npm - @zenstackhq/plugin-policy - Versions diffs - 3.0.0-beta.19 → 3.0.0-beta.20 - Mend

@zenstackhq/plugin-policy 3.0.0-beta.19 → 3.0.0-beta.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { ExpressionWrapper as ExpressionWrapper2, ValueNode as ValueNode4 } from
 // src/policy-handler.ts
 import { invariant as invariant3 } from "@zenstackhq/common-helpers";
-import { getCrudDialect as getCrudDialect2, InternalError as InternalError2, QueryError as QueryError2, QueryUtils as QueryUtils2, RejectedByPolicyError, RejectedByPolicyReason, SchemaUtils } from "@zenstackhq/orm";
+import { getCrudDialect as getCrudDialect2, QueryUtils as QueryUtils2, RejectedByPolicyReason, SchemaUtils } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils4 } from "@zenstackhq/orm/schema";
 import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode2, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
 import { match as match3 } from "ts-pattern";
@@ -34,7 +34,7 @@ var ColumnCollector = class extends KyselyUtils.DefaultOperationNodeVisitor {
 // src/expression-transformer.ts
 import { invariant as invariant2 } from "@zenstackhq/common-helpers";
-import { getCrudDialect, InternalError, QueryError, QueryUtils } from "@zenstackhq/orm";
+import { getCrudDialect, QueryUtils } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils3 } from "@zenstackhq/orm/schema";
 import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode, expressionBuilder, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
 import { match as match2 } from "ts-pattern";
@@ -111,6 +111,7 @@ var ExpressionEvaluator = class {
 };
 // src/utils.ts
+import { ORMError, ORMErrorReason } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils2 } from "@zenstackhq/orm/schema";
 import { AliasNode, AndNode, BinaryOperationNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
 function trueNode(dialect) {
@@ -212,6 +213,17 @@ function isBeforeInvocation(expr2) {
   return ExpressionUtils2.isCall(expr2) && expr2.function === "before";
 }
 __name(isBeforeInvocation, "isBeforeInvocation");
+function createRejectedByPolicyError(model, reason, message) {
+  const err = new ORMError(ORMErrorReason.REJECTED_BY_POLICY, message ?? "operation is rejected by access policies");
+  err.rejectedByPolicyReason = reason;
+  err.model = model;
+  return err;
+}
+__name(createRejectedByPolicyError, "createRejectedByPolicyError");
+function createUnsupportedError(message) {
+  return new ORMError(ORMErrorReason.NOT_SUPPORTED, message);
+}
+__name(createUnsupportedError, "createUnsupportedError");
 // src/expression-transformer.ts
 function _ts_decorate(decorators, target, key, desc) {
@@ -256,7 +268,7 @@ var ExpressionTransformer = class {
   }
   get authType() {
     if (!this.schema.authType) {
-      throw new InternalError('Schema does not have an "authType" specified');
+      invariant2(false, 'Schema does not have an "authType" specified');
     }
     return this.schema.authType;
   }
@@ -424,7 +436,7 @@ var ExpressionTransformer = class {
   }
   transformAuthBinary(expr2, context) {
     if (expr2.op !== "==" && expr2.op !== "!=") {
-      throw new QueryError(`Unsupported operator for \`auth()\` in policy of model "${context.model}": ${expr2.op}`);
+      throw createUnsupportedError(`Unsupported operator for \`auth()\` in policy of model "${context.model}": ${expr2.op}`);
     }
     let authExpr;
     let other;
@@ -440,7 +452,7 @@ var ExpressionTransformer = class {
     } else {
       const authModel = QueryUtils.getModel(this.schema, this.authType);
       if (!authModel) {
-        throw new QueryError(`Unsupported use of \`auth()\` in policy of model "${context.model}", comparing with \`auth()\` is only possible when auth type is a model`);
+        throw createUnsupportedError(`Unsupported use of \`auth()\` in policy of model "${context.model}", comparing with \`auth()\` is only possible when auth type is a model`);
       }
       const idFields = Object.values(authModel.fields).filter((f) => f.id).map((f) => f.name);
       invariant2(idFields.length > 0, "auth type model must have at least one id field");
@@ -490,7 +502,7 @@ var ExpressionTransformer = class {
   transformCall(expr2, context) {
     const func = this.getFunctionImpl(expr2.function);
     if (!func) {
-      throw new QueryError(`Function not implemented: ${expr2.function}`);
+      throw createUnsupportedError(`Function not implemented: ${expr2.function}`);
     }
     const eb = expressionBuilder();
     return func(eb, (expr2.args ?? []).map((arg) => this.transformCallArg(eb, arg, context)), {
@@ -527,7 +539,7 @@ var ExpressionTransformer = class {
       const valNode = this.valueMemberAccess(this.auth, arg, this.authType);
       return valNode ? eb.val(valNode.value) : eb.val(null);
     }
-    throw new InternalError(`Unsupported argument expression: ${arg.kind}`);
+    throw createUnsupportedError(`Unsupported argument expression: ${arg.kind}`);
   }
   _member(expr2, context) {
     if (this.isAuthCall(expr2.receiver)) {
@@ -799,7 +811,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   async handle(node, proceed) {
