fix(orm): restore HasMany includes when PK/FK has a field access policy (#2674)

Author: lsmith77

packages/orm/src/client/crud/dialects/lateral-join-dialect-base.ts

@@ -9,6 +9,7 @@ import {
     getDelegateDescendantModels,
     getManyToManyRelation,
     isRelationField,
+    joinKeyRef,
     requireField,
     requireIdFields,
     requireModel,
@@ -139,14 +140,17 @@ export abstract class LateralJoinDialectBase<Schema extends SchemaDef> extends B
             const relationIds = requireIdFields(this.schema, relationModel);
             invariant(parentIds.length === 1, 'many-to-many relation must have exactly one id field');
             invariant(relationIds.length === 1, 'many-to-many relation must have exactly one id field');
+            // Use raw-alias refs so field access policies wrapping PK/FK in CASE WHEN NULL do not break the join.
+            const relationIdRef = joinKeyRef(this.schema, relationModel, relationModelAlias, relationIds[0]!);
+            const parentIdRef = joinKeyRef(this.schema, model, parentAlias, parentIds[0]!);
             query = query.where((eb) =>
                 eb(
-                    eb.ref(`${relationModelAlias}.${relationIds[0]}`),
+                    eb.ref(relationIdRef),
                     'in',
                     eb
                         .selectFrom(m2m.joinTable)
                         .select(`${m2m.joinTable}.${m2m.otherFkName}`)
-                        .whereRef(`${parentAlias}.${parentIds[0]}`, '=', `${m2m.joinTable}.${m2m.parentFkName}`),
+                        .whereRef(parentIdRef, '=', `${m2m.joinTable}.${m2m.parentFkName}`),
                 ),
             );
         } else {

packages/orm/src/client/crud/dialects/sqlite.ts

@@ -21,6 +21,7 @@ import {
     getDelegateDescendantModels,
     getManyToManyRelation,
     getRelationForeignKeyFieldPairs,
+    joinKeyRef,
     requireField,
     requireIdFields,
     requireModel,
@@ -359,32 +360,39 @@ export class SqliteCrudDialect<Schema extends SchemaDef> extends BaseCrudDialect
             const relationIds = requireIdFields(this.schema, relationModel);
             invariant(parentIds.length === 1, 'many-to-many relation must have exactly one id field');
             invariant(relationIds.length === 1, 'many-to-many relation must have exactly one id field');
+            // Use raw-alias refs so field access policies wrapping PK/FK in CASE WHEN NULL do not break the join.
+            const relationIdRef = joinKeyRef(this.schema, relationModel, relationModelAlias, relationIds[0]!);
+            const parentIdRef = joinKeyRef(this.schema, model, parentAlias, parentIds[0]!);
             selectModelQuery = selectModelQuery.where((eb) =>
                 eb(
-                    eb.ref(`${relationModelAlias}.${relationIds[0]}`),
+                    eb.ref(relationIdRef),
                     'in',
                     eb
                         .selectFrom(m2m.joinTable)
                         .select(`${m2m.joinTable}.${m2m.otherFkName}`)
-                        .whereRef(`${parentAlias}.${parentIds[0]}`, '=', `${m2m.joinTable}.${m2m.parentFkName}`),
+                        .whereRef(parentIdRef, '=', `${m2m.joinTable}.${m2m.parentFkName}`),
                 ),
             );
         } else {
             const { keyPairs, ownedByModel } = getRelationForeignKeyFieldPairs(this.schema, model, relationField);
             keyPairs.forEach(({ fk, pk }) => {
                 if (ownedByModel) {
-                    // the parent model owns the fk
+                    // BelongsTo: model owns the FK, relation has the PK.
+                    // Use raw alias only for the PK side. The FK side stays as a plain ref so that
+                    // denying the FK intentionally hides the relation (the join evaluates to NULL).
                     selectModelQuery = selectModelQuery.whereRef(
-                        `${relationModelAlias}.${pk}`,
+                        joinKeyRef(this.schema, relationModel, relationModelAlias, pk),
                         '=',
                         `${parentAlias}.${fk}`,
                     );
                 } else {
-                    // the relation side owns the fk
+                    // HasMany: relation owns the FK, model has the PK.
+                    // Use raw alias on both sides: the child's FK may be denied (to hide which parent
+                    // it belongs to) but the parent must still be able to fetch its children.
                     selectModelQuery = selectModelQuery.whereRef(
-                        `${relationModelAlias}.${fk}`,
+                        joinKeyRef(this.schema, relationModel, relationModelAlias, fk),
                         '=',
-                        `${parentAlias}.${pk}`,
+                        joinKeyRef(this.schema, model, parentAlias, pk),
                     );
                 }
             });

packages/orm/src/client/query-utils.ts

@@ -234,6 +234,34 @@ export function isTypeDef(schema: SchemaDef, type: string) {
     return !!schema.typeDefs?.[type];
 }
 
