What's Changed
- New `enhance` API

  Added a new `enhance` API as a replacement for `withPresets`, which includes all essential enhancements to PrismaClient. The `withPresets` API, whose name many found confusing, will be deprecated in a future release.
- Policy check refactor and performance improvement

  This release contains a major refactor to the access policy engine, bringing two significant improvements:

  - The new engine doesn't rely on the auxiliary fields (`zenstack_guard` & `zenstack_transaction`) for policy checks anymore. The aux fields are still generated in this release but will be removed in a future one.
  - Performance improvements, especially for the nested read of to-one relationships. Now read filtering is fully done with query injection and never does post-read checks.
- Fixed incorrect relation ownership analysis for self-relations. #609
Breaking Changes
- Requires Prisma minimum version 4.8.0

  The minimum supported Prisma version is increased to 4.8.0. This is mainly to be able to filter nullable to-one relations during query (so we don't need to do post-read filtering). A warning will be printed when you run the CLI to create an enhanced PrismaClient at runtime if a lower Prisma version is detected.
- Policy check behavior changes when reading with an enhanced PrismaClient

  In the new release, read queries (`findXXX`, `aggregate`, `count`, `groupBy`) never throw rejection errors due to access policy violations. