ZenStack Release v2.2.0

New Features

1. Comparing fields from different models in mutation policies #1463

Previous versions of ZenStack had an unintuitive limitation that you can't compare fields from different models in policy rules. E.g., the following snippet was not valid:

model Post {
  ...
  org Organization @relation(...)
  orgId Int
  author User @relation(...)
  authorId Int

  @@allow('update', orgId == author.orgId) // orgId and author.orgId are from different models
}

This release partly resolved the limitation by supporting such comparisons in mutation rules ("create," "update," and "delete").

Cross-model field comparison is not natively supported by Prisma, so ZenStack has to read the data out of the database and check the rules in the JS runtime. When ZenStack identifies a policy rule that involves such a comparison, the entire rule will be evaluated "post-read". Although it's usually not a big deal for mutation operations, you should be aware of the performance impact. For best performance, put expressions involving cross-model comparison into separate policy rules (so that other rules are still evaluated during database queries).

Cross-model field comparison is still not supported in "read" rules for two reasons:

1. It's very easy to result in reading an unbounded number of rows, filtering and discarding most of them.
2. It should be noted that "read" rules cover not only find but also aggregations. If we can't do a filtered aggregation on the database side, we'll have to reimplement it in the ZenStack library.

Please provide feedback in our discord if it's important for you.

2. Added support for Prisma 5.14's new createManyAndReturn API #1461

The returned results are properly filtered by access policies.

3. Relation filtering now respects field-level policies #1454

Background: ZenStack's "read" policy rules control not only what data you can retrieve but also how filters work. For example, in the following schema and query:

model Post {
  ...
  deleted Boolean
  @@allow('read', !deleted)
}

db.user.findMany({ where: { posts: { some: { published: true } } } });

Post model's read rules will be injected into the where clause, like:

db.user.findMany({
  where: {
    posts: {
      some: {
        published: true,  // user-provided filter
        deleted: false  // ZenStack injected filter
    }
  }
});

In previous versions of ZenStack, such filter injection only respected model-level policies but not field-level ones. This release fixes this missing part. For fields involved in filters, if they have field-level "read" rules, those rules will also be combined into the final filter. The consequence is, for the above example, if the published field is not readable, the findMany will result in an empty array.

The injection also respects "override" field-level rules, meaning that even if the Post model is not readable, but you have a field-level "read" rule for the published field that overrides the model-level policy, the published field can be used in the filter.

Fixes and Improvements

• Fixed Windows build issues and improved contribution documentation by @WimTibackx
• Fixed default value handling for BigInt type in Zod schemas by @aloisklink
• Upgraded Prisma peer dependency to <= 5.15.x
• Fixed typing issues in TanStack Query's infinite query hooks #1472
• Fixed typing issues in TanStack Query hooks generated for Svelte #1488
• Fixed overlong identifier names generated in Prisma schemas generated for polymorphic models #1466
• Fixed incorrect validation errors for polymorphic models inherited from an abstract base model #1474
• Fixed Decimal/Date object corruption when used with polymorphic models #1487
• Fixed runtime error when using polymorphic models with optional relation fields #1483

Docs Updates

• Clerk integration guide now has sample code for Next.js app router

  https://zenstack.dev/docs/guides/authentication/clerk#create-an-enhanced-prisma-client

New Contributors

Welcome @WimTibackx and @aloisklink as our new contributors!

Full Changelog: v2.1.2...v2.2.0

ZenStack Release v2.1.2

What's Changed

• Allow using type names (Int, String, DateTime, etc.) as enum field names in ZModel #1399 by @francistogram

New Contributors

Welcome @francistogram as our new contributor!

Full Changelog: v2.1.1...v2.1.2

ZenStack Release v2.1.1

What's Changed

• Fixed an infinite recursion while evaluating field-level policies #1451

Full Changelog: v2.1.0...v2.1.1

ZenStack Release v2.1.0

New Features

• Permission Checker #242

  A check API is extended to each model in the enhanced PrismaClient for checking permissions without querying the database. See more details here.

• auth() is resolved from all loaded schema files #1388

  In the previous release, to use auth() in a ZModel file, you'll need to import the schema file that contains the User model definition (or the model definition marked with @@auth). This release relaxed that requirement: auth() is now resolvable as long as the schema file containing the auth model is reachable through any import. You don't have to explicitly import it from every model now.

