Revert "fix(policy): skip m2m update-policy check for newly created side on connect"

This reverts commit 59d302d.

Author: ymc9

packages/orm/src/client/crud/operations/base.ts

@@ -554,8 +554,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         }
 
         if (fromRelation && m2m) {
-            // connect many-to-many relation; mark the newly created model so the
-            // policy plugin can skip the circular update-policy check on it
+            // connect many-to-many relation
             await this.handleManyToManyRelation(
                 kysely,
                 'connect',
@@ -566,7 +565,6 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 m2m.otherField,
                 [createdEntity],
                 m2m.joinTable,
-                m2m.otherModel,
             );
         }
 
@@ -649,10 +647,6 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         return parentFkFields;
     }
 
-    // Marker embedded in the INSERT end modifier to signal to the policy plugin
-    // that one side of the join was just created in this operation.
-    static readonly M2M_CREATED_MODEL_MARKER_PREFIX = '/*ZS:M2M_CREATED:';
-
     private async handleManyToManyRelation<Action extends 'connect' | 'disconnect'>(
         kysely: AnyKysely,
         action: Action,
@@ -663,7 +657,6 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
         rightField: string,
         rightEntities: any[],
         joinTable: string,
-        newlyCreatedModel?: string,
     ): Promise<void> {
         if (rightEntities.length === 0) {
             return;
@@ -701,14 +694,6 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 )
                 // case for `INSERT IGNORE` syntax
                 .$if(this.dialect.insertIgnoreMethod === 'ignore', (qb) => qb.ignore())
-                // embed a marker so the policy plugin knows which model was just created
-                .$if(newlyCreatedModel !== undefined, (qb) =>
-                    qb.modifyEnd(
-                        sql.raw(
-                            `${BaseOperationHandler.M2M_CREATED_MODEL_MARKER_PREFIX}${newlyCreatedModel}*/`,
-                        ),
-                    ),
-                )
                 .execute();
         } else {
             const eb = expressionBuilder<any, any>();
@@ -844,9 +829,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 }
 
                 case 'connect': {
-                    // contextModel was just created; pass it so the policy plugin can
-                    // skip the circular update-policy check on the newly created side
-                    await this.connectRelation(kysely, relationModel, subPayload, fromRelationContext, contextModel);
+                    await this.connectRelation(kysely, relationModel, subPayload, fromRelationContext);
                     break;
                 }
 
@@ -856,7 +839,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                         if (!found) {
                             await this.create(kysely, relationModel, item.create, fromRelationContext);
                         } else {
-                            await this.connectRelation(kysely, relationModel, found, fromRelationContext, contextModel);
+                            await this.connectRelation(kysely, relationModel, found, fromRelationContext);
                         }
                     }
                     break;
@@ -1927,13 +1910,7 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
 
     // #region relation manipulation
 
-    protected async connectRelation(
-        kysely: AnyKysely,
-        model: string,
-        data: any,
-        fromRelation: FromRelationContext,
-        newlyCreatedModel?: string,
-    ) {
+    protected async connectRelation(kysely: AnyKysely, model: string, data: any, fromRelation: FromRelationContext) {
         const _data = this.normalizeRelationManipulationInput(model, data);
         if (_data.length === 0) {
             return;
@@ -1956,7 +1933,6 @@ export abstract class BaseOperationHandler<Schema extends SchemaDef> {
                 m2m.otherField!,
                 allIds,
                 m2m.joinTable,
-                newlyCreatedModel,
             );
         } else {
             const { ownedByModel, keyPairs } = getRelationForeignKeyFieldPairs(

packages/plugins/policy/src/policy-handler.ts

@@ -784,7 +784,6 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         for (const values of valueRows) {
             if (isManyToManyJoinTable) {
                 await this.enforcePreCreatePolicyForManyToManyJoinTable(
-                    node,
                     mutationModel,
                     fields,
                     values.map((v) => v.node),
@@ -802,7 +801,6 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
     }
 
     private async enforcePreCreatePolicyForManyToManyJoinTable(
-        node: InsertQueryNode,
         tableName: string,
         fields: string[],
         values: OperationNode[],
@@ -825,24 +823,15 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         invariant(aValue !== null && aValue !== undefined, 'A value cannot be null or undefined');
         invariant(bValue !== null && bValue !== undefined, 'B value cannot be null or undefined');
 
-        // If one side was just created in this operation, its update-policy check is
-        // inherently circular (it has no relations yet), so we skip it.  The create
-        // policy for that side was already verified earlier in the operation.
-        const newlyCreatedModel = this.extractNewlyCreatedModel(node);
-
         const eb = expressionBuilder<any, any>();
 
-        const filterA = newlyCreatedModel === m2m.firstModel
-            ? trueNode(this.dialect)
-            : this.buildPolicyFilter(m2m.firstModel, undefined, 'update');
+        const filterA = this.buildPolicyFilter(m2m.firstModel, undefined, 'update');
         const queryA = eb
             .selectFrom(m2m.firstModel)
             .where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), '=', aValue))
             .select(() => new ExpressionWrapper(filterA).as('_'));
 
-        const filterB = newlyCreatedModel === m2m.secondModel
-            ? trueNode(this.dialect)
-            : this.buildPolicyFilter(m2m.secondModel, undefined, 'update');
+        const filterB = this.buildPolicyFilter(m2m.secondModel, undefined, 'update');
         const queryB = eb
             .selectFrom(m2m.secondModel)
             .where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), '=', bValue))
@@ -861,7 +850,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         if (!result.rows[0]?.$conditionA) {
             throw createRejectedByPolicyError(
                 m2m.firstModel,
-                RejectedByPolicyReason.NO_ACCESS,
+                RejectedByPolicyReason.CANNOT_READ_BACK,
                 `many-to-many relation participant model "${m2m.firstModel}" not updatable`,
             );
         }
@@ -874,19 +863,6 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         }
     }
 
-    private extractNewlyCreatedModel(node: InsertQueryNode): string | undefined {
-        const prefix = '/*ZS:M2M_CREATED:';
-        for (const modifier of node.endModifiers ?? []) {
-            if (RawNode.is(modifier)) {
-                const fragment = modifier.sqlFragments[0];
-                if (fragment?.startsWith(prefix)) {
-                    return fragment.slice(prefix.length, -2); // strip prefix and trailing */
-                }
-            }
-        }
-        return undefined;
-    }
-
     private async enforcePreCreatePolicyForOne(
         model: string,
         fields: string[],