+/**
+ * Prefix added to PK/FK columns in field-policy subqueries so join conditions
+ * can reference the raw (never-nulled) value even when the field itself is
+ * covered by a @deny rule that wraps it in CASE WHEN … THEN NULL.
+ */
+export const JOIN_KEY_RAW_PREFIX = '__zs_raw_';
+
+/**
+ * Returns true when the field has at least one @deny or @allow attribute declared,
+ * meaning the policy handler may wrap it in CASE WHEN … THEN NULL in SELECT
+ * subqueries and the join condition must use the raw-alias instead.
+ */
+export function fieldHasConditionalReadPolicy(schema: SchemaDef, model: string, field: string): boolean {
+    const fieldDef = getField(schema, model, field);
+    return fieldDef?.attributes?.some((a) => a.name === '@deny' || a.name === '@allow') ?? false;
+}
+
+/**
+ * Returns the column reference to use on the given side of a join condition.
+ * When the field carries a @deny or @allow policy the policy handler adds a raw alias
+ * (JOIN_KEY_RAW_PREFIX + fieldName) so the join is not broken by CASE WHEN NULL.
+ */
+export function joinKeyRef(schema: SchemaDef, model: string, tableAlias: string, field: string): string {
+    return fieldHasConditionalReadPolicy(schema, model, field)
+        ? `${tableAlias}.${JOIN_KEY_RAW_PREFIX}${field}`
+        : `${tableAlias}.${field}`;
+}
+
 export function buildJoinPairs(
     schema: SchemaDef,
     model: string,
@@ -242,14 +270,25 @@ export function buildJoinPairs(
     relationModelAlias: string,
 ): [string, string][] {
     const { keyPairs, ownedByModel } = getRelationForeignKeyFieldPairs(schema, model, relationField);
+    const relationModel = requireField(schema, model, relationField).type;
 
     return keyPairs.map(({ fk, pk }) => {
         if (ownedByModel) {
-            // the parent model owns the fk
-            return [`${relationModelAlias}.${pk}`, `${modelAlias}.${fk}`];
+            // BelongsTo: model owns the FK, relation has the PK.
+            // Use raw alias only for the PK side. The FK side stays as a plain ref so that
+            // denying the FK intentionally hides the relation (the join evaluates to NULL).
+            return [
+                joinKeyRef(schema, relationModel, relationModelAlias, pk),
+                `${modelAlias}.${fk}`,
+            ];
         } else {
-            // the relation side owns the fk
-            return [`${relationModelAlias}.${fk}`, `${modelAlias}.${pk}`];
+            // HasMany: relation owns the FK, model has the PK.
+            // Use raw alias on both sides: the child's FK may be denied (to hide which parent it
+            // belongs to) but the parent must still be able to fetch its children.
+            return [
+                joinKeyRef(schema, relationModel, relationModelAlias, fk),
+                joinKeyRef(schema, model, modelAlias, pk),
+            ];
         }
     });
 }

packages/plugins/policy/src/policy-handler.ts

@@ -697,6 +697,19 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             );
             hasPolicies = hasPolicies || fieldHasPolicies;
             selections.push(selection);
+
+            // When a PK or FK field is wrapped in CASE WHEN … THEN NULL by a field access policy,
+            // also expose the raw value under a stable alias so join conditions are not broken.
+            // Used for PK (HasMany parent) and FK (HasMany child). BelongsTo parent FK is kept as
+            // a plain ref intentionally: denying that FK is designed to hide the relation entirely.
+            if (fieldHasPolicies && (fieldDef.id || fieldDef.foreignKeyFor)) {
+                const rawAlias = `${QueryUtils.JOIN_KEY_RAW_PREFIX}${fieldDef.name}`;
+                selections.push(
+                    SelectionNode.create(
+                        AliasNode.create(ColumnNode.create(fieldDef.name), IdentifierNode.create(rawAlias)),
+                    ),
+                );
+            }
         }
 
