palixir · coratgerl · Dec 7, 2025 · Dec 7, 2025
diff --git a/packages/wabe/src/database/DatabaseController.test.ts b/packages/wabe/src/database/DatabaseController.test.ts
@@ -489,7 +489,7 @@ describe('DatabaseController', () => {
 			select: { id: true },
 		})
 
-		expect(mockInitializeHook).toHaveBeenCalledTimes(1)
+		expect(mockInitializeHook).toHaveBeenCalledTimes(2)
 		expect(mockInitializeHook).toHaveBeenCalledWith({
 			className: 'TestClass',
 			context: {
@@ -501,7 +501,7 @@ describe('DatabaseController', () => {
 			select: { id: true },
 		})
 
-		expect(mockRunOnSingleObject).toHaveBeenCalledTimes(2)
+		expect(mockRunOnSingleObject).toHaveBeenCalledTimes(4)
 		expect(mockRunOnSingleObject).toHaveBeenNthCalledWith(1, {
 			operationType: hooks.OperationType.BeforeCreate,
 		})
@@ -528,7 +528,7 @@ describe('DatabaseController', () => {
 			select: { id: true },
 		})
 
-		expect(mockInitializeHook).toHaveBeenCalledTimes(1)
+		expect(mockInitializeHook).toHaveBeenCalledTimes(2)
 		expect(mockInitializeHook).toHaveBeenCalledWith({
 			className: 'TestClass',
 			context: {
@@ -540,7 +540,7 @@ describe('DatabaseController', () => {
 			select: { id: true },
 		})
 
-		expect(mockRunOnMultipleObject).toHaveBeenCalledTimes(2)
+		expect(mockRunOnMultipleObject).toHaveBeenCalledTimes(4)
 		expect(mockRunOnMultipleObject).toHaveBeenNthCalledWith(1, {
 			operationType: hooks.OperationType.BeforeCreate,
 		})

diff --git a/packages/wabe/src/database/DatabaseController.ts b/packages/wabe/src/database/DatabaseController.ts
@@ -259,14 +259,19 @@ export class DatabaseController<T extends WabeTypes> {
 												{
 													acl: {
 														users: {
-															notContains: { userId },
+															notContains: {
+																userId,
+															},
 														},
 													},
 												},
 												{
 													acl: {
 														roles: {
-															contains: { roleId, [operation]: true },
+															contains: {
+																roleId,
+																[operation]: true,
+															},
 														},
 													},
 												},
@@ -399,6 +404,12 @@ export class DatabaseController<T extends WabeTypes> {
 		context,
 		where,
 	}: CountOptions<T, K>): Promise<number> {
+		const whereWithACLCondition = this._buildWhereWithACL(
+			where || {},
+			context,
+			'read',
+		)
+
 		const hook = initializeHook({
 			className,
 			context,
@@ -409,7 +420,11 @@ export class DatabaseController<T extends WabeTypes> {
 			operationType: OperationType.BeforeRead,
 		})
 
-		const count = await this.adapter.count({ className, context, where })
+		const count = await this.adapter.count({
+			className,
+			context,
+			where: whereWithACLCondition,
+		})
 
 		await hook?.runOnSingleObject({
 			operationType: OperationType.AfterRead,
@@ -614,7 +629,7 @@ export class DatabaseController<T extends WabeTypes> {
 			operationType: OperationType.BeforeCreate,
 		})
 
-		const { id } = await this.adapter.createObject({
+		const res = await this.adapter.createObject({
 			className,
 			context,
 			select,
@@ -623,18 +638,20 @@ export class DatabaseController<T extends WabeTypes> {
 
 		await hook.runOnSingleObject({
 			operationType: OperationType.AfterCreate,
-			id,
+			id: res.id,
 		})
 
 		if (select && Object.keys(select).length === 0) return null
 
 		return this.getObject({
 			className,
-			context: contextWithRoot(context),
+			context: {
+				...context,
+				// @ts-expect-error
+				user: className === 'User' ? res : context.user,
+			},
 			select,
-			id,
-			// Because if you create an object, exceptionnaly you can read it after creation
-			_skipHooks: true,
+			id: res.id,
 		})
 	}
 
