@zenstackhq/runtime 2.15.1 → 3.0.0-alpha.0

package/enhancements/edge/policy/policy-utils.js

@@ -1,1357 +0,0 @@
-"use strict";
-/* eslint-disable @typescript-eslint/no-explicit-any */
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.PolicyUtil = void 0;
-const deepmerge_1 = __importDefault(require("deepmerge"));
-const is_plain_object_1 = require("is-plain-object");
-const lower_case_first_1 = require("lower-case-first");
-const traverse_1 = __importDefault(require("traverse"));
-const upper_case_first_1 = require("upper-case-first");
-const zod_1 = require("zod");
-const zod_validation_error_1 = require("zod-validation-error");
-const constants_1 = require("../../../constants");
-const cross_1 = require("../../../cross");
-const version_1 = require("../../../version");
-const query_utils_1 = require("../query-utils");
-const utils_1 = require("../utils");
-/**
- * Access policy enforcement utilities
- */
-class PolicyUtil extends query_utils_1.QueryUtils {
-    constructor(db, options, context, shouldLogQuery = false) {
-        super(db, options);
-        this.db = db;
-        this.shouldLogQuery = shouldLogQuery;
-        //#endregion
-        //#region Auth guard
-        this.FULL_OPEN_MODEL_POLICY = {
-            modelLevel: {
-                read: { guard: true },
-                create: { guard: true, inputChecker: true },
-                update: { guard: true },
-                delete: { guard: true },
-                postUpdate: { guard: true },
-            },
-        };
-        this.user = context === null || context === void 0 ? void 0 : context.user;
-        ({
-            modelMeta: this.modelMeta,
-            policy: this.policy,
-            zodSchemas: this.zodSchemas,
-            prismaModule: this.prismaModule,
-        } = options);
-    }
-    //#region Logical operators
-    /**
-     * Creates a conjunction of a list of query conditions.
-     */
-    and(...conditions) {
-        const filtered = conditions.filter((c) => c !== undefined);
-        if (filtered.length === 0) {
-            return this.makeTrue();
-        }
-        else if (filtered.length === 1) {
-            return this.reduce(filtered[0]);
-        }
-        else {
-            return this.reduce({ AND: filtered });
-        }
-    }
-    /**
-     * Creates a disjunction of a list of query conditions.
-     */
-    or(...conditions) {
-        const filtered = conditions.filter((c) => c !== undefined);
-        if (filtered.length === 0) {
-            return this.makeFalse();
-        }
-        else if (filtered.length === 1) {
-            return this.reduce(filtered[0]);
-        }
-        else {
-            return this.reduce({ OR: filtered });
-        }
-    }
-    /**
-     * Creates a negation of a query condition.
-     */
-    not(condition) {
-        if (condition === undefined) {
-            return this.makeTrue();
-        }
-        else if (typeof condition === 'boolean') {
-            return this.reduce(!condition);
-        }
-        else {
-            return this.reduce({ NOT: condition });
-        }
-    }
-    // Static True/False conditions
-    // https://www.prisma.io/docs/concepts/components/prisma-client/null-and-undefined#the-effect-of-null-and-undefined-on-conditionals
-    singleKey(obj, key) {
-        if (!obj) {
-            return false;
-        }
-        else {
-            return Object.keys(obj).length === 1 && Object.keys(obj)[0] === key;
-        }
-    }
-    isTrue(condition) {
-        if (condition === null || condition === undefined || !(0, is_plain_object_1.isPlainObject)(condition)) {
-            return false;
-        }
-        // {} is true
-        if (Object.keys(condition).length === 0) {
-            return true;
-        }
-        // { OR: TRUE } is true
-        if (this.singleKey(condition, 'OR') && typeof condition.OR === 'object' && this.isTrue(condition.OR)) {
-            return true;
-        }
-        // { NOT: FALSE } is true
-        if (this.singleKey(condition, 'NOT') && typeof condition.NOT === 'object' && this.isFalse(condition.NOT)) {
-            return true;
-        }
-        // { AND: [] } is true
-        if (this.singleKey(condition, 'AND') && Array.isArray(condition.AND) && condition.AND.length === 0) {
-            return true;
-        }
-        return false;
-    }
-    isFalse(condition) {
-        if (condition === null || condition === undefined || !(0, is_plain_object_1.isPlainObject)(condition)) {
-            return false;
-        }
-        // { AND: FALSE } is false
-        if (this.singleKey(condition, 'AND') && typeof condition.AND === 'object' && this.isFalse(condition.AND)) {
-            return true;
-        }
-        // { NOT: TRUE } is false
-        if (this.singleKey(condition, 'NOT') && typeof condition.NOT === 'object' && this.isTrue(condition.NOT)) {
-            return true;
-        }
-        // { OR: [] } is false
-        if (this.singleKey(condition, 'OR') && Array.isArray(condition.OR) && condition.OR.length === 0) {
-            return true;
-        }
-        return false;
-    }
-    makeTrue() {
-        return { AND: [] };
-    }
-    makeFalse() {
-        return { OR: [] };
-    }
-    reduce(condition) {
-        if (condition === true || condition === undefined) {
-            return this.makeTrue();
-        }
-        if (condition === false) {
-            return this.makeFalse();
-        }
-        if (condition === null) {
-            return condition;
-        }
-        const result = {};
-        for (const [key, value] of Object.entries(condition)) {
-            if (value === null || value === undefined) {
-                result[key] = value;
-                continue;
-            }
-            switch (key) {
-                case 'AND': {
-                    const children = (0, cross_1.enumerate)(value)
-                        .map((c) => this.reduce(c))
-                        .filter((c) => c !== undefined && !this.isTrue(c));
-                    if (children.length === 0) {
-                        // { ..., AND: [] }
-                        result[key] = [];
-                    }
-                    else if (children.some((c) => this.isFalse(c))) {
-                        // { ..., AND: { OR: [] } }
-                        result[key] = this.makeFalse();
-                    }
-                    else {
-                        result[key] = !Array.isArray(value) && children.length === 1 ? children[0] : children;
-                    }
-                    break;
-                }
-                case 'OR': {
-                    const children = (0, cross_1.enumerate)(value)
-                        .map((c) => this.reduce(c))
-                        .filter((c) => c !== undefined && !this.isFalse(c));
-                    if (children.length === 0) {
-                        // { ..., OR: [] }
-                        result[key] = [];
-                    }
-                    else if (children.some((c) => this.isTrue(c))) {
-                        // { ..., OR: { AND: [] } }
-                        result[key] = this.makeTrue();
-                    }
-                    else {
-                        result[key] = !Array.isArray(value) && children.length === 1 ? children[0] : children;
-                    }
-                    break;
-                }
-                case 'NOT': {
-                    const children = (0, cross_1.enumerate)(value).map((c) => this.reduce(c));
-                    result[key] = !Array.isArray(value) && children.length === 1 ? children[0] : children;
-                    break;
-                }
-                default: {
-                    if (!(0, is_plain_object_1.isPlainObject)(value)) {
-                        // don't visit into non-plain object values - could be Date, array, etc.
-                        result[key] = value;
-                    }
-                    else {
-                        result[key] = this.reduce(value);
-                    }
-                    break;
-                }
-            }
-        }
-        // finally normalize constant true/false conditions
-        if (this.isTrue(result)) {
-            return this.makeTrue();
-        }
-        else if (this.isFalse(result)) {
-            return this.makeFalse();
-        }
-        else {
-            return result;
-        }
-    }
-    getModelPolicyDef(model) {
-        if (this.options.kinds && !this.options.kinds.includes('policy')) {
-            // policy enhancement not enabled, return an fully open guard
-            return this.FULL_OPEN_MODEL_POLICY;
-        }
-        const def = this.policy.policy[(0, lower_case_first_1.lowerCaseFirst)(model)];
-        if (!def) {
-            throw this.unknownError(`unable to load policy guard for ${model}`);
-        }
-        return def;
-    }
-    getModelGuardForOperation(model, operation) {
-        var _a;
-        const def = this.getModelPolicyDef(model);
-        return (_a = def.modelLevel[operation].guard) !== null && _a !== void 0 ? _a : true;
-    }
-    /**
-     * Gets pregenerated authorization guard object for a given model and operation.
-     *
-     * @returns true if operation is unconditionally allowed, false if unconditionally denied,
-     * otherwise returns a guard object
-     */
-    getAuthGuard(db, model, operation, preValue) {
-        const guard = this.getModelGuardForOperation(model, operation);
-        // constant guard
-        if (typeof guard === 'boolean') {
-            return this.reduce(guard);
-        }
-        // invoke guard function
-        const r = guard({ user: this.user, preValue }, db);
-        return this.reduce(r);
-    }
-    /**
-     * Get field-level read auth guard
-     */
-    getFieldReadAuthGuard(db, model, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        const guard = (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.read) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.guard;
-        if (guard === undefined) {
-            // field access is allowed by default
-            return this.makeTrue();
-        }
-        if (typeof guard === 'boolean') {
-            return this.reduce(guard);
-        }
-        const r = guard({ user: this.user }, db);
-        return this.reduce(r);
-    }
-    /**
-     * Get field-level read auth guard that overrides the model-level
-     */
-    getFieldOverrideReadAuthGuard(db, model, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        const guard = (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.read) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.overrideGuard;
-        if (guard === undefined) {
-            // field access is denied by default in override mode
-            return this.makeFalse();
-        }
-        if (typeof guard === 'boolean') {
-            return this.reduce(guard);
-        }
-        const r = guard({ user: this.user }, db);
-        return this.reduce(r);
-    }
-    /**
-     * Get field-level update auth guard
-     */
-    getFieldUpdateAuthGuard(db, model, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        const guard = (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.update) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.guard;
-        if (guard === undefined) {
-            // field access is allowed by default
-            return this.makeTrue();
-        }
-        if (typeof guard === 'boolean') {
-            return this.reduce(guard);
-        }
-        const r = guard({ user: this.user }, db);
-        return this.reduce(r);
-    }
-    /**
-     * Get field-level update auth guard that overrides the model-level
-     */
-    getFieldOverrideUpdateAuthGuard(db, model, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        const guard = (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.update) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.overrideGuard;
-        if (guard === undefined) {
-            // field access is denied by default in override mode
-            return this.makeFalse();
-        }
-        if (typeof guard === 'boolean') {
-            return this.reduce(guard);
-        }
-        const r = guard({ user: this.user }, db);
-        return this.reduce(r);
-    }
-    /**
-     * Checks if the given model has a policy guard for the given operation.
-     */
-    hasAuthGuard(model, operation) {
-        const guard = this.getModelGuardForOperation(model, operation);
-        return typeof guard !== 'boolean' || guard !== true;
-    }
-    /**
-     * Checks if the given model has any field-level override policy guard for the given operation.
-     */
-    hasOverrideAuthGuard(model, operation) {
-        var _a;
-        if (operation !== 'read' && operation !== 'update') {
-            return false;
-        }
-        const def = this.getModelPolicyDef(model);
-        if ((_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a[operation]) {
-            return Object.values(def.fieldLevel[operation]).some((f) => f.overrideGuard !== undefined || f.overrideEntityChecker !== undefined);
-        }
-        else {
-            return false;
-        }
-    }
-    /**
-     * Checks model creation policy based on static analysis to the input args.
-     *
-     * @returns boolean if static analysis is enough to determine the result, undefined if not
-     */
-    checkInputGuard(model, args, operation) {
-        const def = this.getModelPolicyDef(model);
-        const guard = def.modelLevel[operation].inputChecker;
-        if (guard === undefined) {
-            return undefined;
-        }
-        if (typeof guard === 'boolean') {
-            return guard;
-        }
-        return guard(args, { user: this.user });
-    }
-    /**
-     * Injects model auth guard as where clause.
-     */
-    injectAuthGuardAsWhere(db, args, model, operation) {
-        var _a;
-        let guard = this.getAuthGuard(db, model, operation);
-        if (operation === 'update' && args) {
-            // merge field-level policy guards
-            const fieldUpdateGuard = this.getFieldUpdateGuards(db, model, this.getFieldsWithDefinedValues((_a = args.data) !== null && _a !== void 0 ? _a : args));
-            if (fieldUpdateGuard.rejectedByField) {
-                // rejected
-                args.where = this.makeFalse();
-                return false;
-            }
-            else {
-                if (fieldUpdateGuard.guard) {
-                    // merge field-level guard
-                    guard = this.and(guard, fieldUpdateGuard.guard);
-                }
-                if (fieldUpdateGuard.overrideGuard) {
-                    // merge field-level override guard on the top level
-                    guard = this.or(guard, fieldUpdateGuard.overrideGuard);
-                }
-            }
-        }
-        if (operation === 'read') {
-            // merge field-level read override guards
-            const fieldReadOverrideGuard = this.getFieldReadGuards(db, model, args);
-            if (fieldReadOverrideGuard) {
-                guard = this.or(guard, fieldReadOverrideGuard);
-            }
-        }
-        if (this.isFalse(guard)) {
-            args.where = this.makeFalse();
-            return false;
-        }
-        let mergedGuard = guard;
-        if (args.where) {
-            // inject into fields:
-            //   to-many: some/none/every
-            //   to-one: direct-conditions/is/isNot
-            //   regular fields
-            mergedGuard = this.buildReadGuardForFields(db, model, args.where, guard);
-        }
-        args.where = this.and(args.where, mergedGuard);
-        return true;
-    }
-    // Injects guard for relation fields nested in `payload`. The `modelGuard` parameter represents the model-level guard for `model`.
