npm - @zenstackhq/plugin-policy - Versions diffs - 3.3.0-beta.2 → 3.3.0-beta.4 - Mend

@zenstackhq/plugin-policy 3.3.0-beta.2 → 3.3.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -4,13 +4,13 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 // src/functions.ts
 import { invariant as invariant4 } from "@zenstackhq/common-helpers";
 import { CRUD, QueryUtils as QueryUtils3 } from "@zenstackhq/orm";
-import { ExpressionWrapper as ExpressionWrapper2, ValueNode as ValueNode4 } from "kysely";
+import { ExpressionWrapper as ExpressionWrapper3, ValueNode as ValueNode4 } from "kysely";
 // src/policy-handler.ts
 import { invariant as invariant3 } from "@zenstackhq/common-helpers";
 import { getCrudDialect as getCrudDialect2, QueryUtils as QueryUtils2, RejectedByPolicyReason, SchemaUtils as SchemaUtils2 } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils4 } from "@zenstackhq/orm/schema";
-import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
+import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder2, ExpressionWrapper as ExpressionWrapper2, FromNode as FromNode2, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, ReferenceNode as ReferenceNode3, ReturningNode, SelectAllNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql, TableNode as TableNode3, UpdateQueryNode, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
 import { match as match3 } from "ts-pattern";
 // src/column-collector.ts
@@ -36,19 +36,19 @@ var ColumnCollector = class extends KyselyUtils.DefaultOperationNodeVisitor {
 import { invariant as invariant2 } from "@zenstackhq/common-helpers";
 import { getCrudDialect, QueryUtils, SchemaUtils } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils3 } from "@zenstackhq/orm/schema";
-import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode as ColumnNode2, expressionBuilder, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
+import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode as ColumnNode2, expressionBuilder, ExpressionWrapper, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
 import { match as match2 } from "ts-pattern";
 // src/expression-evaluator.ts
 import { invariant } from "@zenstackhq/common-helpers";
-import { match } from "ts-pattern";
 import { ExpressionUtils } from "@zenstackhq/orm/schema";
+import { match } from "ts-pattern";
 var ExpressionEvaluator = class {
   static {
     __name(this, "ExpressionEvaluator");
   }
   evaluate(expression, context) {
-    const result = match(expression).when(ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(ExpressionUtils.isThis, () => context.thisValue).when(ExpressionUtils.isNull, () => null).exhaustive();
+    const result = match(expression).when(ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(ExpressionUtils.isBinding, (expr2) => this.evaluateBinding(expr2, context)).when(ExpressionUtils.isThis, () => context.thisValue).when(ExpressionUtils.isNull, () => null).exhaustive();
     return result ?? null;
   }
   evaluateCall(expr2, context) {
@@ -72,6 +72,9 @@ var ExpressionEvaluator = class {
     return expr2.value;
   }
   evaluateField(expr2, context) {
+    if (context.bindingScope && expr2.field in context.bindingScope) {
+      return context.bindingScope[expr2.field];
+    }
     return context.thisValue?.[expr2.field];
   }
   evaluateArray(expr2, context) {
@@ -105,15 +108,33 @@ var ExpressionEvaluator = class {
     invariant(Array.isArray(left), "expected array");
     return match(op).with("?", () => left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("!", () => left.every((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).with("^", () => !left.some((item) => this.evaluate(expr2.right, {
       ...context,
-      thisValue: item
+      thisValue: item,
+      bindingScope: expr2.binding ? {
+        ...context.bindingScope ?? {},
+        [expr2.binding]: item
+      } : context.bindingScope
     }))).exhaustive();
   }
+  evaluateBinding(expr2, context) {
+    if (!context.bindingScope || !(expr2.name in context.bindingScope)) {
+      throw new Error(`Unresolved binding: ${expr2.name}`);
+    }
+    return context.bindingScope[expr2.name];
+  }
 };
 // src/types.ts
@@ -128,11 +149,11 @@ import { ORMError, ORMErrorReason } from "@zenstackhq/orm";
 import { ExpressionUtils as ExpressionUtils2 } from "@zenstackhq/orm/schema";
 import { AliasNode, AndNode, BinaryOperationNode, ColumnNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
