npm - @zenstackhq/plugin-policy - Versions diffs - 3.3.0-beta.2 → 3.3.0-beta.4 - Mend

@zenstackhq/plugin-policy 3.3.0-beta.2 → 3.3.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -65,14 +65,14 @@ var import_ts_pattern2 = require("ts-pattern");
 // src/expression-evaluator.ts
 var import_common_helpers = require("@zenstackhq/common-helpers");
-var import_ts_pattern = require("ts-pattern");
 var import_schema = require("@zenstackhq/orm/schema");
+var import_ts_pattern = require("ts-pattern");
 var ExpressionEvaluator = class {
   static {
     __name(this, "ExpressionEvaluator");
   }
   evaluate(expression, context) {
-    const result = (0, import_ts_pattern.match)(expression).when(import_schema.ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(import_schema.ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(import_schema.ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(import_schema.ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(import_schema.ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(import_schema.ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(import_schema.ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(import_schema.ExpressionUtils.isThis, () => context.thisValue).when(import_schema.ExpressionUtils.isNull, () => null).exhaustive();
+    const result = (0, import_ts_pattern.match)(expression).when(import_schema.ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(import_schema.ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(import_schema.ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(import_schema.ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(import_schema.ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(import_schema.ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(import_schema.ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(import_schema.ExpressionUtils.isBinding, (expr2) => this.evaluateBinding(expr2, context)).when(import_schema.ExpressionUtils.isThis, () => context.thisValue).when(import_schema.ExpressionUtils.isNull, () => null).exhaustive();
     return result ?? null;
   }
   evaluateCall(expr2, context) {
@@ -96,6 +96,9 @@ var ExpressionEvaluator = class {
     return expr2.value;
   }
   evaluateField(expr2, context) {
+    if (context.bindingScope && expr2.field in context.bindingScope) {
+      return context.bindingScope[expr2.field];
+    }
     return context.thisValue?.[expr2.field];
   }
   evaluateArray(expr2, context) {
@@ -129,15 +132,33 @@ var ExpressionEvaluator = class {
     (0, import_common_helpers.invariant)(Array.isArray(left), "expected array");
     return (0, import_ts_pattern.match)(op).with("?", () => left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("!", () => left.every((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("^", () => !left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).exhaustive();
   }
+  evaluateBinding(expr2, context) {
+    if (!context.bindingScope || !(expr2.name in context.bindingScope)) {
+      throw new Error(`Unresolved binding: ${expr2.name}`);
+    }
+    return context.bindingScope[expr2.name];
+  }
 };
 // src/types.ts
@@ -152,11 +173,11 @@ var import_orm2 = require("@zenstackhq/orm");
 var import_schema2 = require("@zenstackhq/orm/schema");
 var import_kysely = require("kysely");
 function trueNode(dialect) {
-  return import_kysely.ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
+  return import_kysely.ValueNode.createImmediate(dialect.transformInput(true, "Boolean", false));
 }
 __name(trueNode, "trueNode");
 function falseNode(dialect) {
-  return import_kysely.ValueNode.createImmediate(dialect.transformPrimitive(false, "Boolean", false));
+  return import_kysely.ValueNode.createImmediate(dialect.transformInput(false, "Boolean", false));
 }
 __name(falseNode, "falseNode");
 function isTrueNode(node) {
@@ -290,6 +311,7 @@ var ExpressionTransformer = class {
   }
   client;
   dialect;
+  eb = (0, import_kysely2.expressionBuilder)();
   constructor(client) {
     this.client = client;
     this.dialect = (0, import_orm3.getCrudDialect)(this.schema, this.clientOptions);
@@ -314,13 +336,15 @@ var ExpressionTransformer = class {
     if (!handler) {
       throw new Error(`Unsupported expression kind: ${expression.kind}`);
     }
-    return handler.value.call(this, expression, context);
+    const result = handler.value.call(this, expression, context);
+    (0, import_common_helpers2.invariant)("kind" in result, `expression handler must return an OperationNode: transforming ${expression.kind}`);
+    return result;
   }
   _literal(expr2) {
     return this.transformValue(expr2.value, typeof expr2.value === "string" ? "String" : typeof expr2.value === "boolean" ? "Boolean" : "Int");
   }
   _array(expr2, context) {
-    return import_kysely2.ValueListNode.create(expr2.items.map((item) => this.transform(item, context)));
+    return this.dialect.buildArrayValue(expr2.items.map((item) => new import_kysely2.ExpressionWrapper(this.transform(item, context))), expr2.type).toOperationNode();
   }
   _field(expr2, context) {
     if (context.contextValue) {
@@ -450,7 +474,8 @@ var ExpressionTransformer = class {
       const evaluator = new ExpressionEvaluator();
       const receiver = evaluator.evaluate(expr2.left, {
         thisValue: context.contextValue,
-        auth: this.auth
+        auth: this.auth,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       const baseType = this.isAuthMember(expr2.left) ? this.authType : context.modelOrType;
       const memberType = this.getMemberType(baseType, expr2.left);
@@ -466,18 +491,31 @@ var ExpressionTransformer = class {
       (0, import_common_helpers2.invariant)(fieldDef.relation, `field is not a relation: ${JSON.stringify(expr2.left)}`);
       newContextModel = fieldDef.type;
     } else {
-      (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isMember(expr2.left) && import_schema3.ExpressionUtils.isField(expr2.left.receiver), "left operand must be member access with field receiver");
-      const fieldDef2 = import_orm3.QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
-      newContextModel = fieldDef2.type;
+      (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isMember(expr2.left) && (import_schema3.ExpressionUtils.isField(expr2.left.receiver) || import_schema3.ExpressionUtils.isBinding(expr2.left.receiver)), "left operand must be member access with field receiver");
+      if (import_schema3.ExpressionUtils.isField(expr2.left.receiver)) {
+        const fieldDef2 = import_orm3.QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
+        newContextModel = fieldDef2.type;
+      } else {
+        const binding = this.requireBindingScope(expr2.left.receiver, context);
+        newContextModel = binding.type;
+      }
       for (const member of expr2.left.members) {
         const memberDef = import_orm3.QueryUtils.requireField(this.schema, newContextModel, member);
         newContextModel = memberDef.type;
       }
     }
+    const bindingScope = expr2.binding ? {
+      ...context.bindingScope ?? {},
+      [expr2.binding]: {
+        type: newContextModel,
+        alias: newContextModel
+      }
+    } : context.bindingScope;
     let predicateFilter = this.transform(expr2.right, {
       ...context,
       modelOrType: newContextModel,
-      alias: void 0
+      alias: void 0,
+      bindingScope
     });
     if (expr2.op === "!") {
       predicateFilter = logicalNot(this.dialect, predicateFilter);
@@ -504,18 +542,30 @@ var ExpressionTransformer = class {
     if (!visitor.find(expr2.right)) {
       const value = new ExpressionEvaluator().evaluate(expr2, {
         auth: this.auth,
-        thisValue: context.contextValue
+        thisValue: context.contextValue,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       return this.transformValue(value, "Boolean");
     } else {
       (0, import_common_helpers2.invariant)(Array.isArray(receiver), "array value is expected");
-      const components = receiver.map((item) => this.transform(expr2.right, {
-        operation: context.operation,
-        thisType: context.thisType,
-        thisAlias: context.thisAlias,
-        modelOrType: context.modelOrType,
-        contextValue: item
-      }));
+      const components = receiver.map((item) => {
+        const bindingScope = expr2.binding ? {
+          ...context.bindingScope ?? {},
+          [expr2.binding]: {
+            type: context.modelOrType,
+            alias: context.thisAlias ?? context.modelOrType,
+            value: item
+          }
+        } : context.bindingScope;
+        return this.transform(expr2.right, {
+          operation: context.operation,
+          thisType: context.thisType,
+          thisAlias: context.thisAlias,
+          modelOrType: context.modelOrType,
+          contextValue: item,
+          bindingScope
+        });
+      });
       return (0, import_ts_pattern2.match)(expr2.op).with("?", () => disjunction(this.dialect, components)).with("!", () => conjunction(this.dialect, components)).with("^", () => logicalNot(this.dialect, disjunction(this.dialect, components))).exhaustive();
     }
   }
@@ -581,9 +631,11 @@ var ExpressionTransformer = class {
       return trueNode(this.dialect);
     } else if (value === false) {
       return falseNode(this.dialect);
+    } else if (Array.isArray(value)) {
+      return this.dialect.buildArrayValue(value.map((v) => new import_kysely2.ExpressionWrapper(this.transformValue(v, type))), type).toOperationNode();
     } else {
-      const transformed = this.dialect.transformPrimitive(value, type, false) ?? null;
-      if (!Array.isArray(transformed)) {
+      const transformed = this.dialect.transformInput(value, type, false) ?? null;
+      if (typeof transformed !== "string") {
         return import_kysely2.ValueNode.createImmediate(transformed);
       } else {
         return import_kysely2.ValueNode.create(transformed);
@@ -607,8 +659,7 @@ var ExpressionTransformer = class {
     if (!func) {
       throw createUnsupportedError(`Function not implemented: ${expr2.function}`);
     }
-    const eb = (0, import_kysely2.expressionBuilder)();
-    return func(eb, (expr2.args ?? []).map((arg) => this.transformCallArg(eb, arg, context)), {
+    return func(this.eb, (expr2.args ?? []).map((arg) => this.transformCallArg(arg, context)), {
       client: this.client,
       dialect: this.dialect,
       model: context.modelOrType,
@@ -628,23 +679,20 @@ var ExpressionTransformer = class {
     }
     return func;
   }
-  transformCallArg(eb, arg, context) {
-    if (import_schema3.ExpressionUtils.isLiteral(arg)) {
-      return eb.val(arg.value);
-    }
+  transformCallArg(arg, context) {
     if (import_schema3.ExpressionUtils.isField(arg)) {
-      return eb.ref(arg.field);
-    }
-    if (import_schema3.ExpressionUtils.isCall(arg)) {
-      return this.transformCall(arg, context);
-    }
-    if (this.isAuthMember(arg)) {
-      const valNode = this.valueMemberAccess(this.auth, arg, this.authType);
-      return valNode ? eb.val(valNode.value) : eb.val(null);
+      return this.eb.ref(arg.field);
+    } else {
+      return new import_kysely2.ExpressionWrapper(this.transform(arg, context));
     }
-    throw createUnsupportedError(`Unsupported argument expression: ${arg.kind}`);
   }
   _member(expr2, context) {
+    if (import_schema3.ExpressionUtils.isBinding(expr2.receiver)) {
+      const scope = this.requireBindingScope(expr2.receiver, context);
+      if (scope.value !== void 0) {
+        return this.valueMemberAccess(scope.value, expr2, scope.type);
+      }
+    }
     if (this.isAuthCall(expr2.receiver)) {
       return this.valueMemberAccess(this.auth, expr2, this.authType);
     }
@@ -653,9 +701,10 @@ var ExpressionTransformer = class {
       (0, import_common_helpers2.invariant)(expr2.members.length === 1, "before() can only be followed by a scalar field access");
       return import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(expr2.members[0]), import_kysely2.TableNode.create("$before"));
     }
-    (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isField(expr2.receiver) || import_schema3.ExpressionUtils.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
+    (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isField(expr2.receiver) || import_schema3.ExpressionUtils.isThis(expr2.receiver) || import_schema3.ExpressionUtils.isBinding(expr2.receiver), 'expect receiver to be field expression, collection predicate binding, or "this"');
     let members = expr2.members;
     let receiver;
+    let startType;
     const { memberFilter, memberSelect, ...restContext } = context;
     if (import_schema3.ExpressionUtils.isThis(expr2.receiver)) {
       if (expr2.members.length === 1) {
@@ -670,17 +719,40 @@ var ExpressionTransformer = class {