-    // The function returns a modified copy of `modelGuard` with field-level policies combined.
-    buildReadGuardForFields(db, model, payload, modelGuard) {
-        if (!payload || typeof payload !== 'object' || Object.keys(payload).length === 0) {
-            return modelGuard;
-        }
-        const allFieldGuards = [];
-        const allFieldOverrideGuards = [];
-        for (const [field, subPayload] of Object.entries(payload)) {
-            if (!subPayload) {
-                continue;
-            }
-            allFieldGuards.push(this.getFieldReadAuthGuard(db, model, field));
-            allFieldOverrideGuards.push(this.getFieldOverrideReadAuthGuard(db, model, field));
-            const fieldInfo = (0, cross_1.resolveField)(this.modelMeta, model, field);
-            if (fieldInfo === null || fieldInfo === void 0 ? void 0 : fieldInfo.isDataModel) {
-                if (fieldInfo.isArray) {
-                    this.injectReadGuardForToManyField(db, fieldInfo, subPayload);
-                }
-                else {
-                    this.injectReadGuardForToOneField(db, fieldInfo, subPayload);
-                }
-            }
-        }
-        // all existing field-level guards must be true
-        const mergedGuard = this.and(...allFieldGuards);
-        // all existing field-level override guards must be true for override to take effect; override is disabled by default
-        const mergedOverrideGuard = allFieldOverrideGuards.length === 0 ? this.makeFalse() : this.and(...allFieldOverrideGuards);
-        // (original-guard && field-level-guard) || field-level-override-guard
-        const updatedGuard = this.or(this.and(modelGuard, mergedGuard), mergedOverrideGuard);
-        return updatedGuard;
-    }
-    injectReadGuardForToManyField(db, fieldInfo, payload) {
-        const guard = this.getAuthGuard(db, fieldInfo.type, 'read');
-        if (payload.some) {
-            const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload.some, guard);
-            // turn "some" into: { some: { AND: [guard, payload.some] } }
-            payload.some = this.and(payload.some, mergedGuard);
-        }
-        if (payload.none) {
-            const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload.none, guard);
-            // turn none into: { none: { AND: [guard, payload.none] } }
-            payload.none = this.and(payload.none, mergedGuard);
-        }
-        if (payload.every &&
-            typeof payload.every === 'object' &&
-            // ignore empty every clause
-            Object.keys(payload.every).length > 0) {
-            const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload.every, guard);
-            // turn "every" into: { none: { AND: [guard, { NOT: payload.every }] } }
-            if (!payload.none) {
-                payload.none = {};
-            }
-            payload.none = this.and(payload.none, mergedGuard, this.not(payload.every));
-            delete payload.every;
-        }
-    }
-    injectReadGuardForToOneField(db, fieldInfo, payload) {
-        const guard = this.getAuthGuard(db, fieldInfo.type, 'read');
-        // is|isNot and flat fields conditions are mutually exclusive
-        // is and isNot can be null value
-        if (payload.is !== undefined || payload.isNot !== undefined) {
-            if (payload.is) {
-                const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload.is, guard);
-                // merge guard with existing "is": { is: { AND: [originalIs, guard] } }
-                payload.is = this.and(payload.is, mergedGuard);
-            }
-            if (payload.isNot) {
-                const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload.isNot, guard);
-                // merge guard with existing "isNot":  { isNot: { AND: [originalIsNot, guard] } }
-                payload.isNot = this.and(payload.isNot, mergedGuard);
-            }
-        }
-        else {
-            const mergedGuard = this.buildReadGuardForFields(db, fieldInfo.type, payload, guard);
-            // turn direct conditions into: { is: { AND: [ originalConditions, guard ] } }
-            const combined = this.and((0, cross_1.clone)(payload), mergedGuard);
-            Object.keys(payload).forEach((key) => delete payload[key]);
-            payload.is = combined;
-        }
-    }
-    /**
-     * Injects auth guard for read operations.
-     */
-    injectForRead(db, model, args) {
-        // make select and include visible to the injection
-        const injected = { select: args.select, include: args.include };
-        if (!this.injectAuthGuardAsWhere(db, injected, model, 'read')) {
-            args.where = this.makeFalse();
-            return false;
-        }
-        if (args.where) {
-            // inject into fields:
-            //   to-many: some/none/every
-            //   to-one: direct-conditions/is/isNot
-            //   regular fields
-            const mergedGuard = this.buildReadGuardForFields(db, model, args.where, {});
-            args.where = this.mergeWhereClause(args.where, mergedGuard);
-        }
-        if (args.where) {
-            if (injected.where && Object.keys(injected.where).length > 0) {
-                // merge injected guard with the user-provided where clause
-                args.where = this.mergeWhereClause(args.where, injected.where);
-            }
-        }
-        else if (injected.where) {
-            // no user-provided where clause, use the injected one
-            args.where = injected.where;
-        }
-        // recursively inject read guard conditions into nested select, include, and _count
-        const hoistedConditions = this.injectNestedReadConditions(db, model, args);
-        // the injection process may generate conditions that need to be hoisted to the toplevel,
-        // if so, merge it with the existing where
-        if (hoistedConditions.length > 0) {
-            if (!args.where) {
-                args.where = this.and(...hoistedConditions);
-            }
-            else {
-                args.where = this.mergeWhereClause(args.where, this.and(...hoistedConditions));
-            }
-        }
-        return true;
-    }
-    //#endregion
-    //#region Checker
-    /**
-     * Gets checker constraints for the given model and operation.
