fix(policy): skip m2m update-policy check for newly created side on connect

ymc9 · claude · ymc9 · commit 59d302d19941 · 2026-03-31T20:06:12.000-07:00
When creating a model with a nested many-to-many `connect`, the join table insert triggered an update-policy check on the just-created entity. Because the connection doesn't exist yet at check time, relation-based policies (e.g. `parents?[id == auth().id]`) always evaluated to false, causing a spurious "not updatable" error. Fix by embedding a lightweight marker in the insert query's end-modifier comment so the policy handler can identify the newly-created side and skip its circular update check. The connected side's update policy is still enforced. Adds regression test for issue #2531. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/packages/orm/src/client/crud/operations/base.ts b/packages/orm/src/client/crud/operations/base.ts
@@ -554,7 +554,8 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         }
 
         if (fromRelation && m2m) {
-            // connect many-to-many relation
+            // connect many-to-many relation; mark the newly created model so the
+            // policy plugin can skip the circular update-policy check on it
             await this.handleManyToManyRelation(
                 kysely,
                 'connect',
@@ -565,6 +566,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 m2m.otherField,
                 [createdEntity],
                 m2m.joinTable,
+                m2m.otherModel,
             );
         }
 
@@ -647,6 +649,10 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         return parentFkFields;
     }
 
+    // Marker embedded in the INSERT end modifier to signal to the policy plugin
+    // that one side of the join was just created in this operation.
+    static readonly M2M_CREATED_MODEL_MARKER_PREFIX = '/*ZS:M2M_CREATED:';
+
     private async handleManyToManyRelation<Action extends 'connect' | 'disconnect'>(
         kysely: AnyKysely,
         action: Action,
@@ -657,6 +663,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         rightField: string,
         rightEntities: any[],
         joinTable: string,
+        newlyCreatedModel?: string,
     ): Promise<void> {
         if (rightEntities.length === 0) {
             return;
@@ -694,6 +701,14 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 )
                 // case for `INSERT IGNORE` syntax
                 .$if(this.dialect.insertIgnoreMethod === 'ignore', (qb) => qb.ignore())
+                // embed a marker so the policy plugin knows which model was just created
+                .$if(newlyCreatedModel !== undefined, (qb) =>
+                    qb.modifyEnd(
+                        sql.raw(
+                            `${BaseOperationHandler.M2M_CREATED_MODEL_MARKER_PREFIX}${newlyCreatedModel}*/`,
+                        ),
+                    ),
+                )
                 .execute();
         } else {
             const eb = expressionBuilder<any, any>();
@@ -829,7 +844,9 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 }
 
                 case 'connect': {
-                    await this.connectRelation(kysely, relationModel, subPayload, fromRelationContext);
+                    // contextModel was just created; pass it so the policy plugin can
+                    // skip the circular update-policy check on the newly created side
+                    await this.connectRelation(kysely, relationModel, subPayload, fromRelationContext, contextModel);
                     break;
                 }
 
@@ -839,7 +856,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                         if (!found) {
                             await this.create(kysely, relationModel, item.create, fromRelationContext);
                         } else {
-                            await this.connectRelation(kysely, relationModel, found, fromRelationContext);
+                            await this.connectRelation(kysely, relationModel, found, fromRelationContext, contextModel);
                         }
                     }
                     break;
@@ -1910,7 +1927,13 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
 
     // #region relation manipulation
 
-    protected async connectRelation(kysely: AnyKysely, model: string, data: any, fromRelation: FromRelationContext) {
+    protected async connectRelation(
+        kysely: AnyKysely,
+        model: string,
+        data: any,
+        fromRelation: FromRelationContext,
+        newlyCreatedModel?: string,
+    ) {
         const _data = this.normalizeRelationManipulationInput(model, data);
         if (_data.length === 0) {
             return;
@@ -1933,6 +1956,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 m2m.otherField!,
                 allIds,
                 m2m.joinTable,
+                newlyCreatedModel,
             );
         } else {
             const { ownedByModel, keyPairs } = getRelationForeignKeyFieldPairs(
diff --git a/packages/plugins/policy/src/policy-handler.ts b/packages/plugins/policy/src/policy-handler.ts
@@ -784,6 +784,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         for (const values of valueRows) {
             if (isManyToManyJoinTable) {
                 await this.enforcePreCreatePolicyForManyToManyJoinTable(
+                    node,
                     mutationModel,
                     fields,
                     values.map((v) => v.node),
@@ -801,6 +802,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
     }
 
     private async enforcePreCreatePolicyForManyToManyJoinTable(
+        node: InsertQueryNode,
         tableName: string,
         fields: string[],
         values: OperationNode[],
@@ -823,15 +825,24 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         invariant(aValue !== null && aValue !== undefined, 'A value cannot be null or undefined');
         invariant(bValue !== null && bValue !== undefined, 'B value cannot be null or undefined');
 