 function trueNode(dialect) {
-  return ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
+  return ValueNode.createImmediate(dialect.transformInput(true, "Boolean", false));
 }
 __name(trueNode, "trueNode");
 function falseNode(dialect) {
-  return ValueNode.createImmediate(dialect.transformPrimitive(false, "Boolean", false));
+  return ValueNode.createImmediate(dialect.transformInput(false, "Boolean", false));
 }
 __name(falseNode, "falseNode");
 function isTrueNode(node) {
@@ -266,6 +287,7 @@ var ExpressionTransformer = class {
   }
   client;
   dialect;
+  eb = expressionBuilder();
   constructor(client) {
     this.client = client;
     this.dialect = getCrudDialect(this.schema, this.clientOptions);
@@ -290,13 +312,15 @@ var ExpressionTransformer = class {
     if (!handler) {
       throw new Error(`Unsupported expression kind: ${expression.kind}`);
     }
-    return handler.value.call(this, expression, context);
+    const result = handler.value.call(this, expression, context);
+    invariant2("kind" in result, `expression handler must return an OperationNode: transforming ${expression.kind}`);
+    return result;
   }
   _literal(expr2) {
     return this.transformValue(expr2.value, typeof expr2.value === "string" ? "String" : typeof expr2.value === "boolean" ? "Boolean" : "Int");
   }
   _array(expr2, context) {
-    return ValueListNode.create(expr2.items.map((item) => this.transform(item, context)));
+    return this.dialect.buildArrayValue(expr2.items.map((item) => new ExpressionWrapper(this.transform(item, context))), expr2.type).toOperationNode();
   }
   _field(expr2, context) {
     if (context.contextValue) {
@@ -426,7 +450,8 @@ var ExpressionTransformer = class {
       const evaluator = new ExpressionEvaluator();
       const receiver = evaluator.evaluate(expr2.left, {
         thisValue: context.contextValue,
-        auth: this.auth
+        auth: this.auth,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       const baseType = this.isAuthMember(expr2.left) ? this.authType : context.modelOrType;
       const memberType = this.getMemberType(baseType, expr2.left);
@@ -442,18 +467,31 @@ var ExpressionTransformer = class {
       invariant2(fieldDef.relation, `field is not a relation: ${JSON.stringify(expr2.left)}`);
       newContextModel = fieldDef.type;
     } else {
-      invariant2(ExpressionUtils3.isMember(expr2.left) && ExpressionUtils3.isField(expr2.left.receiver), "left operand must be member access with field receiver");
-      const fieldDef2 = QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
-      newContextModel = fieldDef2.type;
+      invariant2(ExpressionUtils3.isMember(expr2.left) && (ExpressionUtils3.isField(expr2.left.receiver) || ExpressionUtils3.isBinding(expr2.left.receiver)), "left operand must be member access with field receiver");
+      if (ExpressionUtils3.isField(expr2.left.receiver)) {
+        const fieldDef2 = QueryUtils.requireField(this.schema, context.modelOrType, expr2.left.receiver.field);
+        newContextModel = fieldDef2.type;
+      } else {
+        const binding = this.requireBindingScope(expr2.left.receiver, context);
+        newContextModel = binding.type;
+      }
       for (const member of expr2.left.members) {
         const memberDef = QueryUtils.requireField(this.schema, newContextModel, member);
         newContextModel = memberDef.type;
       }
     }
+    const bindingScope = expr2.binding ? {
+      ...context.bindingScope ?? {},
+      [expr2.binding]: {
+        type: newContextModel,
+        alias: newContextModel
+      }
+    } : context.bindingScope;
     let predicateFilter = this.transform(expr2.right, {
       ...context,
       modelOrType: newContextModel,
-      alias: void 0
+      alias: void 0,
+      bindingScope
     });
     if (expr2.op === "!") {
       predicateFilter = logicalNot(this.dialect, predicateFilter);
@@ -480,18 +518,30 @@ var ExpressionTransformer = class {
     if (!visitor.find(expr2.right)) {
       const value = new ExpressionEvaluator().evaluate(expr2, {
         auth: this.auth,
-        thisValue: context.contextValue
+        thisValue: context.contextValue,
+        bindingScope: this.getEvaluationBindingScope(context.bindingScope)
       });
       return this.transformValue(value, "Boolean");
     } else {
       invariant2(Array.isArray(receiver), "array value is expected");
