fix(policy): incorrect policy injection for createManyAndReturn when the model contains array fields

[ymc9]

fixes #1955

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request includes a version update to 2.11.2 in the build.gradle.kts file and modifications to the createManyAndReturn method in the PolicyProxyHandler class to enhance argument preparation. Additionally, a new regression test suite has been added to address issue #1955, which verifies the functionality of creating multiple entries with different policy configurations.

Changes

File	Change Summary
packages/ide/jetbrains/build.gradle.kts	Version bumped from 2.11.1 to 2.11.2
packages/runtime/src/enhancements/node/policy/handler.ts	Updated createManyAndReturn method to use makeIdSelection for argument handling
tests/regression/tests/issue-1955.test.ts	Added new test suite with "simple policy" and "complex policy" test cases
tests/integration/tests/enhancements/with-policy/create-many-and-return.test.ts	Modified assertions and comments related to createManyAndReturn behavior

Assessment against linked issues

Objective	Addressed	Explanation
Fix createManyAndReturn for models with array fields [#1955]	✅
Ensure compatibility with Prisma 6.2.x	❌	The PR does not explicitly address compatibility with the specified Prisma version.

Possibly related PRs

• fix: infinite recursion when injecting field selection for field-level permission check #1452: This PR updates the version number in the build.gradle.kts file, similar to the main PR which also modifies the version number in the same file.
• chore: bump version #1459: This PR also involves a version bump in the build.gradle.kts file, aligning with the version update in the main PR.
• merge dev to main (v2.6.2) #1752: This PR involves a version update in the build.gradle.kts file, which is directly related to the version change in the main PR.

Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

tests/regression/tests/issue-1955.test.ts (2)

4-45: LGTM! Consider adding assertions for the array field.

The test case effectively verifies the basic functionality of createManyAndReturn. However, since the issue specifically relates to models with array fields, consider adding assertions for the expections array field to ensure it's handled correctly.

 await expect(
     db.post.createManyAndReturn({
         data: [
             {
                 name: 'bla',
+                expections: ['exp1', 'exp2'],
             },
             {
                 name: 'blu',
+                expections: ['exp3', 'exp4'],
             },
         ],
     })
 ).resolves.toEqual(
     expect.arrayContaining([
-        expect.objectContaining({ name: 'bla' }),
-        expect.objectContaining({ name: 'blu' }),
+        expect.objectContaining({ 
+            name: 'bla',
+            expections: ['exp1', 'exp2']
+        }),
+        expect.objectContaining({ 
+            name: 'blu',
+            expections: ['exp3', 'exp4']
+        }),
     ])
 );

---

47-96: LGTM! Consider adding test cases for policy enforcement.

The test case effectively verifies createManyAndReturn with a complex policy. However, consider adding test cases that:

1. Verify the policy is actually enforced by attempting to create posts with private comments
2. Test the behavior when mixing allowed and disallowed operations in a single batch

 it('complex policy', async () => {
     const dbUrl = await createPostgresDb('issue-1955-2');
     let _prisma: any;

     try {
         const { enhance, prisma } = await loadSchema(
             `
         model Post {
             id Int @id @default(autoincrement())
             name String
             expections String[]
             comments Comment[]

             @@allow('all', comments^[private])
         }

         model Comment {
             id Int @id @default(autoincrement())
             private Boolean @default(false)
             postId Int
             post Post @relation(fields: [postId], references: [id])
         }
         `,
             { provider: 'postgresql', dbUrl }
         );
         _prisma = prisma;

         const db = enhance();
+        // Test successful creation
         await expect(
             db.post.createManyAndReturn({
                 data: [
                     {
                         name: 'bla',
+                        comments: {
+                            create: { private: false }
+                        }
                     },
                     {
                         name: 'blu',
+                        comments: {
+                            create: { private: false }
+                        }
                     },
                 ],
             })
         ).resolves.toEqual(
             expect.arrayContaining([
                 expect.objectContaining({ name: 'bla' }),
                 expect.objectContaining({ name: 'blu' }),
             ])
         );
+
+        // Test policy enforcement
+        await expect(
+            db.post.createManyAndReturn({
+                data: [
+                    {
+                        name: 'bla2',
+                        comments: {
+                            create: { private: true }
+                        }
+                    }
+                ],
+            })
+        ).rejects.toThrow();
+
+        // Test mixed allowed/disallowed operations
+        await expect(
+            db.post.createManyAndReturn({
+                data: [
+                    {
+                        name: 'bla3',
+                        comments: {
+                            create: { private: false }
+                        }
+                    },
+                    {
+                        name: 'blu3',
+                        comments: {
+                            create: { private: true }
+                        }
+                    }
+                ],
+            })
+        ).rejects.toThrow();
     } finally {
         await _prisma.$disconnect();
         await dropPostgresDb('issue-1955-2');
     }
 });