@@ -704,12 +721,14 @@ export class DatabaseController<T extends WabeTypes> {
 
 		return this.getObjects({
 			className,
-			context,
+			context: {
+				...context,
+				// @ts-expect-error
+				user: className === 'User' ? data[0] : context.user,
+			},
 			select,
 			// @ts-expect-error
 			where: { id: { in: ids } },
-			// Because if you create an object, exceptionnaly you can read it after creation
-			_skipHooks: true,
 			first,
 			offset,
 			order,

diff --git a/packages/wabe/src/database/index.test.ts b/packages/wabe/src/database/index.test.ts
@@ -14,8 +14,6 @@ import {
 	type DevWabeTypes,
 	getAdminUserClient,
 	getGraphqlClient,
-	createUserAndUpdateRole,
-	getAnonymousClient,
 } from '../utils/helper'
 import { setupTests, closeTests } from '../utils/testHelper'
 import type { WabeContext } from '../server/interface'
@@ -136,31 +134,6 @@ describe('Database', () => {
 		spyGetObjects.mockClear()
 	})
 
-	it("should return created objects with createObjects event if the user doesn't have access to read the object", async () => {
-		const rootClient = getGraphqlClient(wabe.config.port)
-
-		const { userClient } = await createUserAndUpdateRole({
-			anonymousClient: getAnonymousClient(wabe.config.port),
-			port: wabe.config.port,
-			roleName: 'Client',
-			rootClient,
-		})
-
-		const res = await userClient.request<any>(gql`
-      mutation createTests{
-        createTests(input: {fields: [{name: "test"}]}){
-            edges {
-                node {
-                    id
-                }
-            }
-        }
-      }
-    `)
-
-		expect(res.createTests.edges.length).toEqual(1)
-	})
-
 	it('should return id of a relation if set to true in select on getObject', async () => {
 		const rootClient = getGraphqlClient(wabe.config.port)
 

diff --git a/packages/wabe/src/file/index.test.ts b/packages/wabe/src/file/index.test.ts
@@ -197,7 +197,6 @@ describe('File upload', () => {
 
 		formData.append('0', new File(['a'], 'a.text', { type: 'text/plain' }))
 
-		console.log('before fetch')
 		const res = await fetch(`http://127.0.0.1:${port}/graphql`, {
 			method: 'POST',
 			body: formData,

diff --git a/packages/wabe/src/graphql/resolvers.ts b/packages/wabe/src/graphql/resolvers.ts
@@ -14,10 +14,13 @@ import {
 export const extractFieldsFromSetNode = (
 	selectionSet: SelectionSetNode,
 	className: string,
+	options?: { ignoreClassField?: boolean },
 ): Record<string, any> => {
 	const ignoredFields = ['edges', 'node', 'clientMutationId', 'ok']
+	const shouldIgnoreClassField = options?.ignoreClassField ?? true
 
-	if (className) ignoredFields.push(firstLetterInLowerCase(className))
+	if (shouldIgnoreClassField && className)
+		ignoredFields.push(firstLetterInLowerCase(className))
 
 	return selectionSet.selections?.reduce(
 		(acc, selection) => {
@@ -34,7 +37,9 @@ export const extractFieldsFromSetNode = (
 					//@ts-expect-error
 					selection.selectionSet,
 					className,
+					{ ignoreClassField: false },
 				)
+
 				if (ignoredFields.indexOf(currentValue) === -1)
 					return {
 						...acc,

diff --git a/packages/wabe/src/hooks/setupAcl.test.ts b/packages/wabe/src/hooks/setupAcl.test.ts
@@ -248,6 +248,36 @@ describe('setupAcl', () => {
 							write: true,
 						})
 
