npm - @zenstackhq/plugin-policy - Versions diffs - 3.3.0-beta.2 → 3.3.0-beta.3 - Mend

@zenstackhq/plugin-policy 3.3.0-beta.2 → 3.3.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -10,7 +10,7 @@ import { ExpressionWrapper as ExpressionWrapper2, ValueNode as ValueNode4 } from
 import { invariant as invariant3 } from "@zenstackhq/common-helpers";
 import { getCrudDialect as getCrudDialect2, QueryUtils as QueryUtils2, RejectedByPolicyReason, SchemaUtils as SchemaUtils2 } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils4 } from "@zenstackhq/orm/schema";
-import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
+import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
 import { match as match3 } from "ts-pattern";
 // src/column-collector.ts
@@ -41,14 +41,14 @@ import { match as match2 } from "ts-pattern";
 // src/expression-evaluator.ts
 import { invariant } from "@zenstackhq/common-helpers";
-import { match } from "ts-pattern";
 import { ExpressionUtils } from "@zenstackhq/orm/schema";
+import { match } from "ts-pattern";
 var ExpressionEvaluator = class {
   static {
     __name(this, "ExpressionEvaluator");
   }
   evaluate(expression, context) {
-    const result = match(expression).when(ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(ExpressionUtils.isThis, () => context.thisValue).when(ExpressionUtils.isNull, () => null).exhaustive();
+    const result = match(expression).when(ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(ExpressionUtils.isBinding, (expr2) => this.evaluateBinding(expr2, context)).when(ExpressionUtils.isThis, () => context.thisValue).when(ExpressionUtils.isNull, () => null).exhaustive();
     return result ?? null;
   }
   evaluateCall(expr2, context) {
@@ -72,6 +72,9 @@ var ExpressionEvaluator = class {
     return expr2.value;
   }
   evaluateField(expr2, context) {
+    if (context.bindingScope && expr2.field in context.bindingScope) {
+      return context.bindingScope[expr2.field];
+    }
     return context.thisValue?.[expr2.field];
   }
   evaluateArray(expr2, context) {
@@ -105,15 +108,33 @@ var ExpressionEvaluator = class {
     invariant(Array.isArray(left), "expected array");
     return match(op).with("?", () => left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("!", () => left.every((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("^", () => !left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).exhaustive();
   }
+  evaluateBinding(expr2, context) {
+    if (!context.bindingScope || !(expr2.name in context.bindingScope)) {
+      throw new Error(`Unresolved binding: ${expr2.name}`);
+    }
+    return context.bindingScope[expr2.name];
+  }
 };
 // src/types.ts
@@ -128,11 +149,11 @@ import { ORMError, ORMErrorReason } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils2 } from "@zenstackhq/orm/schema";
 import { AliasNode, AndNode, BinaryOperationNode, ColumnNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
 function trueNode(dialect) {
-  return ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
+  return ValueNode.createImmediate(dialect.transformInput(true, "Boolean", false));
 }
 __name(trueNode, "trueNode");
 function falseNode(dialect) {
-  return ValueNode.createImmediate(dialect.transformPrimitive(false, "Boolean", false));
+  return ValueNode.createImmediate(dialect.transformInput(false, "Boolean", false));
 }
 __name(falseNode, "falseNode");
 function isTrueNode(node) {
@@ -426,7 +447,8 @@ var ExpressionTransformer = class {
       const evaluator = new ExpressionEvaluator();
       const receiver = evaluator.evaluate(expr2.left, {
         thisValue: context.contextValue,
-        auth: this.auth
+        auth: this.auth,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       const baseType = this.isAuthMember(expr2.left) ? this.authType : context.modelOrType;
       const memberType = this.getMemberType(baseType, expr2.left);
@@ -442,18 +464,31 @@ var ExpressionTransformer = class {
       invariant2(fieldDef.relation, `field is not a relation: ${JSON.stringify(expr2.left)}`);
       newContextModel = fieldDef.type;
     } else {