-     */
-    getCheckerConstraint(model, operation) {
-        if (this.options.kinds && !this.options.kinds.includes('policy')) {
-            // policy enhancement not enabled, return a constant true checker result
-            return true;
-        }
-        const def = this.getModelPolicyDef(model);
-        const checker = def.modelLevel[operation].permissionChecker;
-        if (checker === undefined) {
-            throw new Error(`Generated permission checkers not found. Please make sure the "generatePermissionChecker" option is set to true in the "@core/enhancer" plugin.`);
-        }
-        if (typeof checker === 'boolean') {
-            return checker;
-        }
-        if (typeof checker !== 'function') {
-            throw this.unknownError(`invalid ${operation} checker function for ${model}`);
-        }
-        // call checker function
-        let result = checker({ user: this.user });
-        // the constraint may contain "delegate" ones that should be resolved
-        // by evaluating the corresponding checker of the delegated models
-        const isVariableConstraint = (value) => {
-            return value && typeof value === 'object' && value.kind === 'variable';
-        };
-        const isDelegateConstraint = (value) => {
-            return value && typeof value === 'object' && value.kind === 'delegate';
-        };
-        // here we prefix the constraint variables coming from delegated checkers
-        // with the relation field name to avoid conflicts
-        const prefixConstraintVariables = (constraint, prefix) => {
-            return (0, traverse_1.default)(constraint).map(function (value) {
-                if (isVariableConstraint(value)) {
-                    this.update(Object.assign(Object.assign({}, value), { name: `${prefix}${value.name}` }), true);
-                }
-            });
-        };
-        // eslint-disable-next-line @typescript-eslint/no-this-alias
-        const that = this;
-        result = (0, traverse_1.default)(result).forEach(function (value) {
-            if (isDelegateConstraint(value)) {
-                const { model: delegateModel, relation, operation: delegateOp } = value;
-                let newValue = that.getCheckerConstraint(delegateModel, delegateOp !== null && delegateOp !== void 0 ? delegateOp : operation);
-                newValue = prefixConstraintVariables(newValue, `${relation}.`);
-                this.update(newValue, true);
-            }
-        });
-        return result;
-    }
-    //#endregion
-    /**
-     * Gets unique constraints for the given model.
-     */
-    getUniqueConstraints(model) {
-        var _a, _b;
-        return (_b = (_a = this.modelMeta.models[(0, lower_case_first_1.lowerCaseFirst)(model)]) === null || _a === void 0 ? void 0 : _a.uniqueConstraints) !== null && _b !== void 0 ? _b : {};
-    }
-    injectNestedReadConditions(db, model, args) {
-        var _a;
-        const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
-        if (!injectTarget) {
-            return [];
-        }
-        if (injectTarget._count !== undefined) {
-            // _count needs to respect read policies of related models
-            if (injectTarget._count === true) {
-                // include count for all relations, expand to all fields
-                // so that we can inject guard conditions for each of them
-                injectTarget._count = { select: {} };
-                const modelFields = (0, cross_1.getFields)(this.modelMeta, model);
-                if (modelFields) {
-                    for (const [k, v] of Object.entries(modelFields)) {
-                        if (v.isDataModel && v.isArray) {
-                            // create an entry for to-many relation
-                            injectTarget._count.select[k] = {};
-                        }
-                    }
-                }
-            }
-            // inject conditions for each relation
-            for (const field of Object.keys(injectTarget._count.select)) {
-                if (typeof injectTarget._count.select[field] !== 'object') {
-                    injectTarget._count.select[field] = {};
-                }
-                const fieldInfo = (0, cross_1.resolveField)(this.modelMeta, model, field);
-                if (!fieldInfo) {
-                    continue;
-                }
-                // inject into the "where" clause inside select
-                this.injectAuthGuardAsWhere(db, injectTarget._count.select[field], fieldInfo.type, 'read');
-            }
-        }
-        // collect filter conditions that should be hoisted to the toplevel
-        const hoistedConditions = [];
-        for (const field of (0, cross_1.getModelFields)(injectTarget)) {
-            if (injectTarget[field] === false) {
-                continue;
-            }
-            const fieldInfo = (0, cross_1.resolveField)(this.modelMeta, model, field);
-            if (!fieldInfo || !fieldInfo.isDataModel) {
-                // only care about relation fields
-                continue;
-            }
-            let hoisted;
-            if (fieldInfo.isArray ||
-                // Injecting where at include/select level for nullable to-one relation is supported since Prisma 4.8.0
-                // https://github.com/prisma/prisma/discussions/20350
-                fieldInfo.isOptional) {
-                if (typeof injectTarget[field] !== 'object') {
-                    injectTarget[field] = {};
-                }
-                // inject extra condition for to-many or nullable to-one relation
-                this.injectAuthGuardAsWhere(db, injectTarget[field], fieldInfo.type, 'read');
-                // recurse
-                const subHoisted = this.injectNestedReadConditions(db, fieldInfo.type, injectTarget[field]);
-                if (subHoisted.length > 0) {
-                    // we can convert it to a where at this level
-                    injectTarget[field].where = this.and(injectTarget[field].where, ...subHoisted);
-                }
-            }
-            else {
-                // hoist non-nullable to-one filter to the parent level
-                let injected = this.safeClone(injectTarget[field]);
-                if (typeof injected !== 'object') {
-                    injected = {};
-                }
-                this.injectAuthGuardAsWhere(db, injected, fieldInfo.type, 'read');
-                hoisted = injected.where;
-                // recurse
-                const subHoisted = this.injectNestedReadConditions(db, fieldInfo.type, injectTarget[field]);
-                if (subHoisted.length > 0) {
-                    hoisted = this.and(hoisted, ...subHoisted);
-                }
-            }
-            if (hoisted && !this.isTrue(hoisted)) {
-                hoistedConditions.push({ [field]: hoisted });
-            }
-        }
-        return hoistedConditions;
-    }
-    /**
-     * Given a model and a unique filter, checks the operation is allowed by policies and field validations.
-     * Rejects with an error if not allowed.
-     *
-     * This method is only called by mutation operations.
