@zenstackhq/plugin-policy 3.1.0 → 3.2.0

package/dist/index.js

@@ -10,7 +10,7 @@ import { ExpressionWrapper as ExpressionWrapper2, ValueNode as ValueNode4 } from
 import { invariant as invariant3 } from "@zenstackhq/common-helpers";
 import { getCrudDialect as getCrudDialect2, QueryUtils as QueryUtils2, RejectedByPolicyReason, SchemaUtils as SchemaUtils2 } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils4 } from "@zenstackhq/orm/schema";
-import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode2, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
+import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
 import { match as match3 } from "ts-pattern";
 
 // src/column-collector.ts
@@ -36,7 +36,7 @@ var ColumnCollector = class extends KyselyUtils.DefaultOperationNodeVisitor {
 import { invariant as invariant2 } from "@zenstackhq/common-helpers";
 import { getCrudDialect, QueryUtils, SchemaUtils } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils3 } from "@zenstackhq/orm/schema";
-import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode, expressionBuilder, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
+import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode as ColumnNode2, expressionBuilder, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
 import { match as match2 } from "ts-pattern";
 
 // src/expression-evaluator.ts
@@ -126,7 +126,7 @@ var CollectionPredicateOperator = [
 // src/utils.ts
 import { ORMError, ORMErrorReason } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils2 } from "@zenstackhq/orm/schema";
-import { AliasNode, AndNode, BinaryOperationNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
+import { AliasNode, AndNode, BinaryOperationNode, ColumnNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
 function trueNode(dialect) {
   return ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
 }
@@ -627,7 +627,7 @@ var ExpressionTransformer = class {
     if (isBeforeInvocation(expr2.receiver)) {
       invariant2(context.operation === "post-update", "before() can only be used in post-update policy");
       invariant2(expr2.members.length === 1, "before() can only be followed by a scalar field access");
-      return ReferenceNode2.create(ColumnNode.create(expr2.members[0]), TableNode2.create("$before"));
+      return ReferenceNode2.create(ColumnNode2.create(expr2.members[0]), TableNode2.create("$before"));
     }
     invariant2(ExpressionUtils3.isField(expr2.receiver) || ExpressionUtils3.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
     let members = expr2.members;
@@ -697,7 +697,7 @@ var ExpressionTransformer = class {
       } else {
         invariant2(i === members.length - 1, "plain field access must be the last segment");
         invariant2(!currNode, "plain field access must be the last segment");
-        currNode = ColumnNode.create(member);
+        currNode = ColumnNode2.create(member);
       }
     }
     return {
@@ -739,14 +739,14 @@ var ExpressionTransformer = class {
     let condition;
     if (ownedByModel) {
       condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => {
-        let fkRef = ReferenceNode2.create(ColumnNode.create(fk), TableNode2.create(context.alias ?? fromModel));
+        let fkRef = ReferenceNode2.create(ColumnNode2.create(fk), TableNode2.create(context.alias ?? fromModel));
         if (relationFieldDef.originModel && relationFieldDef.originModel !== fromModel) {
           fkRef = this.buildDelegateBaseFieldSelect(fromModel, context.alias ?? fromModel, fk, relationFieldDef.originModel);
         }
-        return BinaryOperationNode2.create(fkRef, OperatorNode2.create("="), ReferenceNode2.create(ColumnNode.create(pk), TableNode2.create(relationModel)));
+        return BinaryOperationNode2.create(fkRef, OperatorNode2.create("="), ReferenceNode2.create(ColumnNode2.create(pk), TableNode2.create(relationModel)));
       }));
     } else {
-      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode.create(pk), TableNode2.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode.create(fk), TableNode2.create(relationModel)))));
+      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode2.create(pk), TableNode2.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode2.create(fk), TableNode2.create(relationModel)))));
     }
     return {
       kind: "SelectQueryNode",
@@ -764,11 +764,11 @@ var ExpressionTransformer = class {
   createColumnRef(column, context) {
     const tableName = context.alias ?? context.modelOrType;
     if (context.operation === "create") {
-      return ReferenceNode2.create(ColumnNode.create(column), TableNode2.create(tableName));
+      return ReferenceNode2.create(ColumnNode2.create(column), TableNode2.create(tableName));
     }
     const fieldDef = QueryUtils.requireField(this.schema, context.modelOrType, column);
     if (!fieldDef.originModel || fieldDef.originModel === context.modelOrType) {
-      return ReferenceNode2.create(ColumnNode.create(column), TableNode2.create(tableName));
+      return ReferenceNode2.create(ColumnNode2.create(column), TableNode2.create(tableName));
     }
     return this.buildDelegateBaseFieldSelect(context.modelOrType, tableName, column, fieldDef.originModel);
   }
@@ -780,9 +780,9 @@ var ExpressionTransformer = class {
         TableNode2.create(baseModel)
       ]),
       selections: [
-        SelectionNode.create(ReferenceNode2.create(ColumnNode.create(field), TableNode2.create(baseModel)))
+        SelectionNode.create(ReferenceNode2.create(ColumnNode2.create(field), TableNode2.create(baseModel)))
       ],
-      where: WhereNode.create(conjunction(this.dialect, idFields.map((idField) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode.create(idField), TableNode2.create(baseModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode.create(idField), TableNode2.create(modelAlias))))))
+      where: WhereNode.create(conjunction(this.dialect, idFields.map((idField) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode2.create(idField), TableNode2.create(baseModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode2.create(idField), TableNode2.create(modelAlias))))))
     };
   }
   isAuthCall(value) {
@@ -903,6 +903,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
   get kysely() {
     return this.client.$qb;
   }
+  // #region main entry point
   async handle(node, proceed) {
     if (!this.isCrudQueryNode(node)) {
       throw createRejectedByPolicyError(void 0, RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
@@ -913,19 +914,10 @@ var PolicyHandler = class extends OperationNodeTransformer {
     const { mutationModel } = this.getMutationModel(node);
     this.tryRejectNonexistentModel(mutationModel);
     if (InsertQueryNode.is(node)) {
-      const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
-      let needCheckPreCreate = true;
-      if (!isManyToManyJoinTable) {
-        const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
-        if (constCondition === true) {
-          needCheckPreCreate = false;
-        } else if (constCondition === false) {
-          throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS);
-        }
-      }
-      if (needCheckPreCreate) {
-        await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
-      }
+      await this.preCreateCheck(mutationModel, node, proceed);
+    }
+    if (UpdateQueryNode.is(node)) {
+      await this.preUpdateCheck(mutationModel, node, proceed);
     }
     const hasPostUpdatePolicies = UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
     let beforeUpdateInfo;
@@ -984,94 +976,85 @@ var PolicyHandler = class extends OperationNodeTransformer {
       return readBackResult;
     }
   }
-  // correction to kysely mutation result may be needed because we might have added
-  // returning clause to the query and caused changes to the result shape
-  postProcessMutationResult(result, node) {
-    if (node.returning) {
-      return result;
-    } else {
-      return {
-        ...result,
-        rows: [],
-        numAffectedRows: result.numAffectedRows ?? BigInt(result.rows.length)
-      };
+  async preCreateCheck(mutationModel, node, proceed) {
+    const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
+    let needCheckPreCreate = true;
+    if (!isManyToManyJoinTable) {
+      const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
+      if (constCondition === true) {
+        needCheckPreCreate = false;
+      } else if (constCondition === false) {
+        throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS);
+      }
     }
-  }
-  hasPostUpdatePolicies(model) {
-    const policies = this.getModelPolicies(model, "post-update");
-    return policies.length > 0;
-  }
-  async loadBeforeUpdateEntities(model, where, proceed) {
-    const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
-    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
-      return void 0;
+    if (needCheckPreCreate) {
+      await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
     }
-    const policyFilter = this.buildPolicyFilter(model, model, "update");
-    const combinedFilter = where ? conjunction(this.dialect, [
-      where.where,
-      policyFilter
-    ]) : policyFilter;
-    const query = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        TableNode3.create(model)
-      ]),
-      where: WhereNode2.create(combinedFilter),
-      selections: [
-        ...beforeUpdateAccessFields.map((f) => SelectionNode2.create(ColumnNode2.create(f)))
-      ]
-    };
-    const result = await proceed(query);
-    return {
-      fields: beforeUpdateAccessFields,
-      rows: result.rows
-    };
   }
-  getFieldsAccessForBeforeUpdatePolicies(model) {
-    const policies = this.getModelPolicies(model, "post-update");
-    if (policies.length === 0) {
-      return void 0;
-    }
-    const fields = /* @__PURE__ */ new Set();
-    const fieldCollector = new class extends SchemaUtils2.ExpressionVisitor {
-      visitMember(e) {
-        if (isBeforeInvocation(e.receiver)) {
-          invariant3(e.members.length === 1, "before() can only be followed by a scalar field access");
-          fields.add(e.members[0]);
-        }
-        super.visitMember(e);
-      }
-    }();
-    for (const policy of policies) {
-      fieldCollector.visit(policy.condition);
+  async preUpdateCheck(mutationModel, node, proceed) {
+    const fieldsToUpdate = node.updates?.map((u) => ColumnNode3.is(u.column) ? u.column.column.name : void 0).filter((f) => !!f) ?? [];
+    const fieldUpdatePolicies = fieldsToUpdate.map((f) => this.buildFieldPolicyFilter(mutationModel, f, "update"));
+    const fieldLevelFilter = conjunction(this.dialect, fieldUpdatePolicies);
+    if (isTrueNode(fieldLevelFilter)) {
+      return;
     }
-    if (fields.size === 0) {
-      return void 0;
+    const modelLevelFilter = this.buildPolicyFilter(mutationModel, void 0, "update");
+    const updateFilter = conjunction(this.dialect, [
+      modelLevelFilter,
+      node.where?.where ?? trueNode(this.dialect)
+    ]);
+    const preUpdateCheckQuery = expressionBuilder2().selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(eb.cast(new ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)), "integer")), eb.lit(0)).as("$filteredCount")).where(() => new ExpressionWrapper(updateFilter));
+    const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
+    if (preUpdateResult.rows[0].$filteredCount > 0) {
+      throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some rows cannot be updated due to field policies");
     }
-    QueryUtils2.requireIdFields(this.client.$schema, model).forEach((f) => fields.add(f));
-    return Array.from(fields).sort();
   }
-  // #region overrides
+  // #endregion
+  // #region Transformations
   transformSelectQuery(node) {
     if (!node.from) {
       return super.transformSelectQuery(node);
     }
-    let whereNode = this.transformNode(node.where);
-    const policyFilter = this.createPolicyFilterForFrom(node.from);
-    if (policyFilter) {
-      whereNode = WhereNode2.create(whereNode?.where ? conjunction(this.dialect, [
-        whereNode.where,
-        policyFilter
-      ]) : policyFilter);
-    }
-    const baseResult = super.transformSelectQuery({
-      ...node,
-      where: void 0
+    this.tryRejectNonexistingTables(node.from.froms);
+    let result = super.transformSelectQuery(node);
+    const hasFieldLevelPolicies = node.from.froms.some((table) => {
+      const extractedTable = this.extractTableName(table);
+      if (extractedTable) {