-      invariant2(ExpressionUtils3.isMember(expr2.left) && ExpressionUtils3.isField(expr2.left.receiver), "left operand must be member access with field receiver");
-      const fieldDef2 = QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
-      newContextModel = fieldDef2.type;
+      invariant2(ExpressionUtils3.isMember(expr2.left) && (ExpressionUtils3.isField(expr2.left.receiver) || ExpressionUtils3.isBinding(expr2.left.receiver)), "left operand must be member access with field receiver");
+      if (ExpressionUtils3.isField(expr2.left.receiver)) {
+        const fieldDef2 = QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
+        newContextModel = fieldDef2.type;
+      } else {
+        const binding = this.requireBindingScope(expr2.left.receiver, context);
+        newContextModel = binding.type;
+      }
       for (const member of expr2.left.members) {
         const memberDef = QueryUtils.requireField(this.schema, newContextModel, member);
         newContextModel = memberDef.type;
       }
     }
+    const bindingScope = expr2.binding ? {
+      ...context.bindingScope ?? {},
+      [expr2.binding]: {
+        type: newContextModel,
+        alias: newContextModel
+      }
+    } : context.bindingScope;
     let predicateFilter = this.transform(expr2.right, {
       ...context,
       modelOrType: newContextModel,
-      alias: void 0
+      alias: void 0,
+      bindingScope
     });
     if (expr2.op === "!") {
       predicateFilter = logicalNot(this.dialect, predicateFilter);
@@ -480,18 +515,30 @@ var ExpressionTransformer = class {
     if (!visitor.find(expr2.right)) {
       const value = new ExpressionEvaluator().evaluate(expr2, {
         auth: this.auth,
-        thisValue: context.contextValue
+        thisValue: context.contextValue,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       return this.transformValue(value, "Boolean");
     } else {
       invariant2(Array.isArray(receiver), "array value is expected");
-      const components = receiver.map((item) => this.transform(expr2.right, {
-        operation: context.operation,
-        thisType: context.thisType,
-        thisAlias: context.thisAlias,
-        modelOrType: context.modelOrType,
-        contextValue: item
-      }));
+      const components = receiver.map((item) => {
+        const bindingScope = expr2.binding ? {
+          ...context.bindingScope ?? {},
+          [expr2.binding]: {
+            type: context.modelOrType,
+            alias: context.thisAlias ?? context.modelOrType,
+            value: item
+          }
+        } : context.bindingScope;
+        return this.transform(expr2.right, {
+          operation: context.operation,
+          thisType: context.thisType,
+          thisAlias: context.thisAlias,
+          modelOrType: context.modelOrType,
+          contextValue: item,
+          bindingScope
+        });
+      });
       return match2(expr2.op).with("?", () => disjunction(this.dialect, components)).with("!", () => conjunction(this.dialect, components)).with("^", () => logicalNot(this.dialect, disjunction(this.dialect, components))).exhaustive();
     }
   }
@@ -558,7 +605,7 @@ var ExpressionTransformer = class {
     } else if (value === false) {
       return falseNode(this.dialect);
     } else {
-      const transformed = this.dialect.transformPrimitive(value, type, false) ?? null;
+      const transformed = this.dialect.transformInput(value, type, false) ?? null;
       if (!Array.isArray(transformed)) {
         return ValueNode2.createImmediate(transformed);
       } else {
@@ -621,6 +668,12 @@ var ExpressionTransformer = class {
     throw createUnsupportedError(`Unsupported argument expression: ${arg.kind}`);
   }
   _member(expr2, context) {
+    if (ExpressionUtils3.isBinding(expr2.receiver)) {
+      const scope = this.requireBindingScope(expr2.receiver, context);
+      if (scope.value !== void 0) {
+        return this.valueMemberAccess(scope.value, expr2, scope.type);
+      }
+    }
     if (this.isAuthCall(expr2.receiver)) {
       return this.valueMemberAccess(this.auth, expr2, this.authType);
     }