-      const components = receiver.map((item) => this.transform(expr2.right, {
-        operation: context.operation,
-        thisType: context.thisType,
-        thisAlias: context.thisAlias,
-        modelOrType: context.modelOrType,
-        contextValue: item
-      }));
+      const components = receiver.map((item) => {
+        const bindingScope = expr2.binding ? {
+          ...context.bindingScope ?? {},
+          [expr2.binding]: {
+            type: context.modelOrType,
+            alias: context.thisAlias ?? context.modelOrType,
+            value: item
+          }
+        } : context.bindingScope;
+        return this.transform(expr2.right, {
+          operation: context.operation,
+          thisType: context.thisType,
+          thisAlias: context.thisAlias,
+          modelOrType: context.modelOrType,
+          contextValue: item,
+          bindingScope
+        });
+      });
       return match2(expr2.op).with("?", () => disjunction(this.dialect, components)).with("!", () => conjunction(this.dialect, components)).with("^", () => logicalNot(this.dialect, disjunction(this.dialect, components))).exhaustive();
     }
   }
@@ -557,9 +607,11 @@ var ExpressionTransformer = class {
       return trueNode(this.dialect);
     } else if (value === false) {
       return falseNode(this.dialect);
+    } else if (Array.isArray(value)) {
+      return this.dialect.buildArrayValue(value.map((v) => new ExpressionWrapper(this.transformValue(v, type))), type).toOperationNode();
     } else {
-      const transformed = this.dialect.transformPrimitive(value, type, false) ?? null;
-      if (!Array.isArray(transformed)) {
+      const transformed = this.dialect.transformInput(value, type, false) ?? null;
+      if (typeof transformed !== "string") {
         return ValueNode2.createImmediate(transformed);
       } else {
         return ValueNode2.create(transformed);
@@ -583,8 +635,7 @@ var ExpressionTransformer = class {
     if (!func) {
       throw createUnsupportedError(`Function not implemented: ${expr2.function}`);
     }
-    const eb = expressionBuilder();
-    return func(eb, (expr2.args ?? []).map((arg) => this.transformCallArg(eb, arg, context)), {
+    return func(this.eb, (expr2.args ?? []).map((arg) => this.transformCallArg(arg, context)), {
       client: this.client,
       dialect: this.dialect,
       model: context.modelOrType,
@@ -604,23 +655,20 @@ var ExpressionTransformer = class {
     }
     return func;
   }
-  transformCallArg(eb, arg, context) {
-    if (ExpressionUtils3.isLiteral(arg)) {
-      return eb.val(arg.value);
-    }
+  transformCallArg(arg, context) {
     if (ExpressionUtils3.isField(arg)) {
-      return eb.ref(arg.field);
-    }
-    if (ExpressionUtils3.isCall(arg)) {
-      return this.transformCall(arg, context);
-    }
-    if (this.isAuthMember(arg)) {
-      const valNode = this.valueMemberAccess(this.auth, arg, this.authType);
-      return valNode ? eb.val(valNode.value) : eb.val(null);
+      return this.eb.ref(arg.field);
+    } else {
+      return new ExpressionWrapper(this.transform(arg, context));
     }
-    throw createUnsupportedError(`Unsupported argument expression: ${arg.kind}`);
   }
   _member(expr2, context) {
+    if (ExpressionUtils3.isBinding(expr2.receiver)) {
+      const scope = this.requireBindingScope(expr2.receiver, context);
+      if (scope.value !== void 0) {
+        return this.valueMemberAccess(scope.value, expr2, scope.type);
+      }
+    }
     if (this.isAuthCall(expr2.receiver)) {
       return this.valueMemberAccess(this.auth, expr2, this.authType);
     }
@@ -629,9 +677,10 @@ var ExpressionTransformer = class {
       invariant2(expr2.members.length === 1, "before() can only be followed by a scalar field access");
       return ReferenceNode2.create(ColumnNode2.create(expr2.members[0]), TableNode2.create("$before"));
     }
-    invariant2(ExpressionUtils3.isField(expr2.receiver) || ExpressionUtils3.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
+    invariant2(ExpressionUtils3.isField(expr2.receiver) || ExpressionUtils3.isThis(expr2.receiver) || ExpressionUtils3.isBinding(expr2.receiver), 'expect receiver to be field expression, collection predicate binding, or "this"');
     let members = expr2.members;
     let receiver;
+    let startType;
     const { memberFilter, memberSelect, ...restContext } = context;
     if (ExpressionUtils3.isThis(expr2.receiver)) {
       if (expr2.members.length === 1) {
@@ -646,17 +695,40 @@ var ExpressionTransformer = class {
         const firstMemberFieldDef = QueryUtils.requireField(this.schema, context.thisType, expr2.members[0]);
         receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
         members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
+      }
+    } else if (ExpressionUtils3.isBinding(expr2.receiver)) {
+      if (expr2.members.length === 1) {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        return this._field(ExpressionUtils3.field(expr2.members[0]), {
+          ...context,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias,
+          thisType: context.thisType,
+          contextValue: void 0
+        });
+      } else {
+        const bindingScope = this.requireBindingScope(expr2.receiver, context);
+        const firstMemberFieldDef = QueryUtils.requireField(this.schema, bindingScope.type, expr2.members[0]);
+        receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, {
+          ...restContext,
+          modelOrType: bindingScope.type,
+          alias: bindingScope.alias
+        });
+        members = expr2.members.slice(1);
+        startType = firstMemberFieldDef.type;
       }
     } else {
       receiver = this.transform(expr2.receiver, restContext);
     }
     invariant2(SelectQueryNode.is(receiver), "expected receiver to be select query");
-    let startType;
-    if (ExpressionUtils3.isField(expr2.receiver)) {
-      const receiverField = QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
-      startType = receiverField.type;
-    } else {
-      startType = context.thisType;
+    if (startType === void 0) {
+      if (ExpressionUtils3.isField(expr2.receiver)) {
+        const receiverField = QueryUtils.requireField(this.schema, context.modelOrType, expr2.receiver.field);
+        startType = receiverField.type;
+      } else {
+        startType = context.thisType;
+      }
     }
     const memberFields = [];
     let currType = startType;
@@ -707,6 +779,11 @@ var ExpressionTransformer = class {
       ]
     };
   }
+  requireBindingScope(expr2, context) {
+    const binding = context.bindingScope?.[expr2.name];
+    invariant2(binding, `binding not found: ${expr2.name}`);
+    return binding;
+  }
   valueMemberAccess(receiver, expr2, receiverType) {
     if (!receiver) {
       return ValueNode2.createImmediate(null);
@@ -772,6 +849,19 @@ var ExpressionTransformer = class {
     }
     return this.buildDelegateBaseFieldSelect(context.modelOrType, tableName, column, fieldDef.originModel);
   }
+  // convert transformer's binding scope to equivalent expression evaluator binding scope
+  getEvaluationBindingScope(scope) {
+    if (!scope) {
+      return void 0;
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(scope)) {
+      if (value.value !== void 0) {
+        result[key] = value.value;
+      }
+    }
+    return Object.keys(result).length > 0 ? result : void 0;
+  }
   buildDelegateBaseFieldSelect(model, modelAlias, field, baseModel) {
     const idFields = QueryUtils.requireIdFields(this.client.$schema, model);
     return {
@@ -896,6 +986,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   client;
   dialect;
+  eb = expressionBuilder2();
   constructor(client) {
     super(), this.client = client;
     this.dialect = getCrudDialect2(this.client.$schema, this.client.$options);
@@ -919,52 +1010,21 @@ var PolicyHandler = class extends OperationNodeTransformer {
     if (UpdateQueryNode.is(node)) {
       await this.preUpdateCheck(mutationModel, node, proceed);
     }
-    const hasPostUpdatePolicies = UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
+    const needsPostUpdateCheck = UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
     let beforeUpdateInfo;
-    if (hasPostUpdatePolicies) {
-      beforeUpdateInfo = await this.loadBeforeUpdateEntities(mutationModel, node.where, proceed);
+    if (needsPostUpdateCheck) {
+      beforeUpdateInfo = await this.loadBeforeUpdateEntities(
+        mutationModel,
+        node.where,
+        proceed,
+        // force load pre-update entities if dialect doesn't support returning,
+        // so we can rely on pre-update ids to read back updated entities
+        !this.dialect.supportsReturning
+      );
     }
     const result = await proceed(this.transformNode(node));
-    if (hasPostUpdatePolicies && result.rows.length > 0) {