+        // If one side was just created in this operation, its update-policy check is
+        // inherently circular (it has no relations yet), so we skip it.  The create
+        // policy for that side was already verified earlier in the operation.
+        const newlyCreatedModel = this.extractNewlyCreatedModel(node);
+
         const eb = expressionBuilder<any, any>();
 
-        const filterA = this.buildPolicyFilter(m2m.firstModel, undefined, 'update');
+        const filterA = newlyCreatedModel === m2m.firstModel
+            ? trueNode(this.dialect)
+            : this.buildPolicyFilter(m2m.firstModel, undefined, 'update');
         const queryA = eb
             .selectFrom(m2m.firstModel)
             .where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), '=', aValue))
             .select(() => new ExpressionWrapper(filterA).as('_'));
 
-        const filterB = this.buildPolicyFilter(m2m.secondModel, undefined, 'update');
+        const filterB = newlyCreatedModel === m2m.secondModel
+            ? trueNode(this.dialect)
+            : this.buildPolicyFilter(m2m.secondModel, undefined, 'update');
         const queryB = eb
             .selectFrom(m2m.secondModel)
             .where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), '=', bValue))
@@ -850,7 +861,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         if (!result.rows[0]?.$conditionA) {
             throw createRejectedByPolicyError(
                 m2m.firstModel,
-                RejectedByPolicyReason.CANNOT_READ_BACK,
+                RejectedByPolicyReason.NO_ACCESS,
                 `many-to-many relation participant model "${m2m.firstModel}" not updatable`,
             );
         }
@@ -863,6 +874,19 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         }
     }
 
+    private extractNewlyCreatedModel(node: InsertQueryNode): string | undefined {
+        const prefix = '/*ZS:M2M_CREATED:';
+        for (const modifier of node.endModifiers ?? []) {
+            if (RawNode.is(modifier)) {
+                const fragment = modifier.sqlFragments[0];
+                if (fragment?.startsWith(prefix)) {
+                    return fragment.slice(prefix.length, -2); // strip prefix and trailing */
+                }
+            }
+        }
+        return undefined;
+    }
+
     private async enforcePreCreatePolicyForOne(
         model: string,
         fields: string[],
diff --git a/tests/regression/test/issue-2531.test.ts b/tests/regression/test/issue-2531.test.ts
@@ -0,0 +1,71 @@
+import { createPolicyTestClient } from '@zenstackhq/testtools';
+import { describe, expect, it } from 'vitest';
+
+// https://github.com/zenstackhq/zenstack/issues/2531
+// Many-to-many update check failing with connect:
+// Creating a Child with a nested `connect` on a many-to-many relation incorrectly
+// fails with "model not updatable" because the update policy check runs before
+// the connection is established.
+describe('Regression for issue #2531', () => {
+    const schema = `
+model User {
+    id       Int     @id @default(autoincrement())
+    name     String
+    children Child[]
+
+    @@allow('all', true)
+}
+
+model Child {
+    id      Int    @id @default(autoincrement())
+    name    String
+    parents User[]
+
+    @@allow('create', auth() != null)
+    @@allow('read,update', auth() != null && parents?[id == auth().id])
+}
+    `;
+
+    it('should allow creating a child with connect to a many-to-many parent', async () => {
+        const db = await createPolicyTestClient(schema, { usePrismaPush: true, debug: true });
+
+        const user = await db.user.create({ data: { name: 'Alice' } });
+
+        const authedDb = db.$setAuth(user);
+
+        // This should succeed: after the create+connect, the child will have
+        // the authenticated user as a parent, satisfying the read-back policy.
+        const child = await authedDb.child.create({
+            data: {
+                name: 'Child1',
+                parents: {
+                    connect: { id: user.id },
+                },
+            },
+        });
+
+        expect(child).toMatchObject({ name: 'Child1' });
+    });
+
+    it('should deny creating a child without connecting to the authenticated user', async () => {
+        const db = await createPolicyTestClient(schema, { usePrismaPush: true });
+
+        const user = await db.user.create({ data: { name: 'Alice' } });
+        const otherUser = await db.user.create({ data: { name: 'Bob' } });
+
+        const authedDb = db.$setAuth(user);
+
+        // Connecting to a different user's id should fail the read-back policy
+        // since the authenticated user is not a parent of the resulting child.
+        await expect(
+            authedDb.child.create({
+                data: {
+                    name: 'Child2',
+                    parents: {
+                        connect: { id: otherUser.id },
+                    },
+                },
+            }),
+        ).toBeRejectedByPolicy();
+    });
+});