-     */
-    checkPolicyForUnique(model, uniqueFilter, operation, db, fieldsToUpdate, preValue) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let guard = this.getAuthGuard(db, model, operation, preValue);
-            if (this.isFalse(guard) && !this.hasOverrideAuthGuard(model, operation)) {
-                throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter, false)} failed policy check`, constants_1.CrudFailureReason.ACCESS_POLICY_VIOLATION);
-            }
-            let entityChecker;
-            if (operation === 'update' && fieldsToUpdate.length > 0) {
-                // merge field-level policy guards
-                const fieldUpdateGuard = this.getFieldUpdateGuards(db, model, fieldsToUpdate);
-                if (fieldUpdateGuard.rejectedByField) {
-                    // rejected
-                    throw this.deniedByPolicy(model, 'update', `entity ${(0, utils_1.formatObject)(uniqueFilter, false)} failed update policy check for field "${fieldUpdateGuard.rejectedByField}"`, constants_1.CrudFailureReason.ACCESS_POLICY_VIOLATION);
-                }
-                if (fieldUpdateGuard.guard) {
-                    // merge field-level guard with AND
-                    guard = this.and(guard, fieldUpdateGuard.guard);
-                }
-                if (fieldUpdateGuard.overrideGuard) {
-                    // merge field-level override guard with OR
-                    guard = this.or(guard, fieldUpdateGuard.overrideGuard);
-                }
-                // field-level entity checker
-                entityChecker = fieldUpdateGuard.entityChecker;
-            }
-            // Zod schema is to be checked for "create" and "postUpdate"
-            const schema = ['create', 'postUpdate'].includes(operation) ? this.getZodSchema(model) : undefined;
-            // combine field-level entity checker with model-level
-            const modelEntityChecker = this.getEntityChecker(model, operation);
-            entityChecker = this.combineEntityChecker(entityChecker, modelEntityChecker, 'and');
-            if (this.isTrue(guard) && !schema && !entityChecker) {
-                // unconditionally allowed
-                return;
-            }
-            let select = schema
-                ? // need to validate against schema, need to fetch all fields
-                    undefined
-                : // only fetch id fields
-                    this.makeIdSelection(model);
-            if (entityChecker === null || entityChecker === void 0 ? void 0 : entityChecker.selector) {
-                if (!select) {
-                    select = this.makeAllScalarFieldSelect(model);
-                }
-                select = Object.assign(Object.assign({}, select), entityChecker.selector);
-            }
-            let where = this.safeClone(uniqueFilter);
-            // query args may have be of combined-id form, need to flatten it to call findFirst
-            this.flattenGeneratedUniqueField(model, where);
-            // query with policy guard
-            where = this.and(where, guard);
-            const query = { select, where };
-            if (this.shouldLogQuery) {
-                this.logger.info(`[policy] checking ${model} for ${operation}, \`findFirst\`:\n${(0, utils_1.formatObject)(query)}`);
-            }
-            const result = yield db[model].findFirst(query);
-            if (!result) {
-                throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter, false)} failed policy check`, constants_1.CrudFailureReason.ACCESS_POLICY_VIOLATION);
-            }
-            if (entityChecker) {
-                if (this.logger.enabled('info')) {
-                    this.logger.info(`[policy] running entity checker on ${model} for ${operation}`);
-                }
-                if (!entityChecker.func(result, { user: this.user, preValue })) {
-                    throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter, false)} failed policy check`, constants_1.CrudFailureReason.ACCESS_POLICY_VIOLATION);
-                }
-            }
-            if (schema) {
-                // TODO: push down schema check to the database
-                this.validateZodSchema(model, undefined, result, true, (err) => {
-                    throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter, false)} failed validation: [${(0, zod_validation_error_1.fromZodError)(err)}]`, constants_1.CrudFailureReason.DATA_VALIDATION_VIOLATION, err);
-                });
-            }
-        });
-    }
-    getEntityChecker(model, operation, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        if (field) {
-            return (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a[operation]) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.entityChecker;
-        }
-        else {
-            return def.modelLevel[operation].entityChecker;
-        }
-    }
-    getUpdateOverrideEntityCheckerForField(model, field) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        return (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.update) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.overrideEntityChecker;
-    }
-    getFieldReadGuards(db, model, args) {
-        const allFields = Object.values((0, cross_1.getFields)(this.modelMeta, model));
-        // all scalar fields by default
-        let fields = allFields.filter((f) => !f.isDataModel);
-        if (args.select) {
-            // explicitly selected fields
-            fields = allFields.filter((f) => { var _a; return ((_a = args.select) === null || _a === void 0 ? void 0 : _a[f.name]) === true; });
-        }
-        else if (args.include) {
-            // included relations
-            fields.push(...allFields.filter((f) => !fields.includes(f) && args.include[f.name]));
-        }
-        if (fields.length === 0) {
-            // this can happen if only selecting pseudo fields like "_count"
-            return undefined;
-        }
-        const allFieldGuards = fields.map((field) => this.getFieldOverrideReadAuthGuard(db, model, field.name));
-        return this.and(...allFieldGuards);
-    }
-    getFieldUpdateGuards(db, model, fieldsToUpdate) {
-        const allFieldGuards = [];
-        const allOverrideFieldGuards = [];
-        let entityChecker;
-        for (const field of fieldsToUpdate) {
-            const fieldInfo = (0, cross_1.resolveField)(this.modelMeta, model, field);
-            if (fieldInfo === null || fieldInfo === void 0 ? void 0 : fieldInfo.isDataModel) {
-                // relation field update should be treated as foreign key update,
-                // fetch and merge all foreign key guards
-                if (fieldInfo.isRelationOwner && fieldInfo.foreignKeyMapping) {
-                    const foreignKeys = Object.values(fieldInfo.foreignKeyMapping);
-                    for (const fk of foreignKeys) {
-                        const fieldGuard = this.getFieldUpdateAuthGuard(db, model, fk);
-                        if (this.isFalse(fieldGuard)) {
-                            return { guard: fieldGuard, rejectedByField: fk };
-                        }
-                        // add field guard
-                        allFieldGuards.push(fieldGuard);
-                        // add field override guard
-                        const overrideFieldGuard = this.getFieldOverrideUpdateAuthGuard(db, model, fk);
-                        allOverrideFieldGuards.push(overrideFieldGuard);
-                    }
-                }
-            }
-            else {
-                const fieldGuard = this.getFieldUpdateAuthGuard(db, model, field);
-                if (this.isFalse(fieldGuard)) {
-                    return { guard: fieldGuard, rejectedByField: field };
-                }
-                // add field guard
-                allFieldGuards.push(fieldGuard);
-                // add field override guard
-                const overrideFieldGuard = this.getFieldOverrideUpdateAuthGuard(db, model, field);
-                allOverrideFieldGuards.push(overrideFieldGuard);
-            }
-            // merge regular and override entity checkers with OR
-            let checker = this.getEntityChecker(model, 'update', field);
-            const overrideChecker = this.getUpdateOverrideEntityCheckerForField(model, field);
-            checker = this.combineEntityChecker(checker, overrideChecker, 'or');
-            // accumulate entity checker across fields
-            entityChecker = this.combineEntityChecker(entityChecker, checker, 'and');
-        }
-        const allFieldsCombined = this.and(...allFieldGuards);
-        const allOverrideFieldsCombined = allOverrideFieldGuards.length !== 0 ? this.and(...allOverrideFieldGuards) : undefined;
-        return {
-            guard: allFieldsCombined,
-            overrideGuard: allOverrideFieldsCombined,
-            rejectedByField: undefined,
-            entityChecker,
-        };
-    }
-    combineEntityChecker(left, right, combiner) {
-        var _a, _b;
-        if (!left) {
-            return right;
-        }
-        if (!right) {
-            return left;
-        }
-        const func = combiner === 'and'
-            ? (entity, context) => left.func(entity, context) && right.func(entity, context)
-            : (entity, context) => left.func(entity, context) || right.func(entity, context);
-        return {
-            func,
-            selector: (0, deepmerge_1.default)((_a = left.selector) !== null && _a !== void 0 ? _a : {}, (_b = right.selector) !== null && _b !== void 0 ? _b : {}),
-        };
-    }
-    /**
-     * Tries rejecting a request based on static "false" policy.
