refactor(policy): move raw sql allowance into handler

Author: pkudinov

packages/plugins/policy/src/plugin.ts

@@ -1,17 +1,9 @@
 import { type OnKyselyQueryArgs, type RuntimePlugin } from '@zenstackhq/orm';
 import type { SchemaDef } from '@zenstackhq/orm/schema';
-import { RawNode } from 'kysely';
 import { check } from './functions';
-import { PolicyHandler } from './policy-handler';
+import { PolicyHandler, type PolicyHandlerOptions } from './policy-handler';
 
-export type PolicyPluginOptions = {
-    /**
-     * Dangerously bypasses access-policy enforcement for raw SQL queries.
-     * Raw queries remain in the current transaction, but the policy plugin will
-     * not inspect or reject them.
-     */
-    dangerouslyAllowRawSql?: boolean;
-};
+export type PolicyPluginOptions = PolicyHandlerOptions;
 
 export class PolicyPlugin implements RuntimePlugin<SchemaDef, {}, {}, {}> {
     constructor(private readonly options: PolicyPluginOptions = {}) {}
@@ -35,10 +27,7 @@ export class PolicyPlugin implements RuntimePlugin<SchemaDef, {}, {}, {}> {
     }
 
     onKyselyQuery({ query, client, proceed }: OnKyselyQueryArgs<SchemaDef>) {
-        if (this.options.dangerouslyAllowRawSql && RawNode.is(query as never)) {
-            return proceed(query);
-        }
-        const handler = new PolicyHandler<SchemaDef>(client);
+        const handler = new PolicyHandler<SchemaDef>(client, this.options);
         return handler.handle(query, proceed);
     }
 }

packages/plugins/policy/src/policy-handler.ts

@@ -23,6 +23,7 @@ import {
     OperatorNode,
     ParensNode,
     PrimitiveValueListNode,
+    RawNode,
     ReferenceNode,
     ReturningNode,
     SelectAllNode,
@@ -63,11 +64,23 @@ export type MutationQueryNode = InsertQueryNode | UpdateQueryNode | DeleteQueryN
 
 type FieldLevelPolicyOperations = Exclude<CRUD_EXT, 'create' | 'delete'>;
 
+export type PolicyHandlerOptions = {
+    /**
+     * Dangerously bypasses access-policy enforcement for raw SQL queries.
+     * Raw queries remain in the current transaction, but the policy plugin will
+     * not inspect or reject them.
+     */
+    dangerouslyAllowRawSql?: boolean;
+};
+
 export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransformer {
     private readonly dialect: BaseCrudDialect<Schema>;
     private readonly eb = expressionBuilder<any, any>();
 
-    constructor(private readonly client: ClientContract<Schema>) {
+    constructor(
+        private readonly client: ClientContract<Schema>,
+        private readonly options: PolicyHandlerOptions = {},
+    ) {
         super();
         this.dialect = getCrudDialect(this.client.$schema, this.client.$options);
     }
@@ -76,6 +89,9 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
 
     async handle(node: RootOperationNode, proceed: ProceedKyselyQueryFunction) {
         if (!this.isCrudQueryNode(node)) {
+            if (this.options.dangerouslyAllowRawSql && RawNode.is(node as never)) {
+                return proceed(node);
+            }
             // non-CRUD queries are not allowed
             throw createRejectedByPolicyError(
                 undefined,