) {
+            if (prop === "toOperationNode") {
+                return () => {
+                    const node = target.toOperationNode();
+                    // Mark the node to bypass access control in WeakMap
+                    bypassAccessControlNodes.set(node, true);
+                    return node;
+                };
+            }
+            const value = target[prop];
+            // If it's a function that returns a query builder, wrap it too
+            if (typeof value === "function" && prop !== "toOperationNode") {
+                return (...args) => {
+                    const result = value.apply(target, args);
+                    // If the result is a query builder-like object, wrap it
+                    if (result && typeof result === "object" && "toOperationNode" in result) {
+                        return bypassAccessControl(result);
+                    }
+                    return result;
+                };
+            }
+            return value;
+        },
+    });
+}
+exports.bypassAccessControl = bypassAccessControl;
 var StatementType;
 (function (StatementType) {
     StatementType["Select"] = "select";
@@ -164,6 +208,12 @@ const createAccessControlPlugin = (guard) => {
         transformSelectQuery(node) {
             var _a;
             const { from: fromNode, selections, joins, where } = node;
+            // Skip access control for nested subqueries that were explicitly marked to bypass
+            // This happens when a query builder is wrapped with bypassAccessControl()
+            if (bypassAccessControlNodes.has(node)) {
+                // This subquery was marked to bypass access control, skip enforcement
+                return super.transformSelectQuery(node);
+            }
             if (!fromNode) {
                 // This covers queries such as select 1, or select following only by subselects
                 // We do nothing here

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "index.ts",
-  "version": "0.0.9",
+  "version": "0.0.10",
   "scripts": {
     "compile": "tsc -p tsconfig.build.json"
   },