@sladkoff/kysely-access-control 0.0.9 → 0.0.11

package/README.md

@@ -215,6 +215,8 @@ For example, the following pattern will not work:
 
 Use the full table name without aliases in subqueries to ensure proper permission enforcement.
 
+**Note**: If you need to use table aliases in a subquery and want to bypass access control, you can use `bypassAccessControl()` to skip the checks, but this should be done with caution as it may introduce security risks.
+
 # Features
 
 ## Table/Column Statement Type + Context Controls
@@ -288,6 +290,44 @@ If you choose this option, the column you select will be omitted from the query,
 
 This also works for `returning` clauses as well, whether they are on a top level insert, update, or delete statement.
 
+## Bypassing Access Control for Subqueries
+
+In some cases, you may want to embed a subquery that should bypass access control checks. This is useful when:
+
+1. **Embedding queries from a different context**: You want to include data from a table that the current user doesn't have access to, but you've already validated the access at a higher level.
+2. **Performance optimization**: You want to avoid redundant access control checks on subqueries that you know are safe.
+3. **Complex query patterns**: You're building complex queries where some subqueries need different access control behavior.
+
+Use the `bypassAccessControl()` helper function to mark a query builder so that its subquery will skip access control enforcement:
+
+```typescript
+import { bypassAccessControl, createAccessControlPlugin } from 'kysely-access-control';
+import { jsonArrayFrom } from 'kysely/helpers/postgres';
+
+const plugin = createAccessControlPlugin(guard);
+
+// In a query with access control
+const result = await db
+  .withPlugin(plugin)
+  .selectFrom("person")
+  .select((qb) => {
+    // This subquery will bypass access control checks
+    const rsvps = bypassAccessControl(qb.selectFrom("rsvp").select("id"));
+    
+    return [
+      "person.first_name",
+      "person.last_name",
+      jsonArrayFrom(rsvps).as("rsvps"),
+    ];
+  })
+  .execute();
+```
+
+**Important Notes:**
+- `bypassAccessControl()` only affects the specific query builder it wraps. Other parts of the query still have access control enforced.
+- Use this feature carefully - bypassing access control can introduce security vulnerabilities if not used correctly.
+- The function works by marking the query builder, so it must be called before the query builder is used in `jsonArrayFrom`/`jsonObjectFrom` or other subquery contexts.
+
 # Contributing
 
 The most helpful form of contribution right now would be additional tests on complex queries in your

package/dist/src/kyselyAccessControl.d.ts

@@ -1,7 +1,24 @@
-import { ColumnNode, ExpressionWrapper, KyselyPlugin, TableNode, SqlBool } from "kysely";
+import { ColumnNode, ExpressionWrapper, KyselyPlugin, TableNode, OperationNode, SqlBool } from "kysely";
 export declare const Allow: "allow";
 export declare const Deny: "deny";
 export declare const Omit: "omit";
+/**
+ * Marks a query builder to bypass access control when used in subqueries.
+ * Use this for query builders created from `db` (without plugin) that you want
+ * to embed via jsonArrayFrom/jsonObjectFrom.
+ *
+ * This works by wrapping the query builder in a proxy that intercepts
+ * `.toOperationNode()` and marks the resulting node in a WeakMap.
+ *
+ * @example
+ * ```typescript
+ * const rsvps = bypassAccessControl(db.selectFrom("rsvp").select("id"));
+ * return [jsonArrayFrom(rsvps).as("rsvps")];
+ * ```
+ */
+export declare function bypassAccessControl<T extends {
+    toOperationNode(): OperationNode;
+}>(qb: T): T;
 type TAllow = typeof Allow;
 type TDeny = typeof Deny;
 type TOmit = typeof Omit;

