Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
MIT License
Published by ymc9 22 days ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.6.1...v2.6.2
Published by ymc9 26 days ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.6.0...v2.6.1
Published by ymc9 26 days ago
This release fixed an important security issue related to polymorphic models.
In a polymorphic model hierarchy, both the base model and the concrete models inherited from it can have access policies. When reading entities with a base model type, the corresponding concrete model fields are also fetched and returned. However, in this case, the access policies defined directly on the concrete models were not properly enforced in the previous releases, resulting in concrete model fields being returned when they should have been excluded. This also happens to fields marked @omit on the concrete models.
The issue only happened when you read with a polymorphic base model (marked with @@delegate). When reading directly with a concrete model type, policies were correctly enforced.
This release fixed the issue. If a concrete model is not readable, its fields are not included, and only the base model's fields are returned. It's recommended that you upgrade ASAP if you're using the polymorphic models feature.
A big THANK YOU 🙏 to @svetch for reporting this issue!
Added a new option to the "@core/zod" plugin to specify whether the generated schemas should reject, strip, or pass through unrecognized fields #1696 Doc
Example:
plugin zod {
provider = "@core/zod"
mode = "strip"
}
future().
or this.
#1695
#1713
@@delegate field has a default value #1693
auth() in @default() is not effective for createMany and createManyAndReturn #1681
findMany, count, etc. now has optional parameter type #1707
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.5.1...v2.6.0
Published by ymc9 about 1 month ago
Fixed an unintended change that resulted in a "backLink" field change in model metadata for abstract models. Although I haven't observed any adverse behavior related to it, it's good to upgrade if you're already on v2.5.0.
Published by ymc9 about 1 month ago
zenstack check CLI command for checking ZModel file for errors docs
zenstack generate CLI command now allows you to include/exclude specific plugins. You can use it to exclude plugins like tanstack-query hooks generation during CI docs
Fixed the issue that "connect" operation can circumvent "update" policy check for foreign key fields when the operation is initiated from a polymorphic model #1674
Special thanks to @eqqe for reporting this issue! The background is: when you use the "connect" operator to establish relations between entities, you need to have "update" permission on the entity that gets a foreign key update due to the "connect". However, this permission was not properly checked if the update is initiated from a polymorphic model in previous releases.
@@validate data validation attribute is added with a new "path" parameter to indicate the path of the field that caused the error. Thanks @j0rdanba1n for proposing and implementing this! docs
findMany and count APIs #1644
check() attribute function's compatibility with post-update policies #1642
@zenstackhq/runtime #1571
Meta section #1549
@core/enhance plugin is configured with a custom output directory #1667
@zenstackhq/runtime's compatibility issue with CloudFlare Workers. Please make sure you import enhance from @zenstackhq/runtime/edge when using edge runtime #1672.
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.4.1...v2.5.0
Published by ymc9 2 months ago
Added more reduction to the generated Prisma queries to work around a Prisma bug (prisma/prisma#21856) that can potentially breach access control #1627
The background is that ZenStack internally uses { AND: [] } to represent constant true and { OR: [] } to represent constant false. However, Prisma returns inconsistent query results when these constants appear in certain nesting combinations. The fix introduces more query reduction logic so that such combinations are no longer generated.
It's recommended that you upgrade ASAP after thorough testing.
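To make the reduction concrete, here is an added example (not ZenStack's own code) of a reducer that applies the identities above to a Prisma-style where object before it is handed to Prisma, so that the constant forms never survive nested inside AND/OR/NOT. Why this matters for access control: a deny guard injected by the policy layer is exactly { OR: [] }, so if Prisma mis-evaluates that constant in some nesting, a row that should have been filtered out comes back. The type and function names are hypothetical.

```typescript
// Added example, not ZenStack's code. Normalizes the boolean structure of a
// Prisma-style `where` so that { AND: [] } (true) and { OR: [] } (false)
// never end up nested inside AND/OR/NOT. Names are hypothetical.

type Where = Record<string, unknown>;

const TRUE: Where = { AND: [] };
const FALSE: Where = { OR: [] };

const operands = (v: unknown): Where[] =>
  v === undefined ? [] : ((Array.isArray(v) ? v : [v]) as Where[]);

// `{}` and `{ AND: [] }` both match every row.
function isTrue(w: Where): boolean {
  const keys = Object.keys(w);
  return keys.length === 0 || (keys.length === 1 && keys[0] === 'AND' && operands(w.AND).length === 0);
}

// `{ OR: [] }` matches no row.
function isFalse(w: Where): boolean {
  const keys = Object.keys(w);
  return keys.length === 1 && keys[0] === 'OR' && operands(w.OR).length === 0;
}

// Siblings at one level of a `where` are implicitly ANDed, so the reducer
// collects a list of conjuncts and rebuilds the object from that list.
function reduceWhere(w: Where): Where {
  const conjuncts: Where[] = [];

  // Plain field conditions stay as one conjunct (relation filter bodies are
  // not descended into in this example).
  const fields: Where = {};
  for (const [k, v] of Object.entries(w)) {
    if (k !== 'AND' && k !== 'OR' && k !== 'NOT') fields[k] = v;
  }
  if (Object.keys(fields).length > 0) conjuncts.push(fields);

  // AND: a false operand sinks the whole clause; true operands are dropped.
  for (const c of operands(w.AND).map(reduceWhere)) {
    if (isFalse(c)) return FALSE;
    if (!isTrue(c)) conjuncts.push(c);
  }

  // OR: a true operand makes the OR vacuous; false operands are dropped;
  // nothing left means the OR, and therefore the clause, is false.
  if (w.OR !== undefined) {
    const ors = operands(w.OR).map(reduceWhere);
    if (!ors.some(isTrue)) {
      const rest = ors.filter((c) => !isFalse(c));
      if (rest.length === 0) return FALSE;
      conjuncts.push(rest.length === 1 ? rest[0] : { OR: rest });
    }
  }

  // NOT with a single operand: NOT(true) is false, NOT(false) is dropped.
  // A NOT list is only reduced operand-wise and kept as a list.
  if (w.NOT !== undefined) {
    if (Array.isArray(w.NOT)) {
      conjuncts.push({ NOT: (w.NOT as Where[]).map(reduceWhere) });
    } else {
      const n = reduceWhere(w.NOT as Where);
      if (isTrue(n)) return FALSE;
      if (!isFalse(n)) conjuncts.push({ NOT: n });
    }
  }

  if (conjuncts.length === 0) return TRUE;
  if (conjuncts.length === 1) return conjuncts[0];
  return { AND: conjuncts };
}

// Stand-alone demo on constructed inputs.
console.log(JSON.stringify(reduceWhere({ AND: [{ OR: [] }, { published: true }] }))); // {"OR":[]}
console.log(JSON.stringify(reduceWhere({ OR: [{ AND: [] }, { deleted: false }] }))); // {"AND":[]}
console.log(JSON.stringify(reduceWhere({ AND: [{ OR: [{ OR: [] }, { a: 1 }] }, { b: 2 }] }))); // {"AND":[{"a":1},{"b":2}]}
```

The reducer deliberately returns the canonical constants rather than `{}` so that a caller can still recognize "deny everything" after reduction; a production version would also recurse into relation filters (some/every/none), which is where the nesting combinations the Prisma bug is about actually arise.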
createMany from input arg's typing for delegate models to avoid confusion #1577
@map is used on a foreign key field #1551
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.3...v2.4.0
Thanks to @irvinzz for helping with this release!
Published by ymc9 3 months ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.2...v2.3.3
Published by ymc9 3 months ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.1...v2.3.2
Published by ymc9 3 months ago
count uses a where filter involving a polymorphic base field #1585
auth() access #1589
createManyAndReturn and polymorphism #1576
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.3.0...v2.3.1
Published by ymc9 3 months ago
The new check() policy function allows you to delegate a model's permission checking to its relations. #276
model Todo {
...
list List @relation(fields: [listId], references: [id])
// if the parent list is readable, grant full access to this Todo entity
@@allow('all', check(list, 'read'))
}
You can use this feature to remove duplicated policy rules and keep the schema DRY. See a full guide here.
Prisma 5.16.x is now supported. The new Prisma version introduced a breaking change in typing; this version of ZenStack adapts to it.
Prisma.DbNull to filter JSON fields #1533
@length on a @password field checks the length of the hashed password rather than the original value #1502
auth() in @default() is used) #1493
Unsupported type is used #1517
create and upsert for delegate models from generated hooks and trpc routers, as they cannot be directly created.
@relation for delegate models, user-provided relation name should be used if it exists #1575 by @irvinzz
@zenstackhq/swr plugin.
Thanks to @jasonmacdonald @benjamintd @irvinzz @mentorkadriu for contributing to this release! ❤️
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.4...v2.3.0
Published by ymc9 4 months ago
This release contains several fixes related to polymorphic models.
createMany payload into regular create #1520
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.3...v2.2.4
Published by ymc9 4 months ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.2...v2.2.3
Published by ymc9 4 months ago
@allow rule, the access is always denied #1501
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.1...v2.2.2
Published by ymc9 4 months ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.2.0...v2.2.1
Published by ymc9 4 months ago
Previous versions of ZenStack had an unintuitive limitation: you couldn't compare fields from different models in policy rules. E.g., the following snippet was not valid:
model Post {
...
org Organization @relation(...)
orgId Int
author User @relation(...)
authorId Int
@@allow('update', orgId == author.orgId) // orgId and author.orgId are from different models
}
This release partly resolved the limitation by supporting such comparisons in mutation rules ("create," "update," and "delete").
Cross-model field comparison is not natively supported by Prisma, so ZenStack has to read the data out of the database and check the rules in the JS runtime. When ZenStack identifies a policy rule that involves such a comparison, the entire rule will be evaluated "post-read". Although it's usually not a big deal for mutation operations, you should be aware of the performance impact. For best performance, put expressions involving cross-model comparison into separate policy rules (so that other rules are still evaluated during database queries).
Cross-model field comparison is still not supported in "read" rules for two reasons:
Please provide feedback in our discord if it's important for you.
createManyAndReturn API #1461. The returned results are properly filtered by access policies.
Background: ZenStack's "read" policy rules control not only what data you can retrieve but also how filters work. For example, in the following schema and query:
model Post {
...
deleted Boolean
@@allow('read', !deleted)
}
db.user.findMany({ where: { posts: { some: { published: true } } } });
Post model's read rules will be injected into the where clause, like:
db.user.findMany({
  where: {
    posts: {
      some: {
        published: true, // user-provided filter
        deleted: false // ZenStack injected filter
      }
    }
  }
});
In previous versions of ZenStack, such filter injection only respected model-level policies but not field-level ones. This release fixes this missing part. For fields involved in filters, if they have field-level "read" rules, those rules will also be combined into the final filter. The consequence is, for the above example, that if the published field is not readable, the findMany will result in an empty array.
The injection also respects "override" field-level rules, meaning that even if the Post model is not readable, but you have a field-level "read" rule for the published field that overrides the model-level policy, the published field can still be used in the filter.
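As an added example (not ZenStack's own implementation), the following sketches the injection described above: a user-supplied where is rewritten so that every field it filters on carries the model-level read rule combined with that field's field-level rule, with an override rule replacing the model-level rule, and a toy in-memory evaluator shows the three outcomes (rows filtered by the model rule, an empty result when the filtered field is unreadable, and the override case). The policy representation, helper names and sample rows are constructed for this example.

```typescript
// Added example, not ZenStack's code. Shows how "read" policies are combined
// into a relation filter, including field-level and override rules.
// Policy shape, helper names and sample rows are hypothetical.

type Where = Record<string, unknown>;
type Row = Record<string, unknown>;

// Policies are where-fragments already resolved for the current user, using
// the encoding from the release notes: { AND: [] } = true, { OR: [] } = false.
const TRUE: Where = { AND: [] };
const FALSE: Where = { OR: [] };

interface FieldRule { read: Where; override?: boolean }
interface ModelPolicy {
  read: Where;                                               // model-level read rule
  fields?: Record<string, FieldRule>;                        // field-level read rules
  relations?: Record<string, { model: string; fk: string }>; // relation field -> target model
}
type Schema = Record<string, ModelPolicy>;

const list = (v: unknown): Where[] => (Array.isArray(v) ? v : [v]) as Where[];

// Condition a row of the model must satisfy for `field` to be usable in a filter:
// model rule AND field rule, unless the field rule is an override, which replaces it.
function fieldGuard(p: ModelPolicy, field: string): Where {
  const rule = p.fields?.[field];
  if (!rule) return p.read;
  return rule.override ? rule.read : { AND: [p.read, rule.read] };
}

// Rewrite a user-supplied `where` so every field it touches is guarded,
// recursing into relation filters with the target model's policies.
function injectRead(schema: Schema, model: string, where: Where): Where {
  const p = schema[model];
  const out: Where = {};
  const guards: Where[] = [];
  for (const [key, cond] of Object.entries(where)) {
    if (key === 'AND' || key === 'OR' || key === 'NOT') {
      out[key] = list(cond).map((c) => injectRead(schema, model, c));
      continue;
    }
    const rel = p.relations?.[key];
    if (rel) {
      const inner: Where = {};
      for (const [op, sub] of Object.entries(cond as Where)) {
        inner[op] = injectRead(schema, rel.model, sub as Where);
      }
      out[key] = inner;
    } else {
      out[key] = cond;
    }
    guards.push(fieldGuard(p, key));
  }
  return { AND: [out, ...(guards.length ? guards : [p.read])] };
}

// Minimal in-memory evaluator for the filter subset used here:
// equality, AND/OR and the `some` relation operator.
function matches(db: Record<string, Row[]>, schema: Schema, model: string, row: Row, where: Where): boolean {
  return Object.entries(where).every(([key, cond]) => {
    if (key === 'AND') return list(cond).every((c) => matches(db, schema, model, row, c));
    if (key === 'OR') return list(cond).some((c) => matches(db, schema, model, row, c));
    const rel = schema[model].relations?.[key];
    if (rel) {
      const sub = (cond as Where).some as Where;
      return db[rel.model].some((r) => r[rel.fk] === row.id && matches(db, schema, rel.model, r, sub));
    }
    return row[key] === cond;
  });
}

function findMany(db: Record<string, Row[]>, schema: Schema, model: string, where: Where): Row[] {
  const guarded = injectRead(schema, model, where);
  return db[model].filter((row) => matches(db, schema, model, row, guarded));
}

// Constructed sample data.
const db: Record<string, Row[]> = {
  User: [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }],
  Post: [
    { id: 10, authorId: 1, published: true, deleted: false },
    { id: 11, authorId: 2, published: true, deleted: true },
    { id: 12, authorId: 2, published: false, deleted: false },
  ],
};
const userPolicy: ModelPolicy = { read: TRUE, relations: { posts: { model: 'Post', fk: 'authorId' } } };

// 1. Only a model-level rule on Post, the @@allow('read', !deleted) from the text.
const modelOnly: Schema = { User: userPolicy, Post: { read: { deleted: false } } };
// 2. Same, but the `published` field is not readable.
const fieldDenied: Schema = { User: userPolicy, Post: { read: { deleted: false }, fields: { published: { read: FALSE } } } };
// 3. Post itself is unreadable, but an override rule makes `published` usable in filters.
const overridden: Schema = { User: userPolicy, Post: { read: FALSE, fields: { published: { read: TRUE, override: true } } } };

const query: Where = { posts: { some: { published: true } } };
function usersWithPublishedPost(schema: Schema): string[] {
  return findMany(db, schema, 'User', query).map((u) => u.name as string);
}

console.log(usersWithPublishedPost(modelOnly));   // ["alice"]: bob's published post is deleted
console.log(usersWithPublishedPost(fieldDenied)); // []: the filtered field is unreadable
console.log(usersWithPublishedPost(overridden));  // ["alice","bob"]: override bypasses the model rule
```

The key structural point is that the guard for a filtered field is ANDed next to the user's own condition inside the same some/every/none body, so an unreadable field produces the constant false guard there and the relation filter can never match, which is exactly why the findMany above comes back empty rather than leaking rows filtered on a field the caller may not read.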
Clerk integration guide now has sample code for Next.js app router
https://zenstack.dev/docs/guides/authentication/clerk#create-an-enhanced-prisma-client
Welcome @WimTibackx and @aloisklink as our new contributors!
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.2...v2.2.0
Published by ymc9 5 months ago
Int, String, DateTime, etc.) as enum field names in ZModel #1399 by @francistogram
Welcome @francistogram as our new contributor!
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.1...v2.1.2
Published by ymc9 5 months ago
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.1.0...v2.1.1
Published by ymc9 5 months ago
Permission Checker #242
A check API is extended to each model in the enhanced PrismaClient for checking permissions without querying the database. See more details here.
auth() is resolved from all loaded schema files #1388
In the previous release, to use auth() in a ZModel file, you needed to import the schema file that contains the User model definition (or the model definition marked with @@auth). This release relaxes that requirement: auth() is now resolvable as long as the schema file containing the auth model is reachable through any import. You no longer have to import it explicitly from every model file.
TanStack-Query and SWR plugins now generate createMany hooks for SQLite when Prisma >= 5.12
TRPC plugin now generates createMany procedure for SQLite when Prisma >= 5.12
DateTime) can now be used as field names #1424
auth() in @default() #1378
select is set to false #1427
@@unique attribute is defined in a base model #1430
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.0.3...v2.1.0
Published by ymc9 6 months ago
dbgenerated() attribute function by @clementoriol #1400
auth() inside @default() is not effective for upsert operations by @israelins85 #1404
Welcome @clementoriol and @israelins85 as our new contributors!
Full Changelog: https://github.com/zenstackhq/zenstack/compare/v2.0.2...v2.0.3