@@ -629,9 +682,10 @@ var ExpressionTransformer = class {
       invariant2(expr2.members.length === 1, "before() can only be followed by a scalar field access");
       return ReferenceNode2.create(ColumnNode2.create(expr2.members[0]), TableNode2.create("$before"));
     }
-    invariant2(ExpressionUtils3.isField(expr2.receiver) || ExpressionUtils3.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
+    invariant2(ExpressionUtils3.isField(expr2.receiver) || ExpressionUtils3.isThis(expr2.receiver) || ExpressionUtils3.isBinding(expr2.receiver), 'expect receiver to be field expression, collection predicate binding, or "this"');
     let members = expr2.members;
     let receiver;
+    let startType;
     const { memberFilter, memberSelect, ...restContext } = context;
     if (ExpressionUtils3.isThis(expr2.receiver)) {
       if (expr2.members.length === 1) {
@@ -646,17 +700,40 @@ var ExpressionTransformer = class {
         const firstMemberFieldDef = QueryUtils.requireField(this.schema, context.thisType, expr2.members[0]);
         receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
         members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
+      }
+    } else if (ExpressionUtils3.isBinding(expr2.receiver)) {
+      if (expr2.members.length === 1) {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        return this._field(ExpressionUtils3.field(expr2.members[0]), {
+          ...context,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias,
+          thisType: context.thisType,
+          contextValue: void 0
+        });
+      } else {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        const firstMemberFieldDef = QueryUtils.requireField(this.schema, bindingScope.type, expr2.members[0]);
+        receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, {
+          ...restContext,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias
+        });
+        members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
       }
     } else {
       receiver = this.transform(expr2.receiver, restContext);
     }
     invariant2(SelectQueryNode.is(receiver), "expected receiver to be select query");
-    let startType;
-    if (ExpressionUtils3.isField(expr2.receiver)) {
-      const receiverField = QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
-      startType = receiverField.type;
-    } else {
-      startType = context.thisType;
+    if (startType === void 0) {
+      if (ExpressionUtils3.isField(expr2.receiver)) {
+        const receiverField = QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
+        startType = receiverField.type;
+      } else {
+        startType = context.thisType;
+      }
     }
     const memberFields = [];
     let currType = startType;
@@ -707,6 +784,11 @@ var ExpressionTransformer = class {
       ]
     };
   }
+  requireBindingScope(expr2, context) {
+    const binding = context.bindingScope?.[expr2.name];
+    invariant2(binding, `binding not found: ${expr2.name}`);
+    return binding;
+  }
   valueMemberAccess(receiver, expr2, receiverType) {
     if (!receiver) {
       return ValueNode2.createImmediate(null);
@@ -772,6 +854,19 @@ var ExpressionTransformer = class {
     }
     return this.buildDelegateBaseFieldSelect(context.modelOrType, tableName, column, fieldDef.originModel);
   }
+  // convert transformer's binding scope to equivalent expression evaluator binding scope
+  getEvaluationBindingScope(scope) {
+    if (!scope) {
+      return void 0;
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(scope)) {
+      if (value.value !== void 0) {
+        result[key] = value.value;
+      }
+    }
+    return Object.keys(result).length > 0 ? result : void 0;
+  }
   buildDelegateBaseFieldSelect(model, modelAlias, field, baseModel) {
     const idFields = QueryUtils.requireIdFields(this.client.$schema, model);
     return {
@@ -896,6 +991,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   client;
   dialect;
+  eb = expressionBuilder2();
   constructor(client) {
     super(), this.client = client;
     this.dialect = getCrudDialect2(this.client.$schema, this.client.$options);