         const firstMemberFieldDef = import_orm3.QueryUtils.requireField(this.schema, context.thisType, expr2.members[0]);
         receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
         members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
+      }
+    } else if (import_schema3.ExpressionUtils.isBinding(expr2.receiver)) {
+      if (expr2.members.length === 1) {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        return this._field(import_schema3.ExpressionUtils.field(expr2.members[0]), {
+          ...context,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias,
+          thisType: context.thisType,
+          contextValue: void 0
+        });
+      } else {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        const firstMemberFieldDef = import_orm3.QueryUtils.requireField(this.schema, bindingScope.type, expr2.members[0]);
+        receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, {
+          ...restContext,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias
+        });
+        members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
       }
     } else {
       receiver = this.transform(expr2.receiver, restContext);
     }
     (0, import_common_helpers2.invariant)(import_kysely2.SelectQueryNode.is(receiver), "expected receiver to be select query");
-    let startType;
-    if (import_schema3.ExpressionUtils.isField(expr2.receiver)) {
-      const receiverField = import_orm3.QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
-      startType = receiverField.type;
-    } else {
-      startType = context.thisType;
+    if (startType === void 0) {
+      if (import_schema3.ExpressionUtils.isField(expr2.receiver)) {
+        const receiverField = import_orm3.QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
+        startType = receiverField.type;
+      } else {
+        startType = context.thisType;
+      }
     }
     const memberFields = [];
     let currType = startType;
@@ -731,6 +803,11 @@ var ExpressionTransformer = class {
       ]
     };
   }
+  requireBindingScope(expr2, context) {
+    const binding = context.bindingScope?.[expr2.name];
+    (0, import_common_helpers2.invariant)(binding, `binding not found: ${expr2.name}`);
+    return binding;
+  }
   valueMemberAccess(receiver, expr2, receiverType) {
     if (!receiver) {
       return import_kysely2.ValueNode.createImmediate(null);
@@ -796,6 +873,19 @@ var ExpressionTransformer = class {
     }
     return this.buildDelegateBaseFieldSelect(context.modelOrType, tableName, column, fieldDef.originModel);
   }
+  // convert transformer's binding scope to equivalent expression evaluator binding scope
+  getEvaluationBindingScope(scope) {
+    if (!scope) {
+      return void 0;
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(scope)) {
+      if (value.value !== void 0) {
+        result[key] = value.value;
+      }
+    }
+    return Object.keys(result).length > 0 ? result : void 0;
+  }
   buildDelegateBaseFieldSelect(model, modelAlias, field, baseModel) {
     const idFields = import_orm3.QueryUtils.requireIdFields(this.client.$schema, model);
     return {
@@ -920,6 +1010,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
   }
   client;
   dialect;
+  eb = (0, import_kysely3.expressionBuilder)();
   constructor(client) {
     super(), this.client = client;
     this.dialect = (0, import_orm4.getCrudDialect)(this.client.$schema, this.client.$options);
@@ -943,52 +1034,21 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     if (import_kysely3.UpdateQueryNode.is(node)) {
       await this.preUpdateCheck(mutationModel, node, proceed);
     }
-    const hasPostUpdatePolicies = import_kysely3.UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
+    const needsPostUpdateCheck = import_kysely3.UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
     let beforeUpdateInfo;
-    if (hasPostUpdatePolicies) {
-      beforeUpdateInfo = await this.loadBeforeUpdateEntities(mutationModel, node.where, proceed);
+    if (needsPostUpdateCheck) {
+      beforeUpdateInfo = await this.loadBeforeUpdateEntities(
+        mutationModel,
+        node.where,
+        proceed,
+        // force load pre-update entities if dialect doesn't support returning,
+        // so we can rely on pre-update ids to read back updated entities