-      if (beforeUpdateInfo) {
-        invariant3(beforeUpdateInfo.rows.length === result.rows.length);
-        const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-        for (const postRow of result.rows) {
-          const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
-          if (!beforeRow) {
-            throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
-          }
-        }
-      }
-      const idConditions = this.buildIdConditions(mutationModel, result.rows);
-      const postUpdateFilter = this.buildPolicyFilter(mutationModel, void 0, "post-update");
-      const eb = expressionBuilder2();
-      const beforeUpdateTable = beforeUpdateInfo ? {
-        kind: "SelectQueryNode",
-        from: FromNode2.create([
-          ParensNode2.create(ValuesNode.create(beforeUpdateInfo.rows.map((r) => PrimitiveValueListNode.create(beforeUpdateInfo.fields.map((f) => r[f])))))
-        ]),
-        selections: beforeUpdateInfo.fields.map((name, index) => {
-          const def = QueryUtils2.requireField(this.client.$schema, mutationModel, name);
-          const castedColumnRef = sql`CAST(${eb.ref(`column${index + 1}`)} as ${sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-          return SelectionNode2.create(castedColumnRef.toOperationNode());
-        })
-      } : void 0;
-      const postUpdateQuery = eb.selectFrom(mutationModel).select(() => [
-        eb(eb.fn("COUNT", [
-          eb.lit(1)
-        ]), "=", result.rows.length).as("$condition")
-      ]).where(() => new ExpressionWrapper(conjunction(this.dialect, [
-        idConditions,
-        postUpdateFilter
-      ]))).$if(!!beforeUpdateInfo, (qb) => qb.leftJoin(() => new ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
-        const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
-        return idFields.reduce((acc, f) => acc.onRef(`${mutationModel}.${f}`, "=", `$before.${f}`), join);
-      }));
-      const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
-      if (!postUpdateResult.rows[0]?.$condition) {
-        throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
-      }
+    if ((result.numAffectedRows ?? 0) > 0 && needsPostUpdateCheck) {
+      await this.postUpdateCheck(mutationModel, beforeUpdateInfo, result, proceed);
     }
     if (!node.returning || this.onlyReturningId(node)) {
       return this.postProcessMutationResult(result, node);
@@ -1003,12 +1063,69 @@ var PolicyHandler = class extends OperationNodeTransformer {
       modelLevelFilter,
       node.where?.where ?? trueNode(this.dialect)
     ]);
-    const preUpdateCheckQuery = expressionBuilder2().selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(eb.cast(new ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)), "integer")), eb.lit(0)).as("$filteredCount")).where(() => new ExpressionWrapper(updateFilter));
+    const preUpdateCheckQuery = this.eb.selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(this.dialect.castInt(new ExpressionWrapper2(logicalNot(this.dialect, fieldLevelFilter)))), eb.lit(0)).as("$filteredCount")).where(() => new ExpressionWrapper2(updateFilter));
     const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
     if (preUpdateResult.rows[0].$filteredCount > 0) {
       throw createRejectedByPolicyError(mutationModel, RejectedByPolicyReason.NO_ACCESS, "some rows cannot be updated due to field policies");
     }
   }
+  async postUpdateCheck(model, beforeUpdateInfo, updateResult, proceed) {
+    let postUpdateRows;
+    if (this.dialect.supportsReturning) {
+      postUpdateRows = updateResult.rows;
+    } else {
+      invariant3(beforeUpdateInfo, "beforeUpdateInfo must be defined for dialects not supporting returning");
+      const idConditions2 = this.buildIdConditions(model, beforeUpdateInfo.rows);
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      const postUpdateQuery2 = {
+        kind: "SelectQueryNode",
+        from: FromNode2.create([
+          TableNode3.create(model)
+        ]),
+        where: WhereNode2.create(idConditions2),
+        selections: idFields.map((field) => SelectionNode2.create(ColumnNode3.create(field)))
+      };
+      const postUpdateQueryResult = await proceed(postUpdateQuery2);
+      postUpdateRows = postUpdateQueryResult.rows;
+    }
+    if (beforeUpdateInfo) {
+      if (beforeUpdateInfo.rows.length !== postUpdateRows.length) {
+        throw createRejectedByPolicyError(model, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+      }