@@ -919,52 +1015,21 @@ var PolicyHandler = class extends OperationNodeTransformer {
     if (UpdateQueryNode.is(node)) {
       await this.preUpdateCheck(mutationModel, node, proceed);
     }
-    const hasPostUpdatePolicies = UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
+    const needsPostUpdateCheck = UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
     let beforeUpdateInfo;
-    if (hasPostUpdatePolicies) {
-      beforeUpdateInfo = await this.loadBeforeUpdateEntities(mutationModel, node.where, proceed);
+    if (needsPostUpdateCheck) {
+      beforeUpdateInfo = await this.loadBeforeUpdateEntities(
+        mutationModel,
+        node.where,
+        proceed,
+        // force load pre-update entities if dialect doesn't support returning,
+        // so we can rely on pre-update ids to read back updated entities
+        !this.dialect.supportsReturning
+      );
     }
     const result = await proceed(this.transformNode(node));
-    if (hasPostUpdatePolicies && result.rows.length > 0) {
-      if (beforeUpdateInfo) {
-        invariant3(beforeUpdateInfo.rows.length === result.rows.length);
-        const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-        for (const postRow of result.rows) {
-          const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
-          if (!beforeRow) {
-            throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
-          }
-        }
-      }
-      const idConditions = this.buildIdConditions(mutationModel, result.rows);
-      const postUpdateFilter = this.buildPolicyFilter(mutationModel, void 0, "post-update");
-      const eb = expressionBuilder2();
-      const beforeUpdateTable = beforeUpdateInfo ? {
-        kind: "SelectQueryNode",
-        from: FromNode2.create([
-          ParensNode2.create(ValuesNode.create(beforeUpdateInfo.rows.map((r) => PrimitiveValueListNode.create(beforeUpdateInfo.fields.map((f) => r[f])))))
-        ]),
-        selections: beforeUpdateInfo.fields.map((name, index) => {
-          const def = QueryUtils2.requireField(this.client.$schema, mutationModel, name);
-          const castedColumnRef = sql`CAST(${eb.ref(`column${index + 1}`)} as ${sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-          return SelectionNode2.create(castedColumnRef.toOperationNode());
-        })
-      } : void 0;
-      const postUpdateQuery = eb.selectFrom(mutationModel).select(() => [
-        eb(eb.fn("COUNT", [
-          eb.lit(1)
-        ]), "=", result.rows.length).as("$condition")
-      ]).where(() => new ExpressionWrapper(conjunction(this.dialect, [
-        idConditions,
-        postUpdateFilter
-      ]))).$if(!!beforeUpdateInfo, (qb) => qb.leftJoin(() => new ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
-        const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-        return idFields.reduce((acc, f) => acc.onRef(`${mutationModel}.${f}`, "=", `$before.${f}`), join);
-      }));
-      const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
-      if (!postUpdateResult.rows[0]?.$condition) {
-        throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
-      }
+    if ((result.numAffectedRows ?? 0) > 0 && needsPostUpdateCheck) {
+      await this.postUpdateCheck(mutationModel, beforeUpdateInfo, result, proceed);
     }
     if (!node.returning || this.onlyReturningId(node)) {
       return this.postProcessMutationResult(result, node);
@@ -1003,12 +1068,69 @@ var PolicyHandler = class extends OperationNodeTransformer {
       modelLevelFilter,
       node.where?.where ?? trueNode(this.dialect)
     ]);
-    const preUpdateCheckQuery = expressionBuilder2().selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(eb.cast(new ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)), "integer")), eb.lit(0)).as("$filteredCount")).where(() => new ExpressionWrapper(updateFilter));
+    const preUpdateCheckQuery = this.eb.selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(this.dialect.castInt(new ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)))), eb.lit(0)).as("$filteredCount")).where(() => new ExpressionWrapper(updateFilter));
     const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
     if (preUpdateResult.rows[0].$filteredCount > 0) {
       throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some rows cannot be updated due to field policies");
     }
   }
+  async postUpdateCheck(model, beforeUpdateInfo, updateResult, proceed) {
+    let postUpdateRows;
+    if (this.dialect.supportsReturning) {
+      postUpdateRows = updateResult.rows;
+    } else {
+      invariant3(beforeUpdateInfo, "beforeUpdateInfo must be defined for dialects not supporting returning");
+      const idConditions2 = this.buildIdConditions(model, beforeUpdateInfo.rows);
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      const postUpdateQuery2 = {
+        kind: "SelectQueryNode",
+        from: FromNode2.create([
+          TableNode3.create(model)
+        ]),
+        where: WhereNode2.create(idConditions2),
+        selections: idFields.map((field) => SelectionNode2.create(ColumnNode3.create(field)))
+      };
+      const postUpdateQueryResult = await proceed(postUpdateQuery2);
+      postUpdateRows = postUpdateQueryResult.rows;
+    }
+    if (beforeUpdateInfo) {
+      if (beforeUpdateInfo.rows.length !== postUpdateRows.length) {
+        throw createRejectedByPolicyError(model, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+      }
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      for (const postRow of postUpdateRows) {
+        const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
+        if (!beforeRow) {
+          throw createRejectedByPolicyError(model, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+        }
+      }
+    }
+    const idConditions = this.buildIdConditions(model, postUpdateRows);
+    const postUpdateFilter = this.buildPolicyFilter(model, void 0, "post-update");
+    const eb = expressionBuilder2();
+    const needsBeforeUpdateJoin = !!beforeUpdateInfo?.fields;
+    let beforeUpdateTable = void 0;
+    if (needsBeforeUpdateJoin) {
+      const fieldDefs = beforeUpdateInfo.fields.map((name) => QueryUtils2.requireField(this.client.$schema, model, name));
+      const rows = beforeUpdateInfo.rows.map((r) => beforeUpdateInfo.fields.map((f) => r[f]));
+      beforeUpdateTable = this.dialect.buildValuesTableSelect(fieldDefs, rows).toOperationNode();
+    }
+    const postUpdateQuery = eb.selectFrom(model).select(() => [
+      eb(eb.fn("COUNT", [
+        eb.lit(1)
+      ]), "=", Number(updateResult.numAffectedRows ?? 0)).as("$condition")
+    ]).where(() => new ExpressionWrapper(conjunction(this.dialect, [
+      idConditions,
+      postUpdateFilter
+    ]))).$if(needsBeforeUpdateJoin, (qb) => qb.leftJoin(() => new ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      return idFields.reduce((acc, f) => acc.onRef(`${model}.${f}`, "=", `$before.${f}`), join);
+    }));
+    const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
+    if (!postUpdateResult.rows[0]?.$condition) {
+      throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
+    }
+  }
   // #endregion
   // #region Transformations
   transformSelectQuery(node) {
@@ -1076,6 +1198,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     };
   }
   transformInsertQuery(node) {
+    let processedNode = node;
     let onConflict = node.onConflict;
     if (onConflict?.updates) {
       const { mutationModel, alias } = this.getMutationModel(node);
@@ -1094,11 +1217,36 @@ var PolicyHandler = class extends OperationNodeTransformer {
           updateWhere: WhereNode2.create(filter)
         };
       }
+      processedNode = {
+        ...node,
+        onConflict
+      };
+    }
+    let onDuplicateKey = node.onDuplicateKey;
+    if (onDuplicateKey?.updates) {
+      const { mutationModel } = this.getMutationModel(node);
+      const filterWithTableRef = this.buildPolicyFilter(mutationModel, void 0, "update");
+      const filter = this.stripTableReferences(filterWithTableRef, mutationModel);
+      const wrappedUpdates = onDuplicateKey.updates.map((update) => {
+        const columnName = ColumnNode3.is(update.column) ? update.column.column.name : void 0;
+        if (!columnName) {
+          return update;
+        }
+        const wrappedValue = sql`IF(${new ExpressionWrapper(filter)}, ${new ExpressionWrapper(update.value)}, ${sql.ref(columnName)})`.toOperationNode();
+        return {
+          ...update,
+          value: wrappedValue
+        };
+      });
+      onDuplicateKey = {
+        ...onDuplicateKey,
+        updates: wrappedUpdates
+      };
+      processedNode = {
+        ...processedNode,
+        onDuplicateKey
+      };
     }
-    const processedNode = onConflict ? {
-      ...node,
-      onConflict
-    } : node;
     const result = super.transformInsertQuery(processedNode);
     let returning = result.returning;
     if (returning) {
@@ -1126,7 +1274,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       }
     }
     let returning = result.returning;
-    if (returning || this.hasPostUpdatePolicies(mutationModel)) {
+    if (this.dialect.supportsReturning && (returning || this.hasPostUpdatePolicies(mutationModel))) {
       const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
       returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode3.create(f))));
     }
@@ -1163,9 +1311,9 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   // #endregion
   // #region post-update
-  async loadBeforeUpdateEntities(model, where, proceed) {
+  async loadBeforeUpdateEntities(model, where, proceed, forceLoad = false) {
     const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
-    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+    if (!forceLoad && (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0)) {
       return void 0;
     }
     const policyFilter = this.buildPolicyFilter(model, model, "update");
@@ -1173,15 +1321,14 @@ var PolicyHandler = class extends OperationNodeTransformer {
       where.where,
       policyFilter
     ]) : policyFilter;
+    const selections = beforeUpdateAccessFields ?? QueryUtils2.requireIdFields(this.client.$schema, model);
     const query = {
       kind: "SelectQueryNode",
       from: FromNode2.create([
         TableNode3.create(model)
       ]),
       where: WhereNode2.create(combinedFilter),
-      selections: [
-        ...beforeUpdateAccessFields.map((f) => SelectionNode2.create(ColumnNode3.create(f)))
-      ]
+      selections: selections.map((f) => SelectionNode2.create(ColumnNode3.create(f)))
     };
     const result = await proceed(query);
     return {
@@ -1361,43 +1508,24 @@ var PolicyHandler = class extends OperationNodeTransformer {
     }
   }
   async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
-    const allFields = Object.entries(QueryUtils2.requireModel(this.client.$schema, model).fields).filter(([, def]) => !def.relation);
+    const allFields = QueryUtils2.getModelFields(this.client.$schema, model, {
+      inherited: true
+    });
     const allValues = [];
-    for (const [name, _def] of allFields) {
-      const index = fields.indexOf(name);
+    for (const def of allFields) {
+      const index = fields.indexOf(def.name);
       if (index >= 0) {
-        allValues.push(values[index]);
+        allValues.push(new ExpressionWrapper(values[index]));
       } else {
-        allValues.push(ValueNode3.createImmediate(null));
+        allValues.push(this.eb.lit(null));
       }
     }
-    const eb = expressionBuilder2();
-    const constTable = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        AliasNode3.create(ParensNode2.create(ValuesNode.create([
-          ValueListNode2.create(allValues)
-        ])), IdentifierNode2.create("$t"))
-      ]),
-      selections: allFields.map(([name, def], index) => {
-        const castedColumnRef = sql`CAST(${eb.ref(`column${index + 1}`)} as ${sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-        return SelectionNode2.create(castedColumnRef.toOperationNode());
-      })
-    };
+    const valuesTable = this.dialect.buildValuesTableSelect(allFields, [
+      allValues
+    ]);
     const filter = this.buildPolicyFilter(model, void 0, "create");
-    const preCreateCheck = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        AliasNode3.create(constTable, IdentifierNode2.create(model))