+						await hookObject.addACL('roles', {
+							// @ts-expect-error
+							role: 'Client',
+							read: true,
+							write: true,
+						})
+					},
+				},
+			},
+			{
+				name: 'SetupACL8',
+				fields: {
+					test: {
+						type: 'String',
+					},
+				},
+				permissions: {
+					create: {
+						requireAuthentication: false,
+					},
+					read: {
+						requireAuthentication: false,
+					},
+					acl: async (hookObject) => {
+						await hookObject.addACL('users', {
+							userId: hookObject.context.user?.id || '',
+							read: true,
+							write: true,
+						})
+
 						await hookObject.addACL('roles', {
 							// @ts-expect-error
 							role: 'Client',
@@ -319,9 +349,9 @@ describe('setupAcl', () => {
 		})
 
 		const res = await userClient.request<any>(gql`
-        mutation createSetupACL {
-          createSetupACL(input: {fields: {test: "test"}}) {
-            setupACL {
+        mutation createSetupACL8 {
+          createSetupACL8(input: {fields: {test: "test"}}) {
+            setupACL8 {
               id
               acl {
                 users {
@@ -341,30 +371,23 @@ describe('setupAcl', () => {
     `)
 
 		// User
-		expect(res.createSetupACL.setupACL.acl.users[0].userId).toEqual(userId)
-		expect(res.createSetupACL.setupACL.acl.users[0].read).toEqual(true)
-		expect(res.createSetupACL.setupACL.acl.users[0].write).toEqual(true)
+		expect(res.createSetupACL8.setupACL8.acl.users[0].userId).toEqual(userId)
+		expect(res.createSetupACL8.setupACL8.acl.users[0].read).toEqual(true)
+		expect(res.createSetupACL8.setupACL8.acl.users[0].write).toEqual(true)
 
 		// Role
 		expect(
 			await getRoleNameFromId(
-				res.createSetupACL.setupACL.acl.roles[0].roleId,
+				res.createSetupACL8.setupACL8.acl.roles[0].roleId,
 				rootClient,
 			),
 		).toEqual('Client')
-		expect(res.createSetupACL.setupACL.acl.roles[0].read).toEqual(true)
-		expect(res.createSetupACL.setupACL.acl.roles[0].write).toEqual(true)
+		expect(res.createSetupACL8.setupACL8.acl.roles[0].read).toEqual(true)
+		expect(res.createSetupACL8.setupACL8.acl.roles[0].write).toEqual(true)
 	})
 
 	it('should not update acl object if the acl function is not present in permissions in the class', async () => {
-		const { userClient } = await createUserAndUpdateRole({
-			anonymousClient,
-			port,
-			roleName: 'Client',
-			rootClient,
-		})
-
-		const res = await userClient.request<any>(gql`
+		const res = await rootClient.request<any>(gql`
         mutation createSetupACL2 {
           createSetupACL2(input: {fields: {test: "test"}}) {
             setupACL2 {
@@ -390,14 +413,7 @@ describe('setupAcl', () => {
 	})
 
 	it('should set read and write to false if the null value is provided for users and roles', async () => {
-		const { userClient } = await createUserAndUpdateRole({
-			anonymousClient,
-			port,
-			roleName: 'Client',
-			rootClient,
-		})
-
-		await userClient.request<any>(gql`
+		await rootClient.request<any>(gql`
         mutation createSetupACL3 {
           createSetupACL3(input: {fields: {test: "test"}}) {
             setupACL3 {
@@ -439,14 +455,7 @@ describe('setupAcl', () => {
 	})
 
 	it('should call acl function if provided', async () => {
-		const { userClient } = await createUserAndUpdateRole({
-			anonymousClient,
-			port,
-			roleName: 'Client',
-			rootClient,
-		})
-
-		await userClient.request<any>(gql`
+		await rootClient.request<any>(gql`
         mutation createSetupACL4 {
           createSetupACL4(input: {fields: {test: "test"}}) {
             setupACL4 {
@@ -460,14 +469,7 @@ describe('setupAcl', () => {
 	})
 
 	it('should get different role id for read and write if roles are different', async () => {
-		const { userClient } = await createUserAndUpdateRole({
-			anonymousClient,
-			port,
-			roleName: 'Client',
-			rootClient,
-		})
-
-		const res = await userClient.request<any>(gql`
+		const res = await rootClient.request<any>(gql`
         mutation createSetupACL5 {
           createSetupACL5(input: {fields: {test: "test"}}) {
             setupACL5 {