+        !this.dialect.supportsReturning
+      );
     }
     const result = await proceed(this.transformNode(node));
-    if (hasPostUpdatePolicies && result.rows.length > 0) {
-      if (beforeUpdateInfo) {
-        (0, import_common_helpers3.invariant)(beforeUpdateInfo.rows.length === result.rows.length);
-        const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
-        for (const postRow of result.rows) {
-          const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
-          if (!beforeRow) {
-            throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
-          }
-        }
-      }
-      const idConditions = this.buildIdConditions(mutationModel, result.rows);
-      const postUpdateFilter = this.buildPolicyFilter(mutationModel, void 0, "post-update");
-      const eb = (0, import_kysely3.expressionBuilder)();
-      const beforeUpdateTable = beforeUpdateInfo ? {
-        kind: "SelectQueryNode",
-        from: import_kysely3.FromNode.create([
-          import_kysely3.ParensNode.create(import_kysely3.ValuesNode.create(beforeUpdateInfo.rows.map((r) => import_kysely3.PrimitiveValueListNode.create(beforeUpdateInfo.fields.map((f) => r[f])))))
-        ]),
-        selections: beforeUpdateInfo.fields.map((name, index) => {
-          const def = import_orm4.QueryUtils.requireField(this.client.$schema, mutationModel, name);
-          const castedColumnRef = import_kysely3.sql`CAST(${eb.ref(`column${index + 1}`)} as ${import_kysely3.sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-          return import_kysely3.SelectionNode.create(castedColumnRef.toOperationNode());
-        })
-      } : void 0;
-      const postUpdateQuery = eb.selectFrom(mutationModel).select(() => [
-        eb(eb.fn("COUNT", [
-          eb.lit(1)
-        ]), "=", result.rows.length).as("$condition")
-      ]).where(() => new import_kysely3.ExpressionWrapper(conjunction(this.dialect, [
-        idConditions,
-        postUpdateFilter
-      ]))).$if(!!beforeUpdateInfo, (qb) => qb.leftJoin(() => new import_kysely3.ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
-        const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
-        return idFields.reduce((acc, f) => acc.onRef(`${mutationModel}.${f}`, "=", `$before.${f}`), join);
-      }));
-      const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
-      if (!postUpdateResult.rows[0]?.$condition) {
-        throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
-      }
+    if ((result.numAffectedRows ?? 0) > 0 && needsPostUpdateCheck) {
+      await this.postUpdateCheck(mutationModel, beforeUpdateInfo, result, proceed);
     }
     if (!node.returning || this.onlyReturningId(node)) {
       return this.postProcessMutationResult(result, node);
@@ -1027,12 +1087,69 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       modelLevelFilter,
       node.where?.where ?? trueNode(this.dialect)
     ]);
-    const preUpdateCheckQuery = (0, import_kysely3.expressionBuilder)().selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(eb.cast(new import_kysely3.ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)), "integer")), eb.lit(0)).as("$filteredCount")).where(() => new import_kysely3.ExpressionWrapper(updateFilter));
+    const preUpdateCheckQuery = this.eb.selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(this.dialect.castInt(new import_kysely3.ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)))), eb.lit(0)).as("$filteredCount")).where(() => new import_kysely3.ExpressionWrapper(updateFilter));
     const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
     if (preUpdateResult.rows[0].$filteredCount > 0) {
       throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.NO_ACCESS, "some rows cannot be updated due to field policies");
     }
   }
+  async postUpdateCheck(model, beforeUpdateInfo, updateResult, proceed) {
+    let postUpdateRows;
+    if (this.dialect.supportsReturning) {
+      postUpdateRows = updateResult.rows;
+    } else {
+      (0, import_common_helpers3.invariant)(beforeUpdateInfo, "beforeUpdateInfo must be defined for dialects not supporting returning");
+      const idConditions2 = this.buildIdConditions(model, beforeUpdateInfo.rows);
+      const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, model);
