ZenStack Release v2.6.0

Security Fixes

This release fixed an important security issue related to polymorphic models.

Background

In a polymorphic model hierarchy, both the base and concrete models inherited from it can have access policies. When reading entities with a base model type, the corresponding concrete model fields are also fetched and returned. However, in this case, the access policies directly defined on the concrete models were not properly enforced in the previous releases, resulting in returning concrete model fields when they should have been excluded. This also happens to fields marked @omit on the concrete models.

The issue only happened when you read with a polymorphic base model (marked with @@delegate). When reading directly with a concrete model type, policies were correctly enforced.

This release fixed the issue. If a concrete model is not readable, its fields are not included, and only the base model's fields are returned. It's recommended that you upgrade ASAP if you're using the polymorphic models feature.

A big THANK YOU 🙏 to @svetch for reporting this issue!

New Features

• Added a new option to "@core/zod" plugin to specify if the generated schemas should reject, strip, or passthrough fields not recognized #1696 Doc

  Example:

  plugin zod {
      provider = "@core/zod"
      mode = "strip"
  }

Fixes and Improvements

• Fixed the issue that in certain cases concrete model fields are not returned in a polymorphic read #1698
• Fixed ZModel type checker issue that fields from abstract base model cannot be accessed from future(). or this. #1695 #1713
• Fix zod compilation issue when a @@delegate field has a default value #1693
• Fixed the issue that using auth() in @default() is not effective for createMany and createManyAndReturn #1681
• TRPC plugin now generates procedures that better conform to PrismaClient's typing: APIs like findMany, count, etc. now has optional parameter type #1707

Full Changelog: v2.5.1...v2.6.0