     if (!this.isCrudQueryNode(node)) {
-      throw new RejectedByPolicyError(void 0, RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
+      throw createRejectedByPolicyError(void 0, RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
     }
     if (!this.isMutationQueryNode(node)) {
       return proceed(this.transformNode(node));
@@ -813,7 +825,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
         if (constCondition === true) {
           needCheckPreCreate = false;
         } else if (constCondition === false) {
-          throw new RejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS);
+          throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS);
         }
       }
       if (needCheckPreCreate) {
@@ -833,7 +845,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
         for (const postRow of result.rows) {
           const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
           if (!beforeRow) {
-            throw new QueryError2("Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
+            throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
           }
         }
       }
@@ -864,7 +876,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       }));
       const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
       if (!postUpdateResult.rows[0]?.$condition) {
-        throw new RejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
+        throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
       }
     }
     if (!node.returning || this.onlyReturningId(node)) {
@@ -872,7 +884,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     } else {
       const readBackResult = await this.processReadBack(node, result, proceed);
       if (readBackResult.rows.length !== result.rows.length) {
-        throw new RejectedByPolicyError(mutationModel, RejectedByPolicyReason.CANNOT_READ_BACK, "result is not allowed to be read back");
+        throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.CANNOT_READ_BACK, "result is not allowed to be read back");
       }
       return readBackResult;
     }
@@ -1131,10 +1143,10 @@ var PolicyHandler = class extends OperationNodeTransformer {
     };
     const result = await proceed(queryNode);
     if (!result.rows[0]?.$conditionA) {
-      throw new RejectedByPolicyError(m2m.firstModel, RejectedByPolicyReason.CANNOT_READ_BACK, `many-to-many relation participant model "${m2m.firstModel}" not updatable`);
+      throw createRejectedByPolicyError(m2m.firstModel, RejectedByPolicyReason.CANNOT_READ_BACK, `many-to-many relation participant model "${m2m.firstModel}" not updatable`);
     }
     if (!result.rows[0]?.$conditionB) {
-      throw new RejectedByPolicyError(m2m.secondModel, RejectedByPolicyReason.NO_ACCESS, `many-to-many relation participant model "${m2m.secondModel}" not updatable`);
+      throw createRejectedByPolicyError(m2m.secondModel, RejectedByPolicyReason.NO_ACCESS, `many-to-many relation participant model "${m2m.secondModel}" not updatable`);
     }
   }
   async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
@@ -1176,7 +1188,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     };
     const result = await proceed(preCreateCheck);
     if (!result.rows[0]?.$condition) {
-      throw new RejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
+      throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
     }
   }
   unwrapCreateValueRows(node, model, fields, isManyToManyJoinTable) {
@@ -1187,7 +1199,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
         this.unwrapCreateValueRow(node.values, model, fields, isManyToManyJoinTable)
       ];
     } else {
-      throw new InternalError2(`Unexpected node kind: ${node.kind} for unwrapping create values`);
+      invariant3(false, `Unexpected node kind: ${node.kind} for unwrapping create values`);
     }
   }
   unwrapCreateValueRow(data, model, fields, isImplicitManyToManyJoinTable) {
@@ -1278,7 +1290,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       alias: void 0
     })).when(UpdateQueryNode.is, (node2) => {
       if (!node2.table) {
-        throw new QueryError2("Update query must have a table");
+        invariant3(false, "Update query must have a table");
       }
       const r2 = this.extractTableName(node2.table);
       return r2 ? {
@@ -1287,7 +1299,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       } : void 0;
     }).when(DeleteQueryNode.is, (node2) => {
       if (node2.from.froms.length !== 1) {
-        throw new QueryError2("Only one from table is supported for delete");
+        throw createUnsupportedError("Only one from table is supported for delete");
       }
       const r2 = this.extractTableName(node2.from.froms[0]);
       return r2 ? {
@@ -1296,7 +1308,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       } : void 0;
     }).exhaustive();
     if (!r) {
-      throw new InternalError2(`Unable to get table name for query node: ${node}`);
+      invariant3(false, `Unable to get table name for query node: ${node}`);
     }
     return r;
   }