+      const postUpdateQuery2 = {
+        kind: "SelectQueryNode",
+        from: import_kysely3.FromNode.create([
+          import_kysely3.TableNode.create(model)
+        ]),
+        where: import_kysely3.WhereNode.create(idConditions2),
+        selections: idFields.map((field) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(field)))
+      };
+      const postUpdateQueryResult = await proceed(postUpdateQuery2);
+      postUpdateRows = postUpdateQueryResult.rows;
+    }
+    if (beforeUpdateInfo) {
+      if (beforeUpdateInfo.rows.length !== postUpdateRows.length) {
+        throw createRejectedByPolicyError(model, import_orm4.RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+      }
+      const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, model);
+      for (const postRow of postUpdateRows) {
+        const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
+        if (!beforeRow) {
+          throw createRejectedByPolicyError(model, import_orm4.RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+        }
+      }
+    }
+    const idConditions = this.buildIdConditions(model, postUpdateRows);
+    const postUpdateFilter = this.buildPolicyFilter(model, void 0, "post-update");
+    const eb = (0, import_kysely3.expressionBuilder)();
+    const needsBeforeUpdateJoin = !!beforeUpdateInfo?.fields;
+    let beforeUpdateTable = void 0;
+    if (needsBeforeUpdateJoin) {
+      const fieldDefs = beforeUpdateInfo.fields.map((name) => import_orm4.QueryUtils.requireField(this.client.$schema, model, name));
+      const rows = beforeUpdateInfo.rows.map((r) => beforeUpdateInfo.fields.map((f) => r[f]));
+      beforeUpdateTable = this.dialect.buildValuesTableSelect(fieldDefs, rows).toOperationNode();
+    }
+    const postUpdateQuery = eb.selectFrom(model).select(() => [
+      eb(eb.fn("COUNT", [
+        eb.lit(1)
+      ]), "=", Number(updateResult.numAffectedRows ?? 0)).as("$condition")
+    ]).where(() => new import_kysely3.ExpressionWrapper(conjunction(this.dialect, [
+      idConditions,
+      postUpdateFilter
+    ]))).$if(needsBeforeUpdateJoin, (qb) => qb.leftJoin(() => new import_kysely3.ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
+      const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, model);
+      return idFields.reduce((acc, f) => acc.onRef(`${model}.${f}`, "=", `$before.${f}`), join);
+    }));
+    const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
+    if (!postUpdateResult.rows[0]?.$condition) {
+      throw createRejectedByPolicyError(model, import_orm4.RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
+    }
+  }
   // #endregion
   // #region Transformations
   transformSelectQuery(node) {
@@ -1100,6 +1217,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     };
   }
   transformInsertQuery(node) {
+    let processedNode = node;
     let onConflict = node.onConflict;
     if (onConflict?.updates) {
       const { mutationModel, alias } = this.getMutationModel(node);
@@ -1118,11 +1236,36 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
           updateWhere: import_kysely3.WhereNode.create(filter)
         };
       }
+      processedNode = {
+        ...node,
+        onConflict
+      };
+    }
+    let onDuplicateKey = node.onDuplicateKey;
+    if (onDuplicateKey?.updates) {
+      const { mutationModel } = this.getMutationModel(node);
+      const filterWithTableRef = this.buildPolicyFilter(mutationModel, void 0, "update");
+      const filter = this.stripTableReferences(filterWithTableRef, mutationModel);
+      const wrappedUpdates = onDuplicateKey.updates.map((update) => {
+        const columnName = import_kysely3.ColumnNode.is(update.column) ? update.column.column.name : void 0;
+        if (!columnName) {
+          return update;
+        }
+        const wrappedValue = import_kysely3.sql`IF(${new import_kysely3.ExpressionWrapper(filter)}, ${new import_kysely3.ExpressionWrapper(update.value)}, ${import_kysely3.sql.ref(columnName)})`.toOperationNode();
+        return {
+          ...update,
+          value: wrappedValue
+        };
+      });
+      onDuplicateKey = {
+        ...onDuplicateKey,
+        updates: wrappedUpdates
+      };
+      processedNode = {
+        ...processedNode,
+        onDuplicateKey