packages/runtime/src/enhancements/node/policy/handler.ts (1)

481-487: LGTM! Consider adding error handling for invalid select fields.

The changes correctly ensure that only ID fields are selected for return. However, consider adding validation for cases where the original select argument might conflict with the required ID fields.

 const updatedArgs = {
     ...args,
-    select: this.policyUtils.makeIdSelection(this.model),
+    select: {
+        ...this.policyUtils.makeIdSelection(this.model),
+        ...(args.select ? this.validateSelectFields(args.select) : {}),
+    },
 };

+private validateSelectFields(select: any): any {
+    const idFields = this.policyUtils.makeIdSelection(this.model);
+    // Ensure required ID fields are not excluded
+    for (const [field, value] of Object.entries(idFields)) {
+        if (select[field] === false) {
+            throw this.policyUtils.validationError(
+                `Cannot exclude required ID field "${field}" in select`
+            );
+        }
+    }
+    return select;
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8e3b675 and 35517a1.

⛔ Files ignored due to path filters (13)

• package.json is excluded by !**/*.json
• packages/ide/jetbrains/package.json is excluded by !**/*.json
• packages/language/package.json is excluded by !**/*.json
• packages/misc/redwood/package.json is excluded by !**/*.json
• packages/plugins/openapi/package.json is excluded by !**/*.json
• packages/plugins/swr/package.json is excluded by !**/*.json
• packages/plugins/tanstack-query/package.json is excluded by !**/*.json
• packages/plugins/trpc/package.json is excluded by !**/*.json
• packages/runtime/package.json is excluded by !**/*.json
• packages/schema/package.json is excluded by !**/*.json
• packages/sdk/package.json is excluded by !**/*.json
• packages/server/package.json is excluded by !**/*.json
• packages/testtools/package.json is excluded by !**/*.json

📒 Files selected for processing (3)

• packages/ide/jetbrains/build.gradle.kts (1 hunks)
• packages/runtime/src/enhancements/node/policy/handler.ts (1 hunks)
• tests/regression/tests/issue-1955.test.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/ide/jetbrains/build.gradle.kts

⏰ Context from checks skipped due to timeout of 90000ms (6)

• GitHub Check: build-test (20.x)
• GitHub Check: build-test (20.x)
• GitHub Check: dependency-review
• GitHub Check: build-test (20.x)
• GitHub Check: OSSAR-Scan
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/integration/tests/enhancements/with-policy/create-many-and-return.test.ts (1)

95-105: LGTM! Consider strengthening the assertions.

The test effectively verifies the field-level policy behavior for createManyAndReturn with array fields. It confirms that:

1. Both posts are created successfully
2. The title field is correctly filtered based on the published state

Consider strengthening the assertions by checking the actual title values:

 expect(r.length).toBe(2);
-expect(r[0].title).toBeTruthy();
+expect(r[0].title).toBe('post1');
 expect(r[1].title).toBeUndefined();

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35517a1 and 2ee868f.

📒 Files selected for processing (2)

• packages/runtime/src/enhancements/node/policy/handler.ts (1 hunks)
• tests/integration/tests/enhancements/with-policy/create-many-and-return.test.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/runtime/src/enhancements/node/policy/handler.ts

⏰ Context from checks skipped due to timeout of 90000ms (6)

• GitHub Check: build-test (20.x)
• GitHub Check: build-test (20.x)
• GitHub Check: build-test (20.x)
• GitHub Check: OSSAR-Scan
• GitHub Check: dependency-review
• GitHub Check: Analyze (javascript-typescript)