-     */
-    tryReject(db, model, operation) {
-        const guard = this.getAuthGuard(db, model, operation);
-        if (this.isFalse(guard) && !this.hasOverrideAuthGuard(model, operation)) {
-            throw this.deniedByPolicy(model, operation, undefined, constants_1.CrudFailureReason.ACCESS_POLICY_VIOLATION);
-        }
-    }
-    /**
-     * Checks if a model exists given a unique filter.
-     */
-    checkExistence(db_1, model_1, uniqueFilter_1) {
-        return __awaiter(this, arguments, void 0, function* (db, model, uniqueFilter, throwIfNotFound = false) {
-            uniqueFilter = this.safeClone(uniqueFilter);
-            this.flattenGeneratedUniqueField(model, uniqueFilter);
-            if (this.shouldLogQuery) {
-                this.logger.info(`[policy] checking ${model} existence, \`findFirst\`:\n${(0, utils_1.formatObject)(uniqueFilter)}`);
-            }
-            const existing = yield db[model].findFirst({
-                where: uniqueFilter,
-                select: this.makeIdSelection(model),
-            });
-            if (!existing && throwIfNotFound) {
-                throw this.notFound(model);
-            }
-            return existing;
-        });
-    }
-    /**
-     * Returns an entity given a unique filter with read policy checked. Reject if not readable.
-     */
-    readBack(db, model, operation, selectInclude, uniqueFilter) {
-        return __awaiter(this, void 0, void 0, function* () {
-            uniqueFilter = this.safeClone(uniqueFilter);
-            this.flattenGeneratedUniqueField(model, uniqueFilter);
-            // make sure only select and include are picked
-            const selectIncludeClean = this.pick(selectInclude, 'select', 'include');
-            const readArgs = Object.assign(Object.assign({}, this.safeClone(selectIncludeClean)), { where: uniqueFilter });
-            const error = this.deniedByPolicy(model, operation, 'result is not allowed to be read back', constants_1.CrudFailureReason.RESULT_NOT_READABLE);
-            const injectResult = this.injectForRead(db, model, readArgs);
-            if (!injectResult) {
-                return { error, result: undefined };
-            }
-            // inject select needed for field-level read checks
-            this.injectReadCheckSelect(model, readArgs);
-            if (this.shouldLogQuery) {
-                this.logger.info(`[policy] checking read-back, \`findFirst\` ${model}:\n${(0, utils_1.formatObject)(readArgs)}`);
-            }
-            const result = yield db[model].findFirst(readArgs);
-            if (!result) {
-                if (this.shouldLogQuery) {
-                    this.logger.info(`[policy] cannot read back ${model}`);
-                }
-                return { error, result: undefined };
-            }
-            this.postProcessForRead(result, model, selectIncludeClean);
-            return { result, error: undefined };
-        });
-    }
-    /**
-     * Injects field selection needed for checking field-level read policy check and evaluating
-     * entity checker into query args.
-     */
-    injectReadCheckSelect(model, args) {
-        // we need to recurse into relation fields before injecting the current level, because
-        // injection into current level can result in relation being selected/included, which
-        // can then cause infinite recursion when we visit relation later
-        var _a;
-        // recurse into relation fields
-        const visitTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
-        if (visitTarget) {
-            for (const key of Object.keys(visitTarget)) {
-                const field = (0, cross_1.resolveField)(this.modelMeta, model, key);
-                if ((field === null || field === void 0 ? void 0 : field.isDataModel) && visitTarget[key]) {
-                    if (typeof visitTarget[key] !== 'object') {
-                        // v is "true", ensure it's an object
-                        visitTarget[key] = {};
-                    }
-                    this.injectReadCheckSelect(field.type, visitTarget[key]);
-                }
-            }
-        }
-        if (this.hasFieldLevelPolicy(model)) {
-            // recursively inject selection for fields needed for field-level read checks
-            const readFieldSelect = this.getFieldReadCheckSelector(model, args.select);
-            if (readFieldSelect) {
-                this.doInjectReadCheckSelect(model, args, { select: readFieldSelect });
-            }
-        }
-        const entityChecker = this.getEntityChecker(model, 'read');
-        if (entityChecker === null || entityChecker === void 0 ? void 0 : entityChecker.selector) {
-            this.doInjectReadCheckSelect(model, args, { select: entityChecker.selector });
-        }
-    }
-    doInjectReadCheckSelect(model, args, input) {
-        var _a;
-        // omit should be ignored to avoid interfering with field selection
-        if (args.omit) {
-            delete args.omit;
-        }
-        if (!(input === null || input === void 0 ? void 0 : input.select)) {
-            return;
-        }
-        // process scalar field selections first
-        for (const [k, v] of Object.entries(input.select)) {
-            const field = (0, cross_1.resolveField)(this.modelMeta, model, k);
-            if (!field || field.isDataModel) {
-                continue;
-            }
-            if (v === true) {
-                if (!args.select) {
-                    // do nothing since all scalar fields are selected by default
-                }
-                else if (args.include) {
-                    // do nothing since include implies selecting all scalar fields
-                }
-                else {
-                    args.select[k] = true;
-                }
-            }
-        }
-        // process relation selections
-        for (const [k, v] of Object.entries(input.select)) {
-            const field = (0, cross_1.resolveField)(this.modelMeta, model, k);
-            if (!field || !field.isDataModel) {
-                continue;
-            }
-            // prepare the next level of args
-            let nextArgs = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
-            if (!nextArgs) {
-                nextArgs = args.include = {};
-            }
-            if (!nextArgs[k] || typeof nextArgs[k] !== 'object') {
-                nextArgs[k] = {};
-            }
-            if (v && typeof v === 'object') {
-                // recurse into relation
-                this.doInjectReadCheckSelect(field.type, nextArgs[k], v);
-            }
-        }
-    }
-    makeAllScalarFieldSelect(model) {
-        const fields = this.getModelFields(model);
-        const result = {};
-        if (fields) {
-            Object.entries(fields).forEach(([k, v]) => {
-                if (!v.isDataModel) {
-                    result[k] = true;
-                }
-            });
-        }
-        return result;
-    }
-    //#endregion
-    //#region Errors
-    deniedByPolicy(model, operation, extra, reason, zodErrors) {
-        const args = { clientVersion: (0, version_1.getVersion)(), code: constants_1.PrismaErrorCode.CONSTRAINT_FAILED, meta: {} };
-        if (reason) {
-            args.meta.reason = reason;
-        }
-        if (zodErrors) {
-            args.meta.zodErrors = zodErrors;
-        }
-        return (0, utils_1.prismaClientKnownRequestError)(this.db, this.prismaModule, `denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`, args);
-    }
-    notFound(model) {
-        return (0, utils_1.prismaClientKnownRequestError)(this.db, this.prismaModule, `entity not found for model ${model}`, {
-            clientVersion: (0, version_1.getVersion)(),
-            code: 'P2025',
-        });
-    }
-    //#endregion
-    //#region Misc
-    /**
-     * Gets field selection for fetching pre-update entity values for the given model.
-     */
-    getPreValueSelect(model) {
-        const def = this.getModelPolicyDef(model);
-        return def.modelLevel.postUpdate.preUpdateSelector;
-    }
-    // get a merged selector object for all field-level read policies
-    getFieldReadCheckSelector(model, fieldSelection) {
-        var _a, _b, _c;
-        const def = this.getModelPolicyDef(model);
-        let result = {};
-        const fieldLevel = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.read;
-        if (fieldLevel) {
-            for (const [field, def] of Object.entries(fieldLevel)) {
-                if (!fieldSelection || fieldSelection[field]) {
-                    // field is selected, merge the field-level selector
-                    if ((_b = def.entityChecker) === null || _b === void 0 ? void 0 : _b.selector) {
-                        result = (0, deepmerge_1.default)(result, def.entityChecker.selector);
-                    }
-                    if ((_c = def.overrideEntityChecker) === null || _c === void 0 ? void 0 : _c.selector) {
-                        result = (0, deepmerge_1.default)(result, def.overrideEntityChecker.selector);
-                    }
-                }
-            }
-        }
-        return Object.keys(result).length > 0 ? result : undefined;
-    }
-    checkReadField(model, field, entity) {
-        var _a, _b, _c, _d, _e, _f;
-        const def = this.getModelPolicyDef(model);
-        // combine regular and override field-level entity checkers with OR
-        const checker = (_c = (_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.read) === null || _b === void 0 ? void 0 : _b[field]) === null || _c === void 0 ? void 0 : _c.entityChecker;
-        const overrideChecker = (_f = (_e = (_d = def.fieldLevel) === null || _d === void 0 ? void 0 : _d.read) === null || _e === void 0 ? void 0 : _e[field]) === null || _f === void 0 ? void 0 : _f.overrideEntityChecker;
-        const combinedChecker = this.combineEntityChecker(checker, overrideChecker, 'or');
-        if (combinedChecker === undefined) {
-            return true;
-        }
-        else {
-            return combinedChecker.func(entity, { user: this.user });
-        }
-    }
-    hasFieldValidation(model) {
-        var _a, _b;
-        return ((_b = (_a = this.policy.validation) === null || _a === void 0 ? void 0 : _a[(0, lower_case_first_1.lowerCaseFirst)(model)]) === null || _b === void 0 ? void 0 : _b.hasValidation) === true;
-    }
-    hasFieldLevelPolicy(model) {
-        var _a, _b;
-        const def = this.getModelPolicyDef(model);
-        return Object.keys((_b = (_a = def.fieldLevel) === null || _a === void 0 ? void 0 : _a.read) !== null && _b !== void 0 ? _b : {}).length > 0;
-    }
-    /**
-     * Gets Zod schema for the given model and access kind.
-     *
-     * @param kind kind of Zod schema to get for. If undefined, returns the full schema.
-     */
-    getZodSchema(model, excludePasswordFields = true, kind = undefined) {
-        if (!this.zodSchemas) {
-            return undefined;
-        }
-        if (!this.hasFieldValidation(model)) {
-            return undefined;
-        }
-        const schemaKey = `${(0, upper_case_first_1.upperCaseFirst)(model)}${kind ? 'Prisma' + (0, upper_case_first_1.upperCaseFirst)(kind) : ''}Schema`;
-        if (excludePasswordFields) {
-            // The `excludePasswordFields` mode is to handle the issue the fields marked with `@password` change at runtime,
-            // so they can only be fully validated when processing the input of "create" and "update" operations.
-            //
-            // When excluding them, we need to override them with plain string schemas. However, since the scheme is not always
-            // an `ZodObject` (this happens when there's `@@validate` refinement), we need to fetch the `ZodObject` schema before
-            // the refinement is applied, override the `@password` fields and then re-apply the refinement.
-            let schema;
-            const overridePasswordFields = (schema) => {
-                var _a, _b;
-                let result = schema;
-                const modelFields = (_a = this.modelMeta.models[(0, lower_case_first_1.lowerCaseFirst)(model)]) === null || _a === void 0 ? void 0 : _a.fields;
-                if (modelFields) {
-                    for (const [key, field] of Object.entries(modelFields)) {
-                        if ((_b = field.attributes) === null || _b === void 0 ? void 0 : _b.some((attr) => attr.name === '@password')) {
-                            // override `@password` field schema with a string schema
-                            let pwFieldSchema = zod_1.z.string();
-                            if (field.isOptional) {
-                                pwFieldSchema = pwFieldSchema.nullish();
-                            }
-                            result = result.merge(zod_1.z.object({ [key]: pwFieldSchema }));
-                        }
-                    }
-                }
-                return result;
-            };
-            // get the schema without refinement: `[Model]WithoutRefineSchema`
-            const withoutRefineSchemaKey = `${(0, upper_case_first_1.upperCaseFirst)(model)}${kind ? 'Prisma' + (0, upper_case_first_1.upperCaseFirst)(kind) : ''}WithoutRefineSchema`;
-            schema = this.zodSchemas.models[withoutRefineSchemaKey];
-            if (schema) {
-                // the schema has refinement, need to call refine function after schema merge
-                schema = overridePasswordFields(schema);
-                // refine function: `refine[Model]`
-                const refineFuncKey = `refine${(0, upper_case_first_1.upperCaseFirst)(model)}`;
-                const refineFunc = this.zodSchemas.models[refineFuncKey];
-                return typeof refineFunc === 'function' ? refineFunc(schema) : schema;
-            }
-            else {
-                // otherwise, directly override the `@password` fields
-                schema = this.zodSchemas.models[schemaKey];
-                return schema ? overridePasswordFields(schema) : undefined;
-            }
-        }
-        else {
-            // simply return the schema
-            return this.zodSchemas.models[schemaKey];
-        }
-    }
-    /**
-     * Validates the given data against the Zod schema for the given model and kind.
-     *
-     * @param model model
-     * @param kind validation kind. Pass undefined to validate against the full schema.
-     * @param data input data
-     * @param excludePasswordFields whether exclude schema validation for `@password` fields
-     * @param onError error callback
-     * @returns Zod-validated data
-     */
-    validateZodSchema(model, kind, data, excludePasswordFields, onError) {
-        const schema = this.getZodSchema(model, excludePasswordFields, kind);
-        if (!schema) {
-            return data;
-        }
-        const parseResult = schema.safeParse(data);
-        if (!parseResult.success) {
-            if (this.logger.enabled('info')) {
-                this.logger.info(`entity ${model} failed validation for operation ${kind}: ${(0, zod_validation_error_1.fromZodError)(parseResult.error)}`);
-            }
-            onError(parseResult.error);
-            return undefined;
-        }
-        return parseResult.data;
-    }
-    /**
-     * Post processing checks and clean-up for read model entities.