+      };
     }
-    const processedNode = onConflict ? {
-      ...node,
-      onConflict
-    } : node;
     const result = super.transformInsertQuery(processedNode);
     let returning = result.returning;
     if (returning) {
@@ -1150,7 +1293,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       }
     }
     let returning = result.returning;
-    if (returning || this.hasPostUpdatePolicies(mutationModel)) {
+    if (this.dialect.supportsReturning && (returning || this.hasPostUpdatePolicies(mutationModel))) {
       const idFields = import_orm4.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
       returning = import_kysely3.ReturningNode.create(idFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f))));
     }
@@ -1187,9 +1330,9 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
   }
   // #endregion
   // #region post-update
-  async loadBeforeUpdateEntities(model, where, proceed) {
+  async loadBeforeUpdateEntities(model, where, proceed, forceLoad = false) {
     const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
-    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+    if (!forceLoad && (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0)) {
       return void 0;
     }
     const policyFilter = this.buildPolicyFilter(model, model, "update");
@@ -1197,15 +1340,14 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       where.where,
       policyFilter
     ]) : policyFilter;
+    const selections = beforeUpdateAccessFields ?? import_orm4.QueryUtils.requireIdFields(this.client.$schema, model);
     const query = {
       kind: "SelectQueryNode",
       from: import_kysely3.FromNode.create([
         import_kysely3.TableNode.create(model)
       ]),
       where: import_kysely3.WhereNode.create(combinedFilter),
-      selections: [
-        ...beforeUpdateAccessFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f)))
-      ]
+      selections: selections.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f)))
     };
     const result = await proceed(query);
     return {
@@ -1385,43 +1527,24 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     }
   }
   async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
-    const allFields = Object.entries(import_orm4.QueryUtils.requireModel(this.client.$schema, model).fields).filter(([, def]) => !def.relation);
+    const allFields = import_orm4.QueryUtils.getModelFields(this.client.$schema, model, {
+      inherited: true
+    });
     const allValues = [];
-    for (const [name, _def] of allFields) {
-      const index = fields.indexOf(name);
+    for (const def of allFields) {
+      const index = fields.indexOf(def.name);
       if (index >= 0) {
-        allValues.push(values[index]);
+        allValues.push(new import_kysely3.ExpressionWrapper(values[index]));
       } else {
-        allValues.push(import_kysely3.ValueNode.createImmediate(null));
+        allValues.push(this.eb.lit(null));
       }
     }
-    const eb = (0, import_kysely3.expressionBuilder)();
-    const constTable = {
-      kind: "SelectQueryNode",
-      from: import_kysely3.FromNode.create([
-        import_kysely3.AliasNode.create(import_kysely3.ParensNode.create(import_kysely3.ValuesNode.create([
-          import_kysely3.ValueListNode.create(allValues)
-        ])), import_kysely3.IdentifierNode.create("$t"))
-      ]),
-      selections: allFields.map(([name, def], index) => {
-        const castedColumnRef = import_kysely3.sql`CAST(${eb.ref(`column${index + 1}`)} as ${import_kysely3.sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-        return import_kysely3.SelectionNode.create(castedColumnRef.toOperationNode());
-      })
-    };
+    const valuesTable = this.dialect.buildValuesTableSelect(allFields, [
+      allValues
+    ]);
     const filter = this.buildPolicyFilter(model, void 0, "create");
-    const preCreateCheck = {
-      kind: "SelectQueryNode",
-      from: import_kysely3.FromNode.create([
-        import_kysely3.AliasNode.create(constTable, import_kysely3.IdentifierNode.create(model))
-      ]),
-      selections: [
-        import_kysely3.SelectionNode.create(import_kysely3.AliasNode.create(import_kysely3.BinaryOperationNode.create(import_kysely3.FunctionNode.create("COUNT", [