+        return this.hasFieldLevelPolicies(extractedTable.model, "read");
+      } else {
+        return false;
+      }
     });
-    return {
-      ...baseResult,
-      where: whereNode
-    };
+    if (hasFieldLevelPolicies) {
+      const updatedFroms = [];
+      for (const table of result.from.froms) {
+        const extractedTable = this.extractTableName(table);
+        if (extractedTable?.model && QueryUtils2.getModel(this.client.$schema, extractedTable.model)) {
+          const { query } = this.createSelectAllFieldsWithPolicies(extractedTable.model, extractedTable.alias, "read");
+          updatedFroms.push(query);
+        } else {
+          updatedFroms.push(table);
+        }
+      }
+      result = {
+        ...result,
+        from: FromNode2.create(updatedFroms)
+      };
+    } else {
+      let whereNode = result.where;
+      const policyFilter = this.createPolicyFilterForFrom(result.from);
+      if (policyFilter && !isTrueNode(policyFilter)) {
+        whereNode = WhereNode2.create(whereNode?.where ? conjunction(this.dialect, [
+          whereNode.where,
+          policyFilter
+        ]) : policyFilter);
+      }
+      result = {
+        ...result,
+        where: whereNode
+      };
+    }
+    return result;
   }
   transformJoin(node) {
     const table = this.extractTableName(node.table);
@@ -1079,20 +1062,17 @@ var PolicyHandler = class extends OperationNodeTransformer {
       return super.transformJoin(node);
     }
     this.tryRejectNonexistentModel(table.model);
-    const filter = this.buildPolicyFilter(table.model, table.alias, "read");
-    const nestedSelect = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        node.table
-      ]),
-      selections: [
-        SelectionNode2.createSelectAll()
-      ],
-      where: WhereNode2.create(filter)
-    };
+    if (!QueryUtils2.getModel(this.client.$schema, table.model)) {
+      return super.transformJoin(node);
+    }
+    const result = super.transformJoin(node);
+    const { hasPolicies, query: nestedQuery } = this.createSelectAllFieldsWithPolicies(table.model, table.alias, "read");
+    if (!hasPolicies) {
+      return result;
+    }
     return {
-      ...node,
-      table: AliasNode3.create(ParensNode2.create(nestedSelect), IdentifierNode2.create(table.alias ?? table.model))
+      ...result,
+      table: nestedQuery
     };
   }
   transformInsertQuery(node) {
@@ -1124,7 +1104,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     if (returning) {
       const { mutationModel } = this.getMutationModel(node);
       const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-      returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode2.create(f))));
+      returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode3.create(f))));
     }
     return {
       ...result,
@@ -1136,6 +1116,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     const { mutationModel, alias } = this.getMutationModel(node);
     let filter = this.buildPolicyFilter(mutationModel, alias, "update");
     if (node.from) {
+      this.tryRejectNonexistingTables(node.from.froms);
       const joinFilter = this.createPolicyFilterForFrom(node.from);
       if (joinFilter) {
         filter = conjunction(this.dialect, [
@@ -1147,7 +1128,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     let returning = result.returning;
     if (returning || this.hasPostUpdatePolicies(mutationModel)) {
       const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-      returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode2.create(f))));
+      returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode3.create(f))));
     }
     return {
       ...result,
@@ -1163,6 +1144,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     const { mutationModel, alias } = this.getMutationModel(node);
     let filter = this.buildPolicyFilter(mutationModel, alias, "delete");
     if (node.using) {
+      this.tryRejectNonexistingTables(node.using.tables);
       const joinFilter = this.createPolicyFilterForTables(node.using.tables);
       if (joinFilter) {
         filter = conjunction(this.dialect, [
@@ -1180,6 +1162,139 @@ var PolicyHandler = class extends OperationNodeTransformer {
