PolicyPlugin rejects raw SQL methods ($queryRaw, $executeRaw)

[pkudinov]

Description

$queryRawUnsafe, $executeRawUnsafe, $queryRaw, and $executeRaw fail with "non-CRUD queries are not allowed" when PolicyPlugin is active.

Reproduction

const client = new ZenStackClient(schema, {
  dialect: new PostgresDialect({ pool }),
  plugins: [new PolicyPlugin()],
});

// This throws: "non-CRUD queries are not allowed"
await client.$queryRawUnsafe('SELECT 1');

Root cause

In client-impl.ts, all four raw methods execute through this.kysely, which routes queries through ZenStackQueryExecutor and the plugin pipeline. PolicyPlugin's handle() (policy-handler.ts:78-84) rejects any node that isn't Select/Insert/Update/Delete:

if (!this.isCrudQueryNode(node)) {
    throw createRejectedByPolicyError(
        undefined,
        RejectedByPolicyReason.OTHER,
        'non-CRUD queries are not allowed',
    );
}

Raw SQL produces a RawNode, not a CRUD node, so it's always rejected.

Why this should be fixed

Raw SQL has no model-level semantics — there's no table/row context for PolicyPlugin to enforce access control on. The caller is fully responsible for the SQL they write. Blocking raw SQL forces users to either:

• Maintain a separate non-policy client just for raw queries
• Call $unuseAll() before every raw query (which also has a transaction isolation bug, see $unuseAll() and $unuse() break transaction isolation #2494)
• Mutate $options.plugins at runtime to temporarily remove PolicyPlugin

All three workarounds are fragile and error-prone.

Suggested fix

Route raw SQL methods through kyselyRaw instead of this.kysely:

$queryRawUnsafe<T = unknown>(query: string, ...values: any[]) {
    return createZenStackPromise(async () => {
        const compiledQuery = this.createRawCompiledQuery(query, values);
        const result = await this.kyselyRaw.executeQuery(compiledQuery);
        return result.rows as T;
    });
}

Note: kyselyRaw would also need to be updated inside interactiveTransaction to preserve transaction isolation (same pattern as this.kysely = tx).

Alternatively, PolicyPlugin could pass through non-CRUD nodes instead of rejecting them.

Version

@zenstackhq/orm 3.4.6, @zenstackhq/plugin-policy 3.4.6

[ymc9]

Hi @pkudinov , raw queries are intentionally rejected by the policy plugin as a safety measure, as a user may have the impression that everything that goes through the plugin is guarded by access policies.

We should probably introduce a flag to the plugin to "dangerously" allow it?

[pkudinov]

I agree – this is a nice feature to fully prevent Raw by default. However I'm feeling strongly that users should be able to still do it to maintain feature parity with Prisma & Zenstack V2 – through a flag on a client for example.

The problem with the flag on a client though is that we will have to set it globally for the whole app. So perhaps a better option is to name these raw queries like dangerouslyExecuteQueryRaw or unpoliciedExecutedQueryRaw?

[pkudinov]

I decided to implement a flag on the plugin following @ymc9 's suggestion. It is easy, explicit and focused. Implementing raw query methods is harder and might be more fragile. Let's see how it lands in the community and see if anyone else needs these methods.