         if (!hasPolicies) {

tests/regression/test/issue-2674.test.ts

@@ -0,0 +1,150 @@
+import { createPolicyTestClient } from '@zenstackhq/testtools';
+import { describe, expect, it } from 'vitest';
+
+// https://github.com/zenstackhq/zenstack/issues/2674
+describe('Regression for issue #2674', () => {
+    it('@deny on PK should not break include (HasMany)', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id   String @id @default(cuid())
+    role String
+    @@allow('all', true)
+}
+
+model Post {
+    id       Int       @id @default(autoincrement()) @deny('all', auth().role != 'ADMIN')
+    title    String    @unique
+    comments Comment[]
+    @@allow('all', true)
+}
+
+model Comment {
+    id      Int    @id @default(autoincrement())
+    content String
+    postId  Int
+    post    Post   @relation(fields: [postId], references: [id])
+    @@allow('all', true)
+}
+            `,
+        );
+
+        const admin = { id: 'admin-1', role: 'ADMIN' };
+        const user = { id: 'user-1', role: 'USER' };
+
+        await db.$setAuth(admin).post.create({
+            data: {
+                title: 'Test Post',
+                comments: { create: [{ content: 'Comment 1' }, { content: 'Comment 2' }] },
+            },
+        });
+
+        // Admin sees everything normally
+        const adminResult = await db.$setAuth(admin).post.findUnique({
+            where: { title: 'Test Post' },
+            include: { comments: true },
+        });
+        expect(adminResult?.id).toBeGreaterThan(0);
+        expect(adminResult?.comments).toHaveLength(2);
+
+        // USER role: id is denied (returns null) but include should still populate comments
+        const userResult = await db.$setAuth(user).post.findUnique({
+            where: { title: 'Test Post' },
+            include: { comments: true },
+        });
+        expect(userResult?.id).toBeNull();
+        expect(userResult?.comments).toHaveLength(2);
+    });
+
+    it('@deny on FK hides the BelongsTo relation (by design)', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id   String @id @default(cuid())
+    role String
+    @@allow('all', true)
+}
+
+model Post {
+    id       Int       @id @default(autoincrement())
+    title    String
+    comments Comment[]
+    @@allow('all', true)
+}
+
+model Comment {
+    id      Int    @id @default(autoincrement())
+    content String
+    postId  Int    @deny('all', auth().role != 'ADMIN')
+    post    Post   @relation(fields: [postId], references: [id])
+    @@allow('all', true)
+}
+            `,
+        );
+
+        const admin = { id: 'admin-1', role: 'ADMIN' };
+        const user = { id: 'user-1', role: 'USER' };
+
+        const post = await db.$setAuth(admin).post.create({
+            data: { title: 'Test Post' },
+        });
+
+        const comment = await db.$setAuth(admin).comment.create({
+            data: { content: 'A comment', postId: post.id },
+        });
+
+        // USER role: postId is denied — both the FK value and the relation are hidden (by design)
+        const userResult = await db.$setAuth(user).comment.findUnique({
+            where: { id: comment.id },
+            include: { post: true },
+        });
+        expect(userResult?.postId).toBeNull();
+        expect(userResult?.post).toBeNull();
+    });
+
+    it('@deny on both PK and FK should not break include', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id   String @id @default(cuid())
+    role String
+    @@allow('all', true)
+}
+
+model Post {
+    id       Int       @id @default(autoincrement()) @deny('all', auth().role != 'ADMIN')
+    title    String    @unique
+    comments Comment[]
+    @@allow('all', true)
+}
+
+model Comment {
+    id      Int    @id @default(autoincrement())
+    content String
+    postId  Int    @deny('all', auth().role != 'ADMIN')
+    post    Post   @relation(fields: [postId], references: [id])
+    @@allow('all', true)
+}
+            `,
+        );
+
+        const admin = { id: 'admin-1', role: 'ADMIN' };
+        const user = { id: 'user-1', role: 'USER' };
+
+        await db.$setAuth(admin).post.create({
+            data: {
+                title: 'Test Post',
+                comments: { create: [{ content: 'C1' }, { content: 'C2' }] },
+            },
+        });
+
+        // Find by non-denied field (title) so the WHERE is not affected by @deny on id
+        const userResult = await db.$setAuth(user).post.findUnique({
+            where: { title: 'Test Post' },
+            include: { comments: true },
+        });
+        expect(userResult?.id).toBeNull();
+        expect(userResult?.comments).toHaveLength(2);
+        expect(userResult?.comments[0]?.postId).toBeNull();
+    });
+});