     };
   }
   // #endregion
+  // #region post-update
+  async loadBeforeUpdateEntities(model, where, proceed) {
+    const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
+    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+      return void 0;
+    }
+    const policyFilter = this.buildPolicyFilter(model, model, "update");
+    const combinedFilter = where ? conjunction(this.dialect, [
+      where.where,
+      policyFilter
+    ]) : policyFilter;
+    const query = {
+      kind: "SelectQueryNode",
+      from: FromNode2.create([
+        TableNode3.create(model)
+      ]),
+      where: WhereNode2.create(combinedFilter),
+      selections: [
+        ...beforeUpdateAccessFields.map((f) => SelectionNode2.create(ColumnNode3.create(f)))
+      ]
+    };
+    const result = await proceed(query);
+    return {
+      fields: beforeUpdateAccessFields,
+      rows: result.rows
+    };
+  }
+  getFieldsAccessForBeforeUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    if (policies.length === 0) {
+      return void 0;
+    }
+    const fields = /* @__PURE__ */ new Set();
+    const fieldCollector = new class extends SchemaUtils2.ExpressionVisitor {
+      visitMember(e) {
+        if (isBeforeInvocation(e.receiver)) {
+          invariant3(e.members.length === 1, "before() can only be followed by a scalar field access");
+          fields.add(e.members[0]);
+        }
+        super.visitMember(e);
+      }
+    }();
+    for (const policy of policies) {
+      fieldCollector.visit(policy.condition);
+    }
+    if (fields.size === 0) {
+      return void 0;
+    }
+    QueryUtils2.requireIdFields(this.client.$schema, model).forEach((f) => fields.add(f));
+    return Array.from(fields).sort();
+  }
+  hasPostUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    return policies.length > 0;
+  }
+  // #endregion
+  // #region field-level policies
+  createSelectAllFieldsWithPolicies(model, alias, operation) {
+    let hasPolicies = false;
+    const modelDef = QueryUtils2.requireModel(this.client.$schema, model);
+    let selections = [];
+    for (const fieldDef of Object.values(modelDef.fields).filter(
+      // exclude relation/computed/inherited fields
+      (f) => !f.relation && !f.computed && !f.originModel
+    )) {
+      const { hasPolicies: fieldHasPolicies, selection } = this.createFieldSelectionWithPolicy(model, fieldDef.name, operation);
+      hasPolicies = hasPolicies || fieldHasPolicies;
+      selections.push(selection);
+    }
+    if (!hasPolicies) {
+      selections = [
+        SelectionNode2.create(SelectAllNode.create())
+      ];
+    }
+    const modelPolicyFilter = this.buildPolicyFilter(model, alias, operation);
+    if (!isTrueNode(modelPolicyFilter)) {
+      hasPolicies = true;
+    }
+    const nestedQuery = {
+      kind: "SelectQueryNode",
+      from: FromNode2.create([
+        TableNode3.create(model)
+      ]),
+      where: isTrueNode(modelPolicyFilter) ? void 0 : WhereNode2.create(modelPolicyFilter),
+      selections
+    };
+    return {
+      hasPolicies,
+      query: AliasNode3.create(ParensNode2.create(nestedQuery), IdentifierNode2.create(alias ?? model))
+    };
+  }
+  createFieldSelectionWithPolicy(model, field, operation) {
+    const filter = this.buildFieldPolicyFilter(model, field, operation);
+    if (isTrueNode(filter)) {
+      return {
+        hasPolicies: false,
+        selection: SelectionNode2.create(ColumnNode3.create(field))
+      };
+    }
+    const eb = expressionBuilder2();
+    const selection = eb.case().when(new ExpressionWrapper(filter)).then(eb.ref(field)).else(null).end().as(field).toOperationNode();
+    return {
+      hasPolicies: true,
+      selection: SelectionNode2.create(selection)
+    };
+  }
+  hasFieldLevelPolicies(model, operation) {
+    const modelDef = QueryUtils2.getModel(this.client.$schema, model);
+    if (!modelDef) {
+      return false;
+    }
+    return Object.keys(modelDef.fields).some((field) => this.getFieldPolicies(model, field, operation).length > 0);
+  }
+  buildFieldPolicyFilter(model, field, operation) {
+    const policies = this.getFieldPolicies(model, field, operation);