-      ]),
-      selections: [
-        SelectionNode2.create(AliasNode3.create(BinaryOperationNode3.create(FunctionNode3.create("COUNT", [
-          ValueNode3.createImmediate(1)
-        ]), OperatorNode3.create(">"), ValueNode3.createImmediate(0)), IdentifierNode2.create("$condition")))
-      ],
-      where: WhereNode2.create(filter)
-    };
-    const result = await proceed(preCreateCheck);
+    const preCreateCheck = this.eb.selectFrom(valuesTable.as(model)).select(this.eb(this.eb.fn.count(this.eb.lit(1)), ">", 0).as("$condition")).where(() => new ExpressionWrapper(filter));
+    const result = await proceed(preCreateCheck.toOperationNode());
     if (!result.rows[0]?.$condition) {
       throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
     }
@@ -1422,18 +1550,18 @@ var PolicyHandler = class extends OperationNodeTransformer {
         const fieldDef = QueryUtils2.requireField(this.client.$schema, model, fields[i]);
         invariant3(item.kind === "ValueNode", "expecting a ValueNode");
         result.push({
-          node: ValueNode3.create(this.dialect.transformPrimitive(item.value, fieldDef.type, !!fieldDef.array)),
+          node: ValueNode3.create(this.dialect.transformInput(item.value, fieldDef.type, !!fieldDef.array)),
           raw: item.value
         });
       } else {
         let value = item;
         if (!isImplicitManyToManyJoinTable) {
           const fieldDef = QueryUtils2.requireField(this.client.$schema, model, fields[i]);
-          value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+          value = this.dialect.transformInput(item, fieldDef.type, !!fieldDef.array);
         }
         if (Array.isArray(value)) {
           result.push({
-            node: RawNode.createWithSql(this.dialect.buildArrayLiteralSQL(value)),
+            node: this.dialect.buildArrayLiteralSQL(value).toOperationNode(),
             raw: value
           });
         } else {
@@ -1681,11 +1809,10 @@ var PolicyHandler = class extends OperationNodeTransformer {
       return void 0;
     }
     const checkForOperation = operation === "read" ? "read" : "update";
-    const eb = expressionBuilder2();
     const joinTable = alias ?? tableName;
-    const aQuery = eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
-    const bQuery = eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
-    return eb.and([
+    const aQuery = this.eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
+    const bQuery = this.eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
+    return this.eb.and([
       aQuery,
       bQuery
     ]).toOperationNode();
@@ -1716,6 +1843,26 @@ var PolicyHandler = class extends OperationNodeTransformer {
       };
     }
   }
+  // strips table references from an OperationNode
+  stripTableReferences(node, modelName) {
+    return new TableReferenceStripper().strip(node, modelName);
+  }
+};
+var TableReferenceStripper = class TableReferenceStripper2 extends OperationNodeTransformer {
+  static {
+    __name(this, "TableReferenceStripper");
+  }
+  tableName = "";
+  strip(node, tableName) {
+    this.tableName = tableName;
+    return this.transformNode(node);
+  }
+  transformReference(node) {
+    if (ColumnNode3.is(node.column) && node.table?.table.identifier.name === this.tableName) {
+      return ReferenceNode3.create(this.transformNode(node.column));
+    }
+    return super.transformReference(node);
+  }
 };
 // src/functions.ts
@@ -1764,7 +1911,7 @@ var check = /* @__PURE__ */ __name((eb, args, { client, model, modelAlias, opera
   const policyHandler = new PolicyHandler(client);
   const op = arg2Node ? arg2Node.value : operation;
   const policyCondition = policyHandler.buildPolicyFilter(relationModel, void 0, op);
-  const result = eb.selectFrom(relationModel).where(joinCondition).select(new ExpressionWrapper2(policyCondition).as("$condition"));
+  const result = eb.selectFrom(eb.selectFrom(relationModel).where(joinCondition).select(new ExpressionWrapper2(policyCondition).as("$condition")).as("$sub")).selectAll();
   return result;
 }, "check");