• TanStack-Query and SWR plugins now generate createMany hooks for SQLite when Prisma >= 5.12

• TRPC plugin now generates createMany procedure for SQLite when Prisma >= 5.12

Fixes and Improvements

• Fixed several code generation errors for delegate models #1415 #1416
• Fixed the problem that filters using fields from delegate base models don't work properly when nested inside a logical group #1410
• ZModel type names (e.g., DateTime) can now be used as field names #1424
• Fixed the typing inconsistency for Zod schemas generated for fields using auth() in @default() #1378
• TRPC code gen improvements: make sure type-only imports are only type-imported #1405
• Fixed the problem that relation fields are included even if select is set to false #1427
• Fixed incorrect validation error when @@unique attribute is defined in a base model #1430
• Fixed compatibility with Prisma 5.13's omit feature
• Fixed query issue with using enums inside access policies #1435
• The generated TRPC code is now more robust with importing Zod schemas #1406

Full Changelog: v2.0.3...v2.1.0

ZenStack Release v2.0.3

What's Changed

• Allow empty constructor for the dbgenerated() attribute function by @clementoriol #1400
• Fixed the issue that auth() inside @default() is not effective for upsert operations by @israelins85 #1404

New Contributors

Welcome @clementoriol and @israelins85 as our new contributors!

Full Changelog: v2.0.2...v2.0.3

ZenStack Release v2.0.2

What's Changed

• Fixed the problem that enum documentation is lost in the generated prisma schema by @nopain1210
• Fixed compatibility issue with pnpm workspace environment

New Contributors

• Welcome @nopain1210 to becoming our new contributor!

Full Changelog: v2.0.1...v2.0.2

ZenStack Release v2.0.1

What's Changed

• Prisma peer dependency version has been bumped to 5.13.x.
• Fixed VSCode auto-fix code generation location issue.
• Fixed policy compilation error for deeply nested post-update rules #1381

Full Changelog: v2.0.0...v2.0.1

ZenStack Release v2.0.0 🎉

Features

Make sure you read the full upgrade guide before upgrading!

1. Polymorphic Relations

You can now model a polymorphic inheritance hierarchy using the "delegated types" pattern. Read more details here.

2. Using auth() Inside @default Attribute

You can now use the auth() function call inside @default() attribute in ZModel. It's very handy for models that should always be connected to the current user during creation. By providing such a default value, you don't need to explicitly connect to the user anymore:

model Post {
  ...
  author User @relation(...)
  authorId String @default(auth().id)
}

const db = enhance(prisma, { user: getCurrentUser() });
const post = await db.post.create({ title: 'Post1' }); // no need to connect the `author` field

Special thanks to Augustin for making this feature happen!

3. Edge Runtime Support (Preview)

The @zenstackhq/runtime package is compatible with Vercel Edge Runtime and Cloudflare Workers. See here for more details.

4. Server Adapter for NestJS

An official adapter for using ZenStack with NestJS that plays well with its dependency injection. See here for more details.

5. Formating ZModel in Prisma Style

Yes, we heard your voices, and here it comes 😄. Please update the VSCode extension and JetBrains plugin to the latest version and enjoy.

You can toggle back to the old behavior in the extension settings (VSCode only).

Improvements and Fixes

This release also contains many DX improvements and fixes.

Full Changelog: v1.12.4...v2.0.0

ZenStack Release v1.12.4

What's Changed

• Fixed access policy check issue with "upsert" models with compound @@id fields. #1271

Full Changelog: v1.12.3...v1.12.4

ZenStack Release v2.0.0-beta.13

What's Changed

• VSCode extension and the zenstack CLI formats ZModel files with prisma-like indentation style by default. #885
• zenstack CLI now auto-format the generated prisma schema by default.
• Fixed several typing issues about using auth() inside @default().
• Fixed the problem that member access from auth() is not properly resolved if the auth model is imported. #1257
• Fixed the problem that @@index attribute is incorrectly inherited from the base. #1243
• Removed several Prisma V4 dependencies since V4 is not supported anymore.

Full Changelog: v2.0.0-beta.8...v2.0.0-beta.13