fix(policy): resolve this.relation.field against @@allow model, unnest array columns in subqueries

packages/plugins/policy/src/expression-transformer.ts

@@ -702,7 +702,10 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
             } else {
                 // transform the first segment into a relation access, then continue with the rest of the members
                 const firstMemberFieldDef = QueryUtils.requireField(this.schema, context.thisType, expr.members[0]!);
-                receiver = this.transformRelationAccess(expr.members[0]!, firstMemberFieldDef.type, restContext);
+                receiver = this.transformRelationAccess(expr.members[0]!, firstMemberFieldDef.type, {
+                    ...restContext,
+                    modelOrType: context.thisType,
+                });
                 members = expr.members.slice(1);
                 // startType should be the type of the relation access
                 startType = firstMemberFieldDef.type;
@@ -756,7 +759,7 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
             currType = fieldDef.type;
         }
 
-        let currNode: SelectQueryNode | ColumnNode | ReferenceNode | undefined = undefined;
+        let currNode: SelectQueryNode | ColumnNode | ReferenceNode | FunctionNode | undefined = undefined;
 
         for (let i = members.length - 1; i >= 0; i--) {
             const member = members[i]!;
@@ -788,7 +791,9 @@ export class ExpressionTransformer<Schema extends SchemaDef> {
                 invariant(i === members.length - 1, 'plain field access must be the last segment');
                 invariant(!currNode, 'plain field access must be the last segment');
 
-                currNode = ColumnNode.create(member);
+                currNode = fieldDef.array && this.schema.provider.type === 'postgresql'
+                    ? FunctionNode.create('unnest', [ColumnNode.create(member)])
+                    : ColumnNode.create(member);
             }
         }
 

tests/e2e/orm/policy/auth-access.test.ts

@@ -475,4 +475,130 @@ model Channel {
             userDb2.channel.update({ where: { id: 1 }, data: { name: 'general-updated' } }),
         ).resolves.toBeTruthy();
     });
+
+    it('resolves this.relation.field against @@allow model in collection predicates (Fix #1)', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id Int @id @default(autoincrement())
+    level Int
+    permissions Permission[]
+    posts Post[]
+    @@auth
+}
+
+model Permission {
+    id Int @id @default(autoincrement())
+    user User @relation(fields: [userId], references: [id])
+    userId Int
+    clearance Int
+}
+
+model Post {
+    id Int @id @default(autoincrement())
+    author User @relation(fields: [authorId], references: [id])
+    authorId Int
+
+    @@allow('read', auth().permissions?[p, p.clearance >= this.author.level])
+}
+`,
+            { provider: 'postgresql' },
+        );
+
+        await db.$unuseAll().post.create({
+            data: { id: 1, author: { create: { id: 1, level: 5 } } },
+        });
+        await db.$unuseAll().post.create({
+            data: { id: 2, author: { create: { id: 2, level: 10 } } },
+        });
+
+        // no auth: no permissions → cannot read any post
+        await expect(db.post.findMany()).resolves.toHaveLength(0);
+
+        // clearance 5: can read author level ≤ 5 → only post 1 (author level 5)
+        const user1 = db.$setAuth({
+            id: 3,
+            permissions: [{ id: 1, clearance: 5 }],
+        });
+        const posts1 = await user1.post.findMany();
+        expect(posts1.map((p) => p.id).sort()).toEqual([1]);
+
+        // clearance 10: can read author level ≤ 10 → both posts
+        const user2 = db.$setAuth({
+            id: 4,
+            permissions: [{ id: 2, clearance: 10 }],
+        });
+        const posts2 = await user2.post.findMany();
+        expect(posts2.map((p) => p.id).sort()).toEqual([1, 2]);
+    });
+
+    it('handles this.relation.arrayField with in operator (Fix #2)', async () => {
+        const db = await createPolicyTestClient(
+            `
+model User {
+    id Int @id @default(autoincrement())
+    permissions Permission[]
+    @@auth
+}
+
+model Group {
+    id Int @id @default(autoincrement())
+    visibleDocIds Int[]
+    docs Doc[]
+}
+
+model Permission {
+    id Int @id @default(autoincrement())
+    user User @relation(fields: [userId], references: [id])
+    userId Int
+    allowedDocIds Int[]
+}
+
+model Doc {
+    id Int @id @default(autoincrement())
+    group Group @relation(fields: [groupId], references: [id])
+    groupId Int
+
+    @@allow('read',
+        auth().permissions?[p, this.id in p.allowedDocIds] ||
+        this.id in this.group.visibleDocIds
+    )
+}
+`,
+            { provider: 'postgresql' },
+        );
+
+        await db.$unuseAll().group.create({
+            data: { id: 1, visibleDocIds: [1] },
+        });
+        await db.$unuseAll().group.create({
+            data: { id: 2, visibleDocIds: [] },
+        });
+        await db.$unuseAll().user.create({
+            data: { id: 1 },
+        });
+        await db.$unuseAll().user.create({
+            data: { id: 2 },
+        });
+        await db.$unuseAll().permission.create({
+            data: { id: 10, userId: 2, allowedDocIds: [2] },
+        });
+        await db.$unuseAll().doc.createMany({
+            data: [
+                { id: 1, groupId: 1 },
+                { id: 2, groupId: 2 },
+            ],
+        });
+
+        // User 1 (no perms): doc 1 visible via group.visibleDocIds
+        const user1 = db.$setAuth({ id: 1, permissions: [] });
+        expect((await user1.doc.findMany()).map((d) => d.id).sort()).toEqual([1]);
+
+        // User 2 (perm allows doc 2): sees doc 1 (group-visible) + doc 2 (permission)
+        const user2 = db.$setAuth({
+            id: 2,
+            permissions: [{ id: 10, allowedDocIds: [2] }],
+        });
+        expect((await user2.doc.findMany()).map((d) => d.id).sort()).toEqual([1, 2]);
+    });
 });