+    const allows = policies.filter((policy) => policy.kind === "allow").map((policy) => this.compilePolicyCondition(model, model, operation, policy));
+    const denies = policies.filter((policy) => policy.kind === "deny").map((policy) => this.compilePolicyCondition(model, model, operation, policy));
+    let combinedPolicy;
+    if (allows.length === 0) {
+      combinedPolicy = trueNode(this.dialect);
+    } else {
+      combinedPolicy = disjunction(this.dialect, allows);
+    }
+    if (denies.length !== 0) {
+      const combinedDenies = conjunction(this.dialect, denies.map((d) => buildIsFalse(d, this.dialect)));
+      combinedPolicy = conjunction(this.dialect, [
+        combinedPolicy,
+        combinedDenies
+      ]);
+    }
+    return combinedPolicy;
+  }
+  // #endregion
   // #region helpers
   onlyReturningId(node) {
     if (!node.returning) {
@@ -1378,7 +1493,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   buildIdConditions(table, rows) {
     const idFields = QueryUtils2.requireIdFields(this.client.$schema, table);
-    return disjunction(this.dialect, rows.map((row) => conjunction(this.dialect, idFields.map((field) => BinaryOperationNode3.create(ReferenceNode3.create(ColumnNode2.create(field), TableNode3.create(table)), OperatorNode3.create("="), ValueNode3.create(row[field]))))));
+    return disjunction(this.dialect, rows.map((row) => conjunction(this.dialect, idFields.map((field) => BinaryOperationNode3.create(ReferenceNode3.create(ColumnNode3.create(field), TableNode3.create(table)), OperatorNode3.create("="), ValueNode3.create(row[field]))))));
   }
   getMutationModel(node) {
     const r = match3(node).when(InsertQueryNode.is, (node2) => ({
@@ -1471,7 +1586,6 @@ var PolicyHandler = class extends OperationNodeTransformer {
       const extractResult = this.extractTableName(table);
       if (extractResult) {
         const { model, alias } = extractResult;
-        this.tryRejectNonexistentModel(model);
         const filter = this.buildPolicyFilter(model, alias, "read");
         return acc ? conjunction(this.dialect, [
           acc,
@@ -1507,6 +1621,23 @@ var PolicyHandler = class extends OperationNodeTransformer {
     }
     return result;
   }
+  getFieldPolicies(model, field, operation) {
+    const fieldDef = QueryUtils2.requireField(this.client.$schema, model, field);
+    const result = [];
+    const extractOperations = /* @__PURE__ */ __name((expr2) => {
+      invariant3(ExpressionUtils4.isLiteral(expr2), "expecting a literal");
+      invariant3(typeof expr2.value === "string", "expecting a string literal");
+      return expr2.value.split(",").filter((v) => !!v).map((v) => v.trim());
+    }, "extractOperations");
+    if (fieldDef.attributes) {
+      result.push(...fieldDef.attributes.filter((attr) => attr.name === "@allow" || attr.name === "@deny").map((attr) => ({
+        kind: attr.name === "@allow" ? "allow" : "deny",
+        operations: extractOperations(attr.args[0].value),
+        condition: attr.args[1].value
+      })).filter((policy) => policy.operations.includes("all") || policy.operations.includes(operation)));
+    }
+    return result;
+  }
   resolveManyToManyJoinTable(tableName) {
     for (const model of Object.values(this.client.$schema.models)) {
       for (const field of Object.values(model.fields)) {
@@ -1564,6 +1695,27 @@ var PolicyHandler = class extends OperationNodeTransformer {
       throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
     }
   }
+  tryRejectNonexistingTables(tables) {
+    for (const table of tables) {
+      const extractResult = this.extractTableName(table);
+      if (extractResult) {
+        this.tryRejectNonexistentModel(extractResult.model);
+      }
+    }
+  }
+  // correction to kysely mutation result may be needed because we might have added
+  // returning clause to the query and caused changes to the result shape
+  postProcessMutationResult(result, node) {
+    if (node.returning) {
+      return result;
+    } else {
+      return {
+        ...result,
+        rows: [],
+        numAffectedRows: result.numAffectedRows ?? BigInt(result.rows.length)
+      };
+    }
+  }
 };
 
 // src/functions.ts