refactor(policy): simplify fetchPolicyCodes guard and align test expectations

Azzerty23 · claude · Azzerty23 · commit 4dcdcecf891d · 2026-05-02T13:36:55.000+02:00
Move the fetchPolicyCodes===false early-return before policy filtering so the
diagnostic query is skipped entirely for update/delete, making those operations
behave identically to a model with no error codes (NOT_FOUND). Update test
expectations accordingly and add an explicit equivalence test.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/plugins/policy/src/policy-handler.ts b/packages/plugins/policy/src/policy-handler.ts
@@ -272,9 +272,10 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
     ) {
         if (this.isManyToManyJoinTable(model)) return;
         if (this.tryGetConstantPolicy(model, operation) === true) return;
-        const codedPolicies = this.getModelPolicies(model, operation).filter((p) => p.code);
+        if (this.options.fetchPolicyCodes === false) return;
+        const policiesWithCode = this.getModelPolicies(model, operation).filter((p) => p.code);
         // Skip if no policies carry an error code — nothing to surface.
-        if (codedPolicies.length === 0) return;
+        if (policiesWithCode.length === 0) return;
 
         const whereCondition = originalWhere ?? trueNode(this.dialect);
 
@@ -283,10 +284,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             .select(this.eb.lit(1).as('_'))
             .where(() => new ExpressionWrapper(whereCondition));
 
-        const fetchCodes = this.options.fetchPolicyCodes !== false;
-        const selectedPolicies = fetchCodes ? codedPolicies : [];
-
-        const codeSelections = selectedPolicies.map((policy, i) => {
+        const codeSelections = policiesWithCode.map((policy, i) => {
             const condition = this.compilePolicyCondition(model, undefined, operation, policy);
             const violationCondition = policy.kind === 'allow' ? logicalNot(this.dialect, condition) : condition;
             const inner = this.eb
@@ -302,7 +300,10 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             kind: 'SelectQueryNode',
             selections: [
                 SelectionNode.create(
-                    AliasNode.create(this.eb.exists(rowExistsInner).toOperationNode(), IdentifierNode.create('$exists')),
+                    AliasNode.create(
+                        this.eb.exists(rowExistsInner).toOperationNode(),
+                        IdentifierNode.create('$exists'),
+                    ),
                 ),
                 ...codeSelections,
             ],
@@ -311,8 +312,8 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         const row = result.rows[0] ?? {};
         if (!row.$exists) return;
 
-        const policyCodes = fetchCodes
-            ? selectedPolicies.filter((_, i) => row[`$c${i}`]).map((p) => p.code!)
+        const policyCodes = policiesWithCode
+            ? policiesWithCode.filter((_, i) => row[`$c${i}`]).map((p) => p.code!)
             : undefined;
 
         throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS, undefined, policyCodes);
@@ -1139,12 +1140,12 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         valuesTable: ReturnType<BaseCrudDialect<Schema>['buildValuesTableSelect']>,
         proceed: ProceedKyselyQueryFunction,
     ): Promise<string[]> {
-        const codedPolicies = this.getModelPolicies(model, 'create').filter((p) => p.code);
-        if (codedPolicies.length === 0) {
+        const policiesWithCode = this.getModelPolicies(model, 'create').filter((p) => p.code);
+        if (policiesWithCode.length === 0) {
             return [];
         }
 
-        const selections = codedPolicies.map((policy, i) => {
+        const selections = policiesWithCode.map((policy, i) => {
             const condition = this.compilePolicyCondition(model, undefined, 'create', policy);
             // For allow rules, negate: EXISTS(NOT condition) = true when any proposed row violates allow.
             // For deny rules, keep as-is: EXISTS(condition) = true when deny fires.
@@ -1158,7 +1159,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             );
         });
 
-        return this.evaluatePolicyDiagnostics(codedPolicies, selections, proceed);
+        return this.evaluatePolicyDiagnostics(policiesWithCode, selections, proceed);
     }
 
     private async findViolatingPostUpdatePolicyCodes(
@@ -1167,8 +1168,8 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         beforeUpdateInfo: Awaited<ReturnType<typeof this.loadBeforeUpdateEntities>>,
         proceed: ProceedKyselyQueryFunction,
     ): Promise<string[]> {
-        const codedPolicies = this.getModelPolicies(model, 'post-update').filter((p) => p.code);
-        if (codedPolicies.length === 0) {
+        const policiesWithCode = this.getModelPolicies(model, 'post-update').filter((p) => p.code);
+        if (policiesWithCode.length === 0) {
             return [];
         }
 
