zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.

MIT License

Downloads
204.1K
Stars
2.1K
Committers
32


zenstack - ZenStack Release v2.6.2

Published by ymc9 22 days ago

What's Changed

  • Upgraded Prisma peer dependency to allow 5.20.x
  • Fixed the issue that when zod plugin runs in "strip" mode, mutation payload can be accidentally truncated due to union ambiguity #1746

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.6.1...v2.6.2

zenstack - ZenStack Release v2.6.1

Published by ymc9 26 days ago

What's Changed

  • Fixed an issue that the policy filters/field-selections generated into polymorphic read are not always wrapped into correct relation layer #1734

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.6.0...v2.6.1

zenstack - ZenStack Release v2.6.0

Published by ymc9 26 days ago

Security Fixes

This release fixed an important security issue related to polymorphic models.

Background

In a polymorphic model hierarchy, both the base model and the concrete models that inherit from it can have access policies. When reading entities through the base model type, the corresponding concrete model fields are also fetched and returned. However, in previous releases the access policies defined directly on the concrete models were not enforced in this case, so concrete model fields were returned when they should have been excluded. The same applied to fields marked @omit on the concrete models.

The issue only happened when you read with a polymorphic base model (marked with @@delegate). When reading directly with a concrete model type, policies were correctly enforced.

This release fixed the issue. If a concrete model is not readable, its fields are not included, and only the base model's fields are returned. It's recommended that you upgrade ASAP if you're using the polymorphic models feature.
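The post-read assembly step described above, as an added example that is not ZenStack's code: rows read through the base model are merged with their concrete-model rows only when the concrete model's own read policy allows it, and @omit fields are dropped even then. The Asset/Video/Image models, the `canRead` predicate, the auth context and the sample rows are all constructed for the example.

```typescript
// Added illustration, not ZenStack's code: assembling the rows of a read issued through a
// polymorphic base model, enforcing the concrete model's own read policy and @omit fields.
type Row = Record<string, unknown>;

// Constructed auth context, standing in for what auth() resolves to.
interface AuthUser { id: number; role: string }

// Per-concrete-model metadata (constructed): a read predicate and the fields marked @omit.
interface ConcreteModelMeta {
  canRead: (user: AuthUser, row: Row) => boolean;
  omit: string[];
}

// `discriminator` is the base-model field that names the concrete model of each row;
// `concreteRows` holds the already-fetched concrete rows, keyed by model name and then id.
export function readPolymorphic(
  user: AuthUser,
  baseRows: Row[],
  discriminator: string,
  concreteRows: Record<string, Record<number, Row>>,
  meta: Record<string, ConcreteModelMeta>,
): Row[] {
  return baseRows.map((base) => {
    const modelName = String(base[discriminator]);
    const byId = concreteRows[modelName];
    const concrete = byId ? byId[base.id as number] : undefined;
    const policy = meta[modelName];
    // Concrete row missing, unknown model, or concrete read policy denies: base fields only.
    if (!concrete || !policy || !policy.canRead(user, concrete)) return { ...base };
    const merged: Row = { ...base };
    for (const field of Object.keys(concrete)) {
      if (policy.omit.indexOf(field) < 0) merged[field] = concrete[field]; // @omit fields never leave the server
    }
    return merged;
  });
}

// Constructed sample data: an Asset base model with Video and Image concrete models.
export const sampleBase: Row[] = [
  { id: 1, type: 'Video', name: 'launch.mp4' },
  { id: 2, type: 'Image', name: 'logo.png' },
];
export const sampleConcrete: Record<string, Record<number, Row>> = {
  Video: { 1: { id: 1, duration: 120, rawUrl: 's3://bucket/launch.mp4', public: false } },
  Image: { 2: { id: 2, width: 640 } },
};
export const sampleMeta: Record<string, ConcreteModelMeta> = {
  // Video: readable by admins, or by anyone when the video is public; rawUrl is @omit
  Video: { canRead: (u, row) => u.role === 'admin' || row.public === true, omit: ['rawUrl'] },
  Image: { canRead: () => true, omit: [] },
};
```

A viewer reading the two assets gets only the base fields of the private video but the full image; an admin gets the video's concrete fields except the omitted rawUrl. The point of the fix is that the decision is taken per concrete model, not only on the base model's policy.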

A big THANK YOU 🙏 to @svetch for reporting this issue!

New Features

  • Added a new option to the "@core/zod" plugin to specify whether the generated schemas should reject, strip, or pass through unrecognized fields #1696 Doc

    Example:

    plugin zod {
        provider = "@core/zod"
        mode = "strip"
    }
    

Fixes and Improvements

  • Fixed the issue that in certain cases concrete model fields are not returned in a polymorphic read #1698
  • Fixed a ZModel type checker issue where fields from an abstract base model could not be accessed via future(). or this. #1695 #1713
  • Fixed a Zod compilation issue when a @@delegate field has a default value #1693
  • Fixed the issue that using auth() in @default() is not effective for createMany and createManyAndReturn #1681
  • The TRPC plugin now generates procedures that better conform to PrismaClient's typing: APIs like findMany, count, etc. now have an optional parameter type #1707

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.5.1...v2.6.0

zenstack - ZenStack Release v2.5.1

Published by ymc9 about 1 month ago

Fixed an unintended change that resulted in a "backLink" field change in model metadata for abstract models. Although I haven't observed any adverse behavior related to it, it's good to upgrade if you're already on v2.5.0.

zenstack - ZenStack Release v2.5.0

Published by ymc9 about 1 month ago

New Features

  • TRPC v11 support (preview) docs
  • Prisma Pulse support (preview) docs
  • New zenstack check CLI command for checking ZModel file for errors docs
  • The zenstack generate CLI command now allows you to include/exclude specific plugins. You can use it to exclude plugins like tanstack-query hooks generation during CI docs
  • Updated Prisma peer dependencies to 5.19.x

Security Fixes

  • Fixed the issue that "connect" operation can circumvent "update" policy check for foreign key fields when the operation is initiated from a polymorphic model #1674

    Special thanks to @eqqe for reporting this issue! The background is: when you use the "connect" operator to establish relations between entities, you need to have "update" permission on the entity that gets a foreign key update due to the "connect". However, this permission was not properly checked if the update is initiated from a polymorphic model in previous releases.

Fixes and Improvements

  • The @@validate data validation attribute is added with a new "path" parameter to indicate the path of the field that caused the error. Thanks @j0rdanba1n for proposing and implementing this! docs
  • Fixed inconsistent filtering/stripping behavior for field-level policies between the findMany and count APIs #1644
  • Fixed the issue that polymorphic entities returned in a nested read don't contain fields from base #1645
  • Fixed the check() attribute function's compatibility with post-update policies #1642
  • Fixed post-update policy validation issue with deeply nested field access #1648
  • Replaced "decimal.js" dependency with the more lightweight "decimal.js-light" in @zenstackhq/runtime #1571
  • Fixed incorrect OpenAPI spec generated for the Meta section #1549
  • Fixed the code generation compilation errors when @core/enhance plugin is configured with a custom output directory #1667
  • Fixed @zenstackhq/runtime's compatibility issue with CloudFlare Workers. Please make sure you import enhance from @zenstackhq/runtime/edge when using edge runtime #1672.

New Contributors

  • Welcome @j0rdanba1n as our new contributor ❤️!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.4.1...v2.5.0

zenstack - ZenStack Release v2.4.1

Published by ymc9 2 months ago

Fixes and Improvements

  • Prisma 5.18.0 support

zenstack - ZenStack Release v2.4.0

Published by ymc9 2 months ago

Security Fixes

  • Added more reduction to the generated Prisma queries to workaround a Prisma bug (prisma/prisma#21856) that can potentially breach access control #1627

    The background is that ZenStack internally uses { AND: [] } to represent constant true and { OR: [] } to represent constant false. However, Prisma returns inconsistent query results for certain nesting combinations of these. The fix introduces more query reduction logic to avoid generating such combinations.

    It's recommended that you upgrade ASAP after thorough testing.
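The reduction idea above, as an added example that is not ZenStack's code: a reducer over Prisma-style where objects that treats { AND: [] } as constant true and { OR: [] } as constant false, short-circuits on a deciding constant, drops neutral ones, flattens nested same-operator nodes and collapses double negation, so that no nested constant combination reaches Prisma. The reduction rules are the usual boolean identities; which combinations Prisma actually mishandles is not modelled.

```typescript
// Added illustration, not ZenStack's code: reducing a Prisma-style where tree that uses
// { AND: [] } for constant true and { OR: [] } for constant false, so that no nested
// combination of these constants is handed to Prisma.
type Where = Record<string, unknown>;

const TRUE: Where = { AND: [] };
const FALSE: Where = { OR: [] };

function isEmptyLogical(w: Where, op: 'AND' | 'OR'): boolean {
  const keys = Object.keys(w);
  return keys.length === 1 && keys[0] === op && Array.isArray(w[op]) && (w[op] as unknown[]).length === 0;
}
// {} is an unrestricted filter in Prisma, so it is treated like { AND: [] }.
const isTrue = (w: Where): boolean => Object.keys(w).length === 0 || isEmptyLogical(w, 'AND');
const isFalse = (w: Where): boolean => isEmptyLogical(w, 'OR');

function asList(v: unknown): Where[] {
  return (Array.isArray(v) ? v : [v]) as Where[];
}

// Combine already-reduced operands: a deciding constant short-circuits, a neutral constant is
// dropped, nested same-operator nodes are flattened, and a single survivor replaces the node.
function combine(op: 'AND' | 'OR', items: Where[]): Where {
  const decides = op === 'AND' ? isFalse : isTrue;
  const neutral = op === 'AND' ? isTrue : isFalse;
  const kept: Where[] = [];
  for (const item of items) {
    if (decides(item)) return op === 'AND' ? FALSE : TRUE;
    if (neutral(item)) continue;
    const keys = Object.keys(item);
    if (keys.length === 1 && keys[0] === op) kept.push(...asList(item[op]));
    else kept.push(item);
  }
  if (kept.length === 0) return op === 'AND' ? TRUE : FALSE;
  return kept.length === 1 ? kept[0] : { [op]: kept };
}

function negate(inner: Where): Where {
  if (isTrue(inner)) return FALSE;
  if (isFalse(inner)) return TRUE;
  const keys = Object.keys(inner);
  if (keys.length === 1 && keys[0] === 'NOT' && !Array.isArray(inner.NOT)) return inner.NOT as Where; // NOT NOT x
  return { NOT: inner };
}

// Reduce a where tree. Field conditions (including relation filters) are kept as-is;
// an object with several keys is an implicit AND of its entries.
export function reduceWhere(where: Where): Where {
  const fields: Where = {};
  const parts: Where[] = [];
  for (const key of Object.keys(where)) {
    const value = where[key];
    if (key === 'AND' || key === 'OR') {
      parts.push(combine(key, asList(value).map(reduceWhere)));
    } else if (key === 'NOT') {
      // only the single-object form of NOT is simplified; the array form is reduced element-wise
      parts.push(Array.isArray(value) ? { NOT: asList(value).map(reduceWhere) } : negate(reduceWhere(value as Where)));
    } else {
      fields[key] = value;
    }
  }
  if (Object.keys(fields).length > 0) parts.unshift(fields);
  return combine('AND', parts);
}
```

The reducer does not descend into relation filters such as { posts: { some: ... } }; a production version would recurse into those with the same rules. A constant false that survives anywhere in a filter is the case to watch, since it is exactly the shape that must reliably yield no rows.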

Fixes and Improvements

  • RedwoodJS package "@zenstackhq/redwood" now supports Redwood V7 #1553. Special thanks to @ladderschool for identifying the related breaking changes!
  • REST-flavor API: support comma-separated multiple filter values #1573
  • Fixed false-positive validation errors when using polymorphic models with tRPC #1608
  • Fixed Zod schema compilation errors when outputting to a custom directory #1610
  • Fixed "@zenstackhq/swr" plugin build issues which can cause typescript typing errors with certain tsconfig settings
  • Consistently throw Prisma error types #1596
  • Removed createMany from input arg's typing for delegate models to avoid confusion #1577
  • Fixed an excessively strict Zod schema causing rejection during update #1563
  • Fixed the issue that explicitly providing a "@core/enhancer" plugin in ZModel causes data validation to be muted #1562
  • Fixed Prisma schema generation errors when @map is used on a foreign key field #1551
  • Fixed Prisma schema generation errors when very long model names are used

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.3...v2.4.0

Thanks to @irvinzz for helping with this release!

zenstack - ZenStack Release v2.3.3

Published by ymc9 3 months ago

What's Changed

  • Update Prisma dependencies to 5.17.x

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.2...v2.3.3

zenstack - ZenStack Release v2.3.2

Published by ymc9 3 months ago

What's Changed

  • Update superjson dependency

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.1...v2.3.2

zenstack - ZenStack Release v2.3.1

Published by ymc9 3 months ago

What's Changed

  • Fixed incorrect prisma query executed when count uses a where filter involving a polymorphic base field #1585
  • Fixed over-strict typing generated for auth() access #1589
  • Fixed compatibility issue between createManyAndReturn and polymorphism #1576
  • Fixed the issue that field-level override rules don't work with non-optional to-one relations #1574

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.0...v2.3.1

zenstack - ZenStack Release v2.3.0

Published by ymc9 3 months ago

New Features

  • The new check() policy function that allows you to delegate a model's permission checking to its relations. #276

    model Todo {
        ...
        list List @relation(fields: [listId], references: [id])
    
        // if the parent list is readable, grant full access to this Todo entity
        @@allow('all', check(list, 'read'))
    }
    

    You can use this feature to remove duplicated policy rules and keep the schema DRY. See a full guide here.

  • Prisma 5.16.x is now supported. The new Prisma version introduced a typing breaking change. An adaptation is added in this version of ZenStack.


Fixes and Improvements

  • Runtime error with disconnecting a self-relation #1530
  • Incorrect query result when using Prisma.DbNull to filter JSON fields #1533
  • Fixed the issue that using @length on a @password field checks the length of hash password rather than the original value #1502
  • Typing conflict with Prisma client extension (with polymorphism or auth() in @default() is used) #1493
  • IDE formatting issue when Unsupported type is used #1517
  • Runtime error when creating a polymorphic model that inherits from an abstract model #1560
  • Set timeout for checking newer versions when running CLI to avoid hangs under unstable network #1529
  • Typing issue in generated hooks for vue-query #1564
  • Excluded create and upsert for delegate models from generated hooks and trpc routers, as they cannot be directly created.
  • When generating @relation for delegate models, the user-provided relation name is now used if it exists #1575 by @irvinzz
  • SWR is now added as a peer dependency of @zenstackhq/swr plugin.
  • The ZenStack monorepo has enabled corepack to enforce a consistent version of pnpm.

New Contributors

Thanks to @jasonmacdonald @benjamintd @irvinzz @mentorkadriu for contributing to this release! ❤️

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.4...v2.3.0

zenstack - ZenStack Release v2.2.4

Published by ymc9 4 months ago

What's Changed

This release contains several fixes related to polymorphic models.

  • When a concrete model is created with an explicit id field, make sure the field is pushed down to the base model's payload #1518
  • Make sure a concrete model's fields are included when it's included from a deeply nested context #1522
  • Convert polymorphic model's createMany payload into regular create #1520

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.3...v2.2.4

zenstack - ZenStack Release v2.2.3

Published by ymc9 4 months ago

What's Changed

  • Fixed an incorrect validation error when checking for cross-model field comparisons.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.2...v2.2.3

zenstack - ZenStack Release v2.2.2

Published by ymc9 4 months ago

What's Changed

  • Fixed incorrect identification of cross-model field comparison that hindered performance #1506 #1507.
  • Improved validation of cross-model field comparison.
  • Fixed the regression that when a field-level policy has no @allow rule, the access is always denied #1501

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.1...v2.2.2

zenstack - ZenStack Release v2.2.1

Published by ymc9 4 months ago

What's Changed

  • Fixed a typing issue with TanStack vue-query infinite queries.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.0...v2.2.1

zenstack - ZenStack Release v2.2.0

Published by ymc9 4 months ago

New Features

1. Comparing fields from different models in mutation policies #1463

Previous versions of ZenStack had an unintuitive limitation: you couldn't compare fields from different models in policy rules. E.g., the following snippet was not valid:

model Post {
  ...
  org Organization @relation(...)
  orgId Int
  author User @relation(...)
  authorId Int

  @@allow('update', orgId == author.orgId) // orgId and author.orgId are from different models
}

This release partly resolved the limitation by supporting such comparisons in mutation rules ("create," "update," and "delete").

Cross-model field comparison is not natively supported by Prisma, so ZenStack has to read the data out of the database and check the rules in the JS runtime. When ZenStack identifies a policy rule that involves such a comparison, the entire rule will be evaluated "post-read". Although it's usually not a big deal for mutation operations, you should be aware of the performance impact. For best performance, put expressions involving cross-model comparison into separate policy rules (so that other rules are still evaluated during database queries).

Cross-model field comparison is still not supported in "read" rules for two reasons:

  1. It can easily result in reading an unbounded number of rows, then filtering and discarding most of them.
  2. It should be noted that "read" rules cover not only find but also aggregations. If we can't do a filtered aggregation on the database side, we'll have to reimplement it in the ZenStack library.

Please provide feedback in our discord if it's important for you.
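The split between database-side and "post-read" evaluation described above, as an added example that is not ZenStack's code: a small planner that classifies each policy constraint, turns the database-evaluable ones into Prisma-style filters, keeps any rule containing a cross-model comparison whole for JS evaluation, and works out which relations the read must include for that evaluation. The expression shapes, the `planConstraints`/`filterPostRead` functions and the sample rows are constructed; how ZenStack combines allow and deny rules into constraints is not modelled.

```typescript
// Added illustration, not ZenStack's code: splitting mutation policy constraints into the part
// that can run as a database filter and the part that must be evaluated in JS after the rows
// (with the relations they reference) have been read. Expression shapes are constructed here.
type Row = Record<string, unknown>;
type Where = Record<string, unknown>;
type Literal = string | number | boolean | null;
type Operand = { field: string } | { value: Literal }; // "author.orgId" walks the author relation
type Expr =
  | { cmp: '==' | '!='; left: Operand; right: Operand }
  | { and: Expr[] }
  | { or: Expr[] };

function crossesRelation(o: Operand): boolean {
  return 'field' in o && o.field.indexOf('.') >= 0;
}

// A rule needs post-read evaluation if any comparison inside it crosses a relation
// (cross-model) or compares two fields; neither is expressed as a plain Prisma filter here.
function needsPostRead(e: Expr): boolean {
  if ('and' in e) return e.and.some(needsPostRead);
  if ('or' in e) return e.or.some(needsPostRead);
  return crossesRelation(e.left) || crossesRelation(e.right) || ('field' in e.left && 'field' in e.right);
}

// Translate a database-evaluable expression into a Prisma-style filter.
function toWhere(e: Expr): Where {
  if ('and' in e) return { AND: e.and.map(toWhere) };
  if ('or' in e) return { OR: e.or.map(toWhere) };
  const fieldSide = 'field' in e.left ? e.left : e.right;
  const valueSide = 'field' in e.left ? e.right : e.left;
  if (!('field' in fieldSide) || !('value' in valueSide)) throw new Error('not a field-vs-value comparison');
  return e.cmp === '==' ? { [fieldSide.field]: valueSide.value } : { [fieldSide.field]: { not: valueSide.value } };
}

function unique(items: string[]): string[] {
  const out: string[] = [];
  for (const it of items) if (out.indexOf(it) < 0) out.push(it);
  return out;
}

// Relations that must be included in the read so the post-read rules can see them.
function requiredIncludes(e: Expr): string[] {
  if ('and' in e || 'or' in e) {
    const acc: string[] = [];
    for (const item of 'and' in e ? e.and : e.or) acc.push(...requiredIncludes(item));
    return unique(acc);
  }
  const rels: string[] = [];
  for (const o of [e.left, e.right]) {
    if (crossesRelation(o) && 'field' in o) rels.push(o.field.slice(0, o.field.indexOf('.')));
  }
  return unique(rels);
}

function resolve(row: Row, path: string): unknown {
  let cur: unknown = row;
  for (const seg of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Row)[seg];
  }
  return cur;
}

export function evaluate(row: Row, e: Expr): boolean {
  if ('and' in e) return e.and.every((x) => evaluate(row, x));
  if ('or' in e) return e.or.some((x) => evaluate(row, x));
  const l = 'field' in e.left ? resolve(row, e.left.field) : e.left.value;
  const r = 'field' in e.right ? resolve(row, e.right.field) : e.right.value;
  return e.cmp === '==' ? l === r : l !== r;
}

export interface Plan { where: Where[]; postRead: Expr[]; include: string[] }

// `constraints` are conditions that must all hold for the mutation to proceed.
export function planConstraints(constraints: Expr[]): Plan {
  const plan: Plan = { where: [], postRead: [], include: [] };
  for (const rule of constraints) {
    if (needsPostRead(rule)) {
      plan.postRead.push(rule);                       // whole rule goes post-read
      plan.include = unique(plan.include.concat(requiredIncludes(rule)));
    } else {
      plan.where.push(toWhere(rule));                 // stays in the database query
    }
  }
  return plan;
}

// Apply the post-read rules to rows fetched with `plan.include` relations loaded.
export function filterPostRead(rows: Row[], plan: Plan): Row[] {
  return rows.filter((row) => plan.postRead.every((rule) => evaluate(row, rule)));
}

// Constructed rules from the Post example: orgId == author.orgId (cross-model) and published == true.
export const crossRule: Expr = { cmp: '==', left: { field: 'orgId' }, right: { field: 'author.orgId' } };
export const localRule: Expr = { cmp: '==', left: { field: 'published' }, right: { value: true } };
```

Planning the two constraints separately keeps `published == true` in the database query and only the cross-model rule post-read; folding both into one AND expression makes the whole rule post-read, which is the performance effect the note above warns about.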

2. Added support for Prisma 5.14's new createManyAndReturn API #1461

The returned results are properly filtered by access policies.

3. Relation filtering now respects field-level policies #1454

Background: ZenStack's "read" policy rules control not only what data you can retrieve but also how filters work. For example, in the following schema and query:

model Post {
  ...
  deleted Boolean
  @@allow('read', !deleted)
}
db.user.findMany({ where: { posts: { some: { published: true } } } });

Post model's read rules will be injected into the where clause, like:

db.user.findMany({
  where: {
    posts: {
      some: {
        published: true,  // user-provided filter
        deleted: false    // ZenStack injected filter
      }
    }
  }
});

In previous versions of ZenStack, such filter injection only respected model-level policies but not field-level ones. This release fixes this missing part. For fields involved in filters, if they have field-level "read" rules, those rules will also be combined into the final filter. The consequence is that, for the above example, if the published field is not readable, the findMany will return an empty array.

The injection also respects "override" field-level rules, meaning that even if the Post model is not readable, but you have a field-level "read" rule for the published field that overrides the model-level policy, the published field can be used in the filter.
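The injection described above, as an added example that is not ZenStack's code: policy rules are modelled as ready-made filter objects, the model-level rule of the target model is AND-ed into each relation filter, the field-level rule of every field the filter touches is AND-ed in as well, and a field rule marked override lets that field be filtered on even when the model-level rule is { OR: [] } (never readable). The `ModelPolicy`/`Schema` shapes, `makeSchema` and the User/Post schema are constructed; real ZenStack rules compile from ZModel expressions rather than being written as filters.

```typescript
// Added illustration, not ZenStack's code: injecting "read" policy rules into a Prisma-style
// where clause, including field-level rules for the fields a filter touches and the
// "override" semantics described above. Rules are modelled as ready-made filter objects.
type Where = Record<string, unknown>;
const TRUE: Where = { AND: [] };

interface FieldRule { rule: Where; override?: boolean } // field-level "read" rule as a filter
interface ModelPolicy {
  read: Where;                          // model-level "read" rule as a filter; { OR: [] } = never readable
  fields?: Record<string, FieldRule>;   // field-level "read" rules
  relations?: Record<string, string>;   // relation field -> target model (constructed schema metadata)
}
type Schema = Record<string, ModelPolicy>;

const LOGICAL = ['AND', 'OR', 'NOT'];
const RELATION_OPS = ['some', 'every', 'none', 'is', 'isNot'];

// {} and { AND: [] } both mean "no restriction"
function isTrue(w: Where): boolean {
  const keys = Object.keys(w);
  return keys.length === 0 || (keys.length === 1 && keys[0] === 'AND' && Array.isArray(w.AND) && (w.AND as unknown[]).length === 0);
}

function and(parts: Where[]): Where {
  const kept = parts.filter((p) => !isTrue(p));
  if (kept.length === 0) return TRUE;
  return kept.length === 1 ? kept[0] : { AND: kept };
}

export function injectReadPolicy(schema: Schema, model: string, where: Where): Where {
  const policy = schema[model];
  if (!policy) throw new Error(`unknown model ${model}`);
  const relations: Record<string, string> = policy.relations || {};
  const rewritten: Where = {};
  const scalarFields: string[] = [];

  for (const key of Object.keys(where)) {
    const value = where[key];
    if (LOGICAL.indexOf(key) >= 0) {
      // logical combinators: recurse with the same model
      const items = (Array.isArray(value) ? value : [value]) as Where[];
      rewritten[key] = items.map((v) => injectReadPolicy(schema, model, v));
    } else if (key in relations) {
      // relation filter: recurse into some/every/none/is/isNot with the target model's policy
      const target = relations[key];
      const relFilter = value as Where;
      const out: Where = {};
      for (const op of Object.keys(relFilter)) {
        const sub = relFilter[op];
        out[op] = RELATION_OPS.indexOf(op) >= 0 ? injectReadPolicy(schema, target, sub as Where) : sub;
      }
      rewritten[key] = out;
    } else {
      rewritten[key] = value;
      scalarFields.push(key);
    }
  }

  // Guards: the model-level rule, unless every filtered field has an overriding field rule,
  // plus the field-level rule of each filtered field.
  const guards: Where[] = [];
  let needModelRule = scalarFields.length === 0;
  for (const field of scalarFields) {
    const fieldRule = policy.fields ? policy.fields[field] : undefined;
    if (fieldRule) guards.push(fieldRule.rule);
    if (!fieldRule || !fieldRule.override) needModelRule = true;
  }
  if (needModelRule) guards.unshift(policy.read);
  return and([rewritten].concat(guards));
}

// Constructed schema: User has many Posts; Post's read rule and optional field rule are parameters.
export function makeSchema(postRead: Where, published?: FieldRule): Schema {
  return {
    User: { read: TRUE, relations: { posts: 'Post' } },
    Post: { read: postRead, fields: published ? { published } : {} },
  };
}
```

With a never-readable field rule ({ OR: [] }) the injected filter contains an always-false clause, which Prisma evaluates to no rows, matching the empty-array outcome described above; with an overriding field rule the model-level rule is left out for that field, so the filter still works even when Post itself is not readable.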

Fixes and Improvements

  • Fixed Windows build issues and improved contribution documentation by @WimTibackx
  • Fixed default value handling for BigInt type in Zod schemas by @aloisklink
  • Upgraded Prisma peer dependency to <= 5.15.x
  • Fixed typing issues in TanStack Query's infinite query hooks #1472
  • Fixed typing issues in TanStack Query hooks generated for Svelte #1488
  • Fixed overlong identifier names generated in Prisma schemas generated for polymorphic models #1466
  • Fixed incorrect validation errors for polymorphic models inherited from an abstract base model #1474
  • Fixed Decimal/Date object corruption when used with polymorphic models #1487
  • Fixed runtime error when using polymorphic models with optional relation fields #1483


New Contributors

Welcome @WimTibackx and @aloisklink as our new contributors!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.2...v2.2.0

zenstack - ZenStack Release v2.1.2

Published by ymc9 5 months ago

What's Changed

  • Allow using type names (Int, String, DateTime, etc.) as enum field names in ZModel #1399 by @francistogram

New Contributors

Welcome @francistogram as our new contributor!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.1...v2.1.2

zenstack - ZenStack Release v2.1.1

Published by ymc9 5 months ago

What's Changed

  • Fixed an infinite recursion while evaluating field-level policies #1451

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.0...v2.1.1

zenstack - ZenStack Release v2.1.0

Published by ymc9 5 months ago

New Features

  • Permission Checker #242

    A check API is extended to each model in the enhanced PrismaClient for checking permissions without querying the database. See more details here.

  • auth() is resolved from all loaded schema files #1388

    In the previous release, to use auth() in a ZModel file, you'll need to import the schema file that contains the User model definition (or the model definition marked with @@auth). This release relaxed that requirement: auth() is now resolvable as long as the schema file containing the auth model is reachable through any import. You don't have to explicitly import it from every model now.

  • TanStack-Query and SWR plugins now generate createMany hooks for SQLite when Prisma >= 5.12

  • TRPC plugin now generates createMany procedure for SQLite when Prisma >= 5.12

Fixes and Improvements

  • Fixed several code generation errors for delegate models #1415 #1416
  • Fixed the problem that filters using fields from delegate base models don't work properly when nested inside a logical group #1410
  • ZModel type names (e.g., DateTime) can now be used as field names #1424
  • Fixed the typing inconsistency for Zod schemas generated for fields using auth() in @default() #1378
  • TRPC code gen improvements: make sure type-only imports are only type-imported #1405
  • Fixed the problem that relation fields are included even if select is set to false #1427
  • Fixed incorrect validation error when @@unique attribute is defined in a base model #1430
  • Fixed compatibility with Prisma 5.13's omit feature
  • Fixed query issue with using enums inside access policies #1435
  • The generated TRPC code is now more robust with importing Zod schemas #1406

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.0.3...v2.1.0

zenstack - ZenStack Release v2.0.3

Published by ymc9 6 months ago

What's Changed

  • Allow empty constructor for the dbgenerated() attribute function by @clementoriol #1400
  • Fixed the issue that auth() inside @default() is not effective for upsert operations by @israelins85 #1404

New Contributors

Welcome @clementoriol and @israelins85 as our new contributors!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.0.2...v2.0.3