-          import_kysely3.ValueNode.createImmediate(1)
-        ]), import_kysely3.OperatorNode.create(">"), import_kysely3.ValueNode.createImmediate(0)), import_kysely3.IdentifierNode.create("$condition")))
-      ],
-      where: import_kysely3.WhereNode.create(filter)
-    };
-    const result = await proceed(preCreateCheck);
+    const preCreateCheck = this.eb.selectFrom(valuesTable.as(model)).select(this.eb(this.eb.fn.count(this.eb.lit(1)), ">", 0).as("$condition")).where(() => new import_kysely3.ExpressionWrapper(filter));
+    const result = await proceed(preCreateCheck.toOperationNode());
     if (!result.rows[0]?.$condition) {
       throw createRejectedByPolicyError(model, import_orm4.RejectedByPolicyReason.NO_ACCESS);
     }
@@ -1446,18 +1569,19 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
         const fieldDef = import_orm4.QueryUtils.requireField(this.client.$schema, model, fields[i]);
         (0, import_common_helpers3.invariant)(item.kind === "ValueNode", "expecting a ValueNode");
         result.push({
-          node: import_kysely3.ValueNode.create(this.dialect.transformPrimitive(item.value, fieldDef.type, !!fieldDef.array)),
+          node: import_kysely3.ValueNode.create(this.dialect.transformInput(item.value, fieldDef.type, !!fieldDef.array)),
           raw: item.value
         });
       } else {
         let value = item;
         if (!isImplicitManyToManyJoinTable) {
           const fieldDef = import_orm4.QueryUtils.requireField(this.client.$schema, model, fields[i]);
-          value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+          value = this.dialect.transformInput(item, fieldDef.type, !!fieldDef.array);
         }
         if (Array.isArray(value)) {
+          const fieldDef = import_orm4.QueryUtils.requireField(this.client.$schema, model, fields[i]);
           result.push({
-            node: import_kysely3.RawNode.createWithSql(this.dialect.buildArrayLiteralSQL(value)),
+            node: this.dialect.buildArrayValue(value, fieldDef.type).toOperationNode(),
             raw: value
           });
         } else {
@@ -1705,11 +1829,10 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       return void 0;
     }
     const checkForOperation = operation === "read" ? "read" : "update";
-    const eb = (0, import_kysely3.expressionBuilder)();
     const joinTable = alias ?? tableName;
-    const aQuery = eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
-    const bQuery = eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
-    return eb.and([
+    const aQuery = this.eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
+    const bQuery = this.eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
+    return this.eb.and([
       aQuery,
       bQuery
     ]).toOperationNode();
@@ -1740,6 +1863,26 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       };
     }
   }
+  // strips table references from an OperationNode
+  stripTableReferences(node, modelName) {
+    return new TableReferenceStripper().strip(node, modelName);
+  }
+};
+var TableReferenceStripper = class TableReferenceStripper2 extends import_kysely3.OperationNodeTransformer {
+  static {
+    __name(this, "TableReferenceStripper");
+  }
+  tableName = "";
+  strip(node, tableName) {
+    this.tableName = tableName;
+    return this.transformNode(node);
+  }
+  transformReference(node) {
+    if (import_kysely3.ColumnNode.is(node.column) && node.table?.table.identifier.name === this.tableName) {
+      return import_kysely3.ReferenceNode.create(this.transformNode(node.column));
+    }
+    return super.transformReference(node);
+  }
 };
 // src/functions.ts
@@ -1788,7 +1931,7 @@ var check = /* @__PURE__ */ __name((eb, args, { client, model, modelAlias, opera
   const policyHandler = new PolicyHandler(client);
   const op = arg2Node ? arg2Node.value : operation;
   const policyCondition = policyHandler.buildPolicyFilter(relationModel, void 0, op);
-  const result = eb.selectFrom(relationModel).where(joinCondition).select(new import_kysely4.ExpressionWrapper(policyCondition).as("$condition"));
+  const result = eb.selectFrom(eb.selectFrom(relationModel).where(joinCondition).select(new import_kysely4.ExpressionWrapper(policyCondition).as("$condition")).as("$sub")).selectAll();
   return result;
 }, "check");