@@ -1201,7 +1202,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             return eb.exists(inner).toOperationNode();
         };
 
-        const selections = codedPolicies.map((policy, i) => {
+        const selections = policiesWithCode.map((policy, i) => {
             const condition = this.compilePolicyCondition(model, undefined, 'post-update', policy);
             // For allow rules, negate: EXISTS(NOT condition) = true when any updated row violates allow.
             // For deny rules, keep as-is: EXISTS(condition) = true when deny fires.
@@ -1211,19 +1212,19 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             );
         });
 
-        return this.evaluatePolicyDiagnostics(codedPolicies, selections, proceed);
+        return this.evaluatePolicyDiagnostics(policiesWithCode, selections, proceed);
     }
 
     // Single diagnostic query: one EXISTS column per coded policy.
     // EXISTS=true means a violation: deny condition fired, or allow condition wasn't met (negated in caller).
     private async evaluatePolicyDiagnostics(
-        codedPolicies: Policy[],
+        policiesWithCode: Policy[],
         selections: SelectionNode[],
         proceed: ProceedKyselyQueryFunction,
     ): Promise<string[]> {
         const result = await proceed({ kind: 'SelectQueryNode', selections } satisfies SelectQueryNode);
         const row = result.rows[0] ?? {};
-        return codedPolicies.filter((_, i) => row[`$c${i}`]).map((p) => p.code!);
+        return policiesWithCode.filter((_, i) => row[`$c${i}`]).map((p) => p.code!);
     }
 
     private async processReadBack(node: CrudQueryNode, result: QueryResult<any>, proceed: ProceedKyselyQueryFunction) {
diff --git a/tests/e2e/orm/policy/crud/error-codes.test.ts b/tests/e2e/orm/policy/crud/error-codes.test.ts
@@ -553,16 +553,15 @@ model Foo {
 `,
             { plugins: [new PolicyPlugin({ fetchPolicyCodes: false })] },
         );
-        // create: error is still thrown but policyCodes is empty (y=0 triggers deny)
+        // create: pre-create check still fires → REJECTED_BY_POLICY, but no codes (y=0 triggers deny)
         await expect(db.foo.create({ data: { x: 1, y: 0 } })).toBeRejectedByPolicy(undefined, []);
         const row = await db.foo.create({ data: { x: 1, y: 1 } });
         // negRow: x=-1 (denied for update/delete), but y=1 so create succeeds
         const negRow = await db.foo.create({ data: { x: -1, y: 1 } });
-        // update: error is still thrown but policyCodes is empty
-        await expect(db.foo.update({ where: { id: negRow.id }, data: { x: 0 } })).toBeRejectedByPolicy(undefined, []);
-        // delete: error is still thrown but policyCodes is empty
-        await expect(db.foo.delete({ where: { id: negRow.id } })).toBeRejectedByPolicy(undefined, []);
-        // post-update: error is still thrown but policyCodes is empty
+        // update/delete: diagnostic query skipped entirely — behaves as if no codes → NOT_FOUND
+        await expect(db.foo.update({ where: { id: negRow.id }, data: { x: 0 } })).toBeRejectedNotFound();
+        await expect(db.foo.delete({ where: { id: negRow.id } })).toBeRejectedNotFound();
+        // post-update: postUpdateCheck fires independently of fetchPolicyCodes → REJECTED_BY_POLICY, no codes
         await expect(db.foo.update({ where: { id: row.id }, data: { x: -1 } })).toBeRejectedByPolicy(undefined, []);
         await expect(db.foo.update({ where: { id: row.id }, data: { x: 2 } })).resolves.toMatchObject({ x: 2 });
     });
@@ -596,19 +595,16 @@ model Foo {
         await expect(db.foo.create({ data: { x: 1, y: 0 } })).toBeRejectedByPolicy(undefined, ['NEGATIVE_Y_CREATE']);
         const row = await db.foo.create({ data: { x: 1, y: 1 } });
         const negRow = await db.foo.create({ data: { x: -1, y: 1 } });
-        // update: flag suppresses codes
+        // update: flag skips diagnostic query entirely → NOT_FOUND (same as no codes defined)
         await expect(
             db.foo.update({ where: { id: negRow.id }, data: { x: 0 }, fetchPolicyCodes: false }),
-        ).toBeRejectedByPolicy(undefined, []);
+        ).toBeRejectedNotFound();
         // update: without flag, codes surface
         await expect(db.foo.update({ where: { id: negRow.id }, data: { x: 0 } })).toBeRejectedByPolicy(undefined, [
             'NEGATIVE_X_UPDATE',
         ]);
-        // delete: flag suppresses codes
-        await expect(db.foo.delete({ where: { id: negRow.id }, fetchPolicyCodes: false })).toBeRejectedByPolicy(
-            undefined,
-            [],
-        );
+        // delete: flag skips diagnostic query entirely → NOT_FOUND
+        await expect(db.foo.delete({ where: { id: negRow.id }, fetchPolicyCodes: false })).toBeRejectedNotFound();
         // delete: without flag, codes surface
         await expect(db.foo.delete({ where: { id: negRow.id } })).toBeRejectedByPolicy(undefined, [
             'NEGATIVE_X_DELETE',
@@ -623,6 +619,46 @@ model Foo {
         ]);
     });
 