-     */
-    postProcessForRead(data, model, queryArgs) {
-        // preserve the original data as it may be needed for checking field-level readability,
-        // while the "data" will be manipulated during traversal (deleting unreadable fields)
-        const origData = this.safeClone(data);
-        // use the concrete model if the data is a polymorphic entity
-        const realModel = this.getDelegateConcreteModel(model, data);
-        return this.doPostProcessForRead(data, realModel, origData, queryArgs, this.hasFieldLevelPolicy(realModel));
-    }
-    doPostProcessForRead(data, model, fullData, queryArgs, hasFieldLevelPolicy, path = '') {
-        var _a, _b, _c;
-        if (data === null || data === undefined) {
-            return data;
-        }
-        let filteredData = data;
-        let filteredFullData = fullData;
-        const entityChecker = this.getEntityChecker(model, 'read');
-        if (entityChecker) {
-            if (Array.isArray(data)) {
-                filteredData = [];
-                filteredFullData = [];
-                for (const [entityData, entityFullData] of (0, cross_1.zip)(data, fullData)) {
-                    if (!entityChecker.func(entityData, { user: this.user })) {
-                        if (this.shouldLogQuery) {
-                            this.logger.info(`[policy] dropping ${model} entity${path ? ' at ' + path : ''} due to entity checker`);
-                        }
-                    }
-                    else {
-                        filteredData.push(entityData);
-                        filteredFullData.push(entityFullData);
-                    }
-                }
-            }
-            else {
-                if (!entityChecker.func(data, { user: this.user })) {
-                    if (this.shouldLogQuery) {
-                        this.logger.info(`[policy] dropping ${model} entity${path ? ' at ' + path : ''} due to entity checker`);
-                    }
-                    return null;
-                }
-            }
-        }
-        for (const [entityData, entityFullData] of (0, cross_1.zip)(filteredData, filteredFullData)) {
-            if (typeof entityData !== 'object' || !entityData) {
-                continue;
-            }
-            for (const [field, fieldData] of Object.entries(entityData)) {
-                if (fieldData === undefined) {
-                    continue;
-                }
-                const fieldInfo = (0, cross_1.resolveField)(this.modelMeta, model, field);
-                if (!fieldInfo) {
-                    // could be _count, etc.
-                    continue;
-                }
-                if (((_a = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.omit) === null || _a === void 0 ? void 0 : _a[field]) === true) {
-                    // respect `{ omit: { [field]: true } }`
-                    delete entityData[field];
-                    continue;
-                }
-                if (hasFieldLevelPolicy) {
-                    // 1. remove fields selected for checking field-level policies but not selected by the original query args
-                    // 2. evaluate field-level policies and remove fields that are not readable
-                    if (!fieldInfo.isDataModel) {
-                        // scalar field, delete unselected ones
-                        const select = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select;
-                        if (select && typeof select === 'object' && select[field] !== true) {
-                            // there's a select clause but this field is not included
-                            delete entityData[field];
-                            continue;
-                        }
-                    }
-                    else {
-                        // relation field, delete if not selected or included
-                        const include = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.include;
-                        const select = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select;
-                        if (!(include === null || include === void 0 ? void 0 : include[field]) && !(select === null || select === void 0 ? void 0 : select[field])) {
-                            // relation field not included or selected
-                            delete entityData[field];
-                            continue;
-                        }
-                    }
-                    // delete unreadable fields
-                    if (!this.checkReadField(model, field, entityFullData)) {
-                        if (this.shouldLogQuery) {
-                            this.logger.info(`[policy] dropping unreadable field ${path ? path + '.' : ''}${field}`);
-                        }
-                        delete entityData[field];
-                        continue;
-                    }
-                }
-                if (fieldInfo.isDataModel) {
-                    // recurse into nested fields
-                    const nextArgs = (_c = ((_b = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select) !== null && _b !== void 0 ? _b : queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.include)) === null || _c === void 0 ? void 0 : _c[field];
-                    const nestedResult = this.doPostProcessForRead(fieldData, fieldInfo.type, entityFullData[field], nextArgs, this.hasFieldLevelPolicy(fieldInfo.type), path ? path + '.' + field : field);
-                    if (nestedResult === undefined) {
-                        delete entityData[field];
-                    }
-                    else {
-                        entityData[field] = nestedResult;
-                    }
-                }
-            }
-        }
-        return filteredData;
-    }
-    /**
-     * Replace content of `target` object with `withObject` in-place.
-     */
-    replace(target, withObject) {
-        if (!target || typeof target !== 'object' || !withObject || typeof withObject !== 'object') {
-            return;
-        }
-        // remove missing keys
-        for (const key of Object.keys(target)) {
-            if (!(key in withObject)) {
-                delete target[key];
-            }
-        }
-        // overwrite keys
-        for (const [key, value] of Object.entries(withObject)) {
-            target[key] = value;
-        }
-    }
-    /**
-     * Picks properties from an object.
-     */
-    pick(value, ...props) {
-        const v = value;
-        return props.reduce(function (result, prop) {
-            if (prop in v) {
-                result[prop] = v[prop];
-            }
-            return result;
-        }, {});
-    }
-    mergeWhereClause(where, extra) {
-        var _a;
-        if (!where) {
-            throw new Error('invalid where clause');
-        }
-        if (this.isTrue(extra)) {
-            return where;
-        }
-        if (this.isFalse(extra)) {
-            return this.makeFalse();
-        }
-        // instead of simply wrapping with AND, we preserve the structure
-        // of the original where clause and merge `extra` into it so that
-        // unique query can continue working
-        if (where.AND) {
-            // merge into existing AND clause
-            const conditions = Array.isArray(where.AND) ? [...where.AND] : [where.AND];
-            conditions.push(extra);
-            const combined = this.and(...conditions);
-            // make sure the merging always goes under AND
-            return Object.assign(Object.assign({}, where), { AND: (_a = combined.AND) !== null && _a !== void 0 ? _a : combined });
-        }
-        else {
-            // insert an AND clause
-            return Object.assign(Object.assign({}, where), { AND: [extra] });
-        }
-    }
-    /**
-     * Given an entity data, returns an object only containing id fields.
-     */
-    getIdFieldValues(model, data) {
-        if (!data) {
-            return undefined;
-        }
-        const idFields = this.getIdFields(model);
-        return Object.fromEntries(idFields.map((f) => [f.name, data[f.name]]));
-    }
-}
-exports.PolicyUtil = PolicyUtil;
-//# sourceMappingURL=policy-utils.js.map