package/dist/src/kyselyAccessControl.js

@@ -3,12 +3,56 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAccessControlPlugin = exports.throwIfDenyWithReason = exports.TableUsageContext = exports.ColumnUsageContext = exports.StatementType = exports.Omit = exports.Deny = exports.Allow = void 0;
+exports.createAccessControlPlugin = exports.throwIfDenyWithReason = exports.TableUsageContext = exports.ColumnUsageContext = exports.StatementType = exports.bypassAccessControl = exports.Omit = exports.Deny = exports.Allow = void 0;
 const kysely_1 = require("kysely");
 const tiny_invariant_1 = __importDefault(require("tiny-invariant"));
 exports.Allow = "allow";
 exports.Deny = "deny";
 exports.Omit = "omit";
+// WeakMap to track OperationNodes that should bypass access control
+const bypassAccessControlNodes = new WeakMap();
+/**
+ * Marks a query builder to bypass access control when used in subqueries.
+ * Use this for query builders created from `db` (without plugin) that you want
+ * to embed via jsonArrayFrom/jsonObjectFrom.
+ *
+ * This works by wrapping the query builder in a proxy that intercepts
+ * `.toOperationNode()` and marks the resulting node in a WeakMap.
+ *
+ * @example
+ * ```typescript
+ * const rsvps = bypassAccessControl(db.selectFrom("rsvp").select("id"));
+ * return [jsonArrayFrom(rsvps).as("rsvps")];
+ * ```
+ */
+function bypassAccessControl(qb) {
+    return new Proxy(qb, {
+        get(target, prop) {
+            if (prop === "toOperationNode") {
+                return () => {
+                    const node = target.toOperationNode();
+                    // Mark the node to bypass access control in WeakMap
+                    bypassAccessControlNodes.set(node, true);
+                    return node;
+                };
+            }
+            const value = target[prop];
+            // If it's a function that returns a query builder, wrap it too
+            if (typeof value === "function" && prop !== "toOperationNode") {
+                return (...args) => {
+                    const result = value.apply(target, args);
+                    // If the result is a query builder-like object, wrap it
+                    if (result && typeof result === "object" && "toOperationNode" in result) {
+                        return bypassAccessControl(result);
+                    }
+                    return result;
+                };
+            }
+            return value;
+        },
+    });
+}
+exports.bypassAccessControl = bypassAccessControl;
 var StatementType;
 (function (StatementType) {
     StatementType["Select"] = "select";
@@ -164,6 +208,12 @@ const createAccessControlPlugin = (guard) => {
         transformSelectQuery(node) {
             var _a;
             const { from: fromNode, selections, joins, where } = node;
+            // Skip access control for nested subqueries that were explicitly marked to bypass
+            // This happens when a query builder is wrapped with bypassAccessControl()
+            if (bypassAccessControlNodes.has(node)) {
+                // This subquery was marked to bypass access control, skip enforcement
+                return super.transformSelectQuery(node);
+            }
             if (!fromNode) {
                 // This covers queries such as select 1, or select following only by subselects
                 // We do nothing here
@@ -174,8 +224,17 @@ const createAccessControlPlugin = (guard) => {
             (0, tiny_invariant_1.default)(kysely_1.TableNode.is(tableNode), "kysely-access-control: currently only select from table/view is supported");
             (0, tiny_invariant_1.default)(selections !== undefined, "kysely-access-control: selections should be defined");
             const table = tableNode.table;
+            const tableName = table.identifier.name;
+            // Check if this table is a CTE that should bypass access control
+            const bypassedCteNames = this._getBypassedCteNames();
+            if (bypassedCteNames.has(tableName)) {
+                // This is a bypassed CTE, skip all access control enforcement
+                // The CTE query already handled access control (or bypassed it)
+                // Just pass through the query without additional checks
+                return super.transformSelectQuery(node);
+            }
             const guardResult = fullGuard.table(table, StatementType.Select, TableUsageContext.TableTopLevel);
-            (0, exports.throwIfDenyWithReason)(guardResult, `SELECT denied on table ${((_a = table.schema) === null || _a === void 0 ? void 0 : _a.name) ? `${table.schema.name}.` : ""}${table.identifier.name}`);
+            (0, exports.throwIfDenyWithReason)(guardResult, `SELECT denied on table ${((_a = table.schema) === null || _a === void 0 ? void 0 : _a.name) ? `${table.schema.name}.` : ""}${tableName}`);
             /* COLUMN ENFORCEMENT */
             // Some selected columns include a table, some don't
             // If there's no joins and therefore only one valid relation to reference
@@ -352,6 +411,36 @@ const createAccessControlPlugin = (guard) => {
             }
             throw new Error("_topLevelHasMoreThanOneTable called with something that is not a select, update, or delete query");
         }
+        /**
+         * Get the set of CTE names that should bypass access control.
+         * Traverses up the node stack to find the top-level query with a `with` clause,
+         * then checks which CTEs have their query nodes marked in bypassAccessControlNodes.
+         */
+        _getBypassedCteNames() {
+            var _a, _b, _c, _d, _e;
+            const bypassedCteNames = new Set();
+            // Traverse up the node stack to find the top-level query with a `with` clause
+            for (let i = this.nodeStack.length - 1; i >= 0; i--) {
+                const node = this.nodeStack[i];
+                if (kysely_1.SelectQueryNode.is(node) && ((_a = node.with) === null || _a === void 0 ? void 0 : _a.expressions)) {
+                    // Found a query with CTEs, check which ones are bypassed
+                    for (const cteExpression of node.with.expressions) {
+                        // Extract CTE name from the expression
+                        // Structure: cteExpression.name.table.table.identifier.name
+                        const cteName = (_e = (_d = (_c = (_b = cteExpression.name) === null || _b === void 0 ? void 0 : _b.table) === null || _c === void 0 ? void 0 : _c.table) === null || _d === void 0 ? void 0 : _d.identifier) === null || _e === void 0 ? void 0 : _e.name;
+                        if (cteName && kysely_1.SelectQueryNode.is(cteExpression.expression)) {
+                            // Check if this CTE's query node is marked to bypass access control
+                            if (bypassAccessControlNodes.has(cteExpression.expression)) {
+                                bypassedCteNames.add(cteName);
+                            }
+                        }
+                    }
+                    // Only check the top-level query's with clause, so break after finding it
+                    break;
+                }
+            }
+            return bypassedCteNames;
+        }
         /**
          * Get the table node for a top level query type (select, update, delete, or insert)
          */

package/package.json

@@ -3,7 +3,7 @@
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "index.ts",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "scripts": {
     "compile": "tsc -p tsconfig.build.json"
   },
@@ -12,8 +12,8 @@
     "typescript": "^5.2.2"
   },
   "peerDependencies": {
-    "typescript": "^5.0.0",
-    "kysely": "^0.26.3"
+    "kysely": "^0.26.3",
+    "typescript": "^5.0.0"
   },
   "dependencies": {
     "tiny-invariant": "^1.3.1"