+    it('fetchPolicyCodes:false for update/delete behaves identically to a model without error codes', async () => {
+        const schema = `
+model Foo {
+    id Int @id @default(autoincrement())
+    x  Int
+    @@deny('update', x <= 0, 'NEGATIVE_X_UPDATE')
+    @@allow('update', x > 0)
+    @@deny('delete', x <= 0, 'NEGATIVE_X_DELETE')
+    @@allow('delete', x > 0)
+    @@allow('create,read', true)
+}
+`;
+        const dbWithCodes = await createPolicyTestClient(schema);
+        const dbOptOut = await createPolicyTestClient(schema);
+
+        const [rowWithCodes, rowOptOut] = await Promise.all([
+            dbWithCodes.foo.create({ data: { x: -1 } }),
+            dbOptOut.foo.create({ data: { x: -1 } }),
+        ]);
+
+        // With codes: update throws REJECTED_BY_POLICY with the error code
+        await expect(dbWithCodes.foo.update({ where: { id: rowWithCodes.id }, data: { x: 0 } })).toBeRejectedByPolicy(
+            undefined,
+            ['NEGATIVE_X_UPDATE'],
+        );
+        // Opt-out: same update → NOT_FOUND, matching the no-codes baseline
+        await expect(
+            dbOptOut.foo.update({ where: { id: rowOptOut.id }, data: { x: 0 }, fetchPolicyCodes: false }),
+        ).toBeRejectedNotFound();
+
+        // With codes: delete throws REJECTED_BY_POLICY with the error code
+        await expect(dbWithCodes.foo.delete({ where: { id: rowWithCodes.id } })).toBeRejectedByPolicy(undefined, [
+            'NEGATIVE_X_DELETE',
+        ]);
+        // Opt-out: same delete → NOT_FOUND, matching the no-codes baseline
+        await expect(
+            dbOptOut.foo.delete({ where: { id: rowOptOut.id }, fetchPolicyCodes: false }),
+        ).toBeRejectedNotFound();
+    });
+
     it('query-level fetchPolicyCodes:true overrides plugin-level false', async () => {
         const db = await createTestClient(
             `
@@ -655,19 +691,19 @@ model Foo {
             db.foo.update({ where: { id: negRow.id }, data: { x: 0 }, fetchPolicyCodes: true }),
         ).toBeRejectedByPolicy(undefined, ['NEGATIVE_X_UPDATE']);
         // update: without override, codes are suppressed
-        await expect(db.foo.update({ where: { id: negRow.id }, data: { x: 0 } })).toBeRejectedByPolicy(undefined, []);
+        await expect(db.foo.update({ where: { id: negRow.id }, data: { x: 0 } })).toBeRejectedNotFound();
         // delete: query-level true re-enables codes despite plugin false
         await expect(db.foo.delete({ where: { id: negRow.id }, fetchPolicyCodes: true })).toBeRejectedByPolicy(
             undefined,
             ['NEGATIVE_X_DELETE'],
         );
         // delete: without override, codes are suppressed
-        await expect(db.foo.delete({ where: { id: negRow.id } })).toBeRejectedByPolicy(undefined, []);
+        await expect(db.foo.delete({ where: { id: negRow.id } })).toBeRejectedNotFound();
         // post-update: query-level true re-enables codes despite plugin false
         await expect(
             db.foo.update({ where: { id: row.id }, data: { x: -1 }, fetchPolicyCodes: true }),
         ).toBeRejectedByPolicy(undefined, ['NEGATIVE_AFTER_UPDATE']);
-        // post-update: without override, codes are suppressed
+        // post-update: without override, codes are suppressed and we get a policy rejection without codes (not NotFound)
         await expect(db.foo.update({ where: { id: row.id }, data: { x: -1 } })).toBeRejectedByPolicy(undefined, []);
     });
 });