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      for (const postRow of postUpdateRows) {
+        const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
+        if (!beforeRow) {
+          throw createRejectedByPolicyError(model, RejectedByPolicyReason.OTHER, "Before-update and after-update rows do not match. If you have post-update policies on a model, updating id fields is not supported.");
+        }
+      }
+    }
+    const idConditions = this.buildIdConditions(model, postUpdateRows);
+    const postUpdateFilter = this.buildPolicyFilter(model, void 0, "post-update");
+    const eb = expressionBuilder2();
+    const needsBeforeUpdateJoin = !!beforeUpdateInfo?.fields;
+    let beforeUpdateTable = void 0;
+    if (needsBeforeUpdateJoin) {
+      const fieldDefs = beforeUpdateInfo.fields.map((name) => QueryUtils2.requireField(this.client.$schema, model, name));
+      const rows = beforeUpdateInfo.rows.map((r) => beforeUpdateInfo.fields.map((f) => r[f]));
+      beforeUpdateTable = this.dialect.buildValuesTableSelect(fieldDefs, rows).toOperationNode();
+    }
+    const postUpdateQuery = eb.selectFrom(model).select(() => [
+      eb(eb.fn("COUNT", [
+        eb.lit(1)
+      ]), "=", Number(updateResult.numAffectedRows ?? 0)).as("$condition")
+    ]).where(() => new ExpressionWrapper2(conjunction(this.dialect, [
+      idConditions,
+      postUpdateFilter
+    ]))).$if(needsBeforeUpdateJoin, (qb) => qb.leftJoin(() => new ExpressionWrapper2(beforeUpdateTable).as("$before"), (join) => {
+      const idFields = QueryUtils2.requireIdFields(this.client.$schema, model);
+      return idFields.reduce((acc, f) => acc.onRef(`${model}.${f}`, "=", `$before.${f}`), join);
+    }));
+    const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
+    if (!postUpdateResult.rows[0]?.$condition) {
+      throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
+    }
+  }
   // #endregion
   // #region Transformations
   transformSelectQuery(node) {
@@ -1076,6 +1193,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
     };
   }
   transformInsertQuery(node) {
+    let processedNode = node;
     let onConflict = node.onConflict;
     if (onConflict?.updates) {
       const { mutationModel, alias } = this.getMutationModel(node);
@@ -1094,11 +1212,36 @@ var PolicyHandler = class extends OperationNodeTransformer {
           updateWhere: WhereNode2.create(filter)
         };
       }
+      processedNode = {
+        ...node,
+        onConflict
+      };
+    }
+    let onDuplicateKey = node.onDuplicateKey;
+    if (onDuplicateKey?.updates) {
+      const { mutationModel } = this.getMutationModel(node);
+      const filterWithTableRef = this.buildPolicyFilter(mutationModel, void 0, "update");
+      const filter = this.stripTableReferences(filterWithTableRef, mutationModel);
+      const wrappedUpdates = onDuplicateKey.updates.map((update) => {
+        const columnName = ColumnNode3.is(update.column) ? update.column.column.name : void 0;
+        if (!columnName) {
+          return update;
+        }
+        const wrappedValue = sql`IF(${new ExpressionWrapper2(filter)}, ${new ExpressionWrapper2(update.value)}, ${sql.ref(columnName)})`.toOperationNode();
+        return {
+          ...update,
+          value: wrappedValue
+        };
+      });
+      onDuplicateKey = {
+        ...onDuplicateKey,
+        updates: wrappedUpdates
+      };
+      processedNode = {
+        ...processedNode,
+        onDuplicateKey
+      };
     }
-    const processedNode = onConflict ? {
-      ...node,
-      onConflict
-    } : node;
     const result = super.transformInsertQuery(processedNode);
     let returning = result.returning;
     if (returning) {
@@ -1126,7 +1269,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       }
     }
     let returning = result.returning;
-    if (returning || this.hasPostUpdatePolicies(mutationModel)) {
+    if (this.dialect.supportsReturning && (returning || this.hasPostUpdatePolicies(mutationModel))) {
       const idFields = QueryUtils2.requireIdFields(this.client.$schema, mutationModel);
       returning = ReturningNode.create(idFields.map((f) => SelectionNode2.create(ColumnNode3.create(f))));
     }
@@ -1163,9 +1306,9 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   // #endregion
   // #region post-update
-  async loadBeforeUpdateEntities(model, where, proceed) {
+  async loadBeforeUpdateEntities(model, where, proceed, forceLoad = false) {
     const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
-    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+    if (!forceLoad && (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0)) {
       return void 0;
     }
     const policyFilter = this.buildPolicyFilter(model, model, "update");
@@ -1173,15 +1316,14 @@ var PolicyHandler = class extends OperationNodeTransformer {
       where.where,
       policyFilter
     ]) : policyFilter;
+    const selections = beforeUpdateAccessFields ?? QueryUtils2.requireIdFields(this.client.$schema, model);
     const query = {
       kind: "SelectQueryNode",
       from: FromNode2.create([
         TableNode3.create(model)
       ]),
       where: WhereNode2.create(combinedFilter),
-      selections: [
-        ...beforeUpdateAccessFields.map((f) => SelectionNode2.create(ColumnNode3.create(f)))
-      ]
+      selections: selections.map((f) => SelectionNode2.create(ColumnNode3.create(f)))
     };
     const result = await proceed(query);
     return {
@@ -1262,7 +1404,7 @@ var PolicyHandler = class extends OperationNodeTransformer {
       };
     }
     const eb = expressionBuilder2();
-    const selection = eb.case().when(new ExpressionWrapper(filter)).then(eb.ref(field)).else(null).end().as(field).toOperationNode();
+    const selection = eb.case().when(new ExpressionWrapper2(filter)).then(eb.ref(field)).else(null).end().as(field).toOperationNode();
     return {
       hasPolicies: true,
       selection: SelectionNode2.create(selection)
@@ -1342,9 +1484,9 @@ var PolicyHandler = class extends OperationNodeTransformer {
     invariant3(bValue !== null && bValue !== void 0, "B value cannot be null or undefined");
     const eb = expressionBuilder2();
     const filterA = this.buildPolicyFilter(m2m.firstModel, void 0, "update");
-    const queryA = eb.selectFrom(m2m.firstModel).where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), "=", aValue)).select(() => new ExpressionWrapper(filterA).as("$t"));
+    const queryA = eb.selectFrom(m2m.firstModel).where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), "=", aValue)).select(() => new ExpressionWrapper2(filterA).as("$t"));
     const filterB = this.buildPolicyFilter(m2m.secondModel, void 0, "update");
-    const queryB = eb.selectFrom(m2m.secondModel).where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), "=", bValue)).select(() => new ExpressionWrapper(filterB).as("$t"));
+    const queryB = eb.selectFrom(m2m.secondModel).where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), "=", bValue)).select(() => new ExpressionWrapper2(filterB).as("$t"));
     const queryNode = {
       kind: "SelectQueryNode",
       selections: [
@@ -1361,43 +1503,24 @@ var PolicyHandler = class extends OperationNodeTransformer {
     }
   }
   async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
-    const allFields = Object.entries(QueryUtils2.requireModel(this.client.$schema, model).fields).filter(([, def]) => !def.relation);
+    const allFields = QueryUtils2.getModelFields(this.client.$schema, model, {
+      inherited: true
+    });
     const allValues = [];
-    for (const [name, _def] of allFields) {
-      const index = fields.indexOf(name);
+    for (const def of allFields) {
+      const index = fields.indexOf(def.name);
       if (index >= 0) {
-        allValues.push(values[index]);
+        allValues.push(new ExpressionWrapper2(values[index]));
       } else {
-        allValues.push(ValueNode3.createImmediate(null));
+        allValues.push(this.eb.lit(null));
       }
     }
-    const eb = expressionBuilder2();
-    const constTable = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        AliasNode3.create(ParensNode2.create(ValuesNode.create([
-          ValueListNode2.create(allValues)
-        ])), IdentifierNode2.create("$t"))
-      ]),
-      selections: allFields.map(([name, def], index) => {
-        const castedColumnRef = sql`CAST(${eb.ref(`column${index + 1}`)} as ${sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
-        return SelectionNode2.create(castedColumnRef.toOperationNode());
-      })
-    };
+    const valuesTable = this.dialect.buildValuesTableSelect(allFields, [
+      allValues
+    ]);
     const filter = this.buildPolicyFilter(model, void 0, "create");
-    const preCreateCheck = {
-      kind: "SelectQueryNode",
-      from: FromNode2.create([
-        AliasNode3.create(constTable, IdentifierNode2.create(model))
-      ]),
-      selections: [
-        SelectionNode2.create(AliasNode3.create(BinaryOperationNode3.create(FunctionNode3.create("COUNT", [
-          ValueNode3.createImmediate(1)
-        ]), OperatorNode3.create(">"), ValueNode3.createImmediate(0)), IdentifierNode2.create("$condition")))
-      ],
-      where: WhereNode2.create(filter)
-    };
-    const result = await proceed(preCreateCheck);
+    const preCreateCheck = this.eb.selectFrom(valuesTable.as(model)).select(this.eb(this.eb.fn.count(this.eb.lit(1)), ">", 0).as("$condition")).where(() => new ExpressionWrapper2(filter));
+    const result = await proceed(preCreateCheck.toOperationNode());
     if (!result.rows[0]?.$condition) {
       throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
     }
@@ -1422,18 +1545,19 @@ var PolicyHandler = class extends OperationNodeTransformer {
         const fieldDef = QueryUtils2.requireField(this.client.$schema, model, fields[i]);
         invariant3(item.kind === "ValueNode", "expecting a ValueNode");
         result.push({
-          node: ValueNode3.create(this.dialect.transformPrimitive(item.value, fieldDef.type, !!fieldDef.array)),
+          node: ValueNode3.create(this.dialect.transformInput(item.value, fieldDef.type, !!fieldDef.array)),
           raw: item.value
         });
       } else {
         let value = item;
         if (!isImplicitManyToManyJoinTable) {
           const fieldDef = QueryUtils2.requireField(this.client.$schema, model, fields[i]);
-          value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+          value = this.dialect.transformInput(item, fieldDef.type, !!fieldDef.array);
         }
         if (Array.isArray(value)) {
+          const fieldDef = QueryUtils2.requireField(this.client.$schema, model, fields[i]);
           result.push({
-            node: RawNode.createWithSql(this.dialect.buildArrayLiteralSQL(value)),
+            node: this.dialect.buildArrayValue(value, fieldDef.type).toOperationNode(),
             raw: value
           });
         } else {
@@ -1681,11 +1805,10 @@ var PolicyHandler = class extends OperationNodeTransformer {
       return void 0;
     }
     const checkForOperation = operation === "read" ? "read" : "update";
-    const eb = expressionBuilder2();
     const joinTable = alias ?? tableName;
-    const aQuery = eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
-    const bQuery = eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
-    return eb.and([
+    const aQuery = this.eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new ExpressionWrapper2(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
+    const bQuery = this.eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new ExpressionWrapper2(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
+    return this.eb.and([
       aQuery,
       bQuery
     ]).toOperationNode();
@@ -1716,6 +1839,26 @@ var PolicyHandler = class extends OperationNodeTransformer {
       };
     }
   }
+  // strips table references from an OperationNode
+  stripTableReferences(node, modelName) {
+    return new TableReferenceStripper().strip(node, modelName);
+  }
+};
+var TableReferenceStripper = class TableReferenceStripper2 extends OperationNodeTransformer {
+  static {
+    __name(this, "TableReferenceStripper");
+  }
+  tableName = "";
+  strip(node, tableName) {
+    this.tableName = tableName;
+    return this.transformNode(node);
+  }
+  transformReference(node) {
+    if (ColumnNode3.is(node.column) && node.table?.table.identifier.name === this.tableName) {
+      return ReferenceNode3.create(this.transformNode(node.column));
+    }
+    return super.transformReference(node);
+  }
 };
 // src/functions.ts
@@ -1764,7 +1907,7 @@ var check = /* @__PURE__ */ __name((eb, args, { client, model, modelAlias, opera
   const policyHandler = new PolicyHandler(client);
   const op = arg2Node ? arg2Node.value : operation;
   const policyCondition = policyHandler.buildPolicyFilter(relationModel, void 0, op);
-  const result = eb.selectFrom(relationModel).where(joinCondition).select(new ExpressionWrapper2(policyCondition).as("$condition"));
+  const result = eb.selectFrom(eb.selectFrom(relationModel).where(joinCondition).select(new ExpressionWrapper3(policyCondition).as("$condition")).as("$sub")).selectAll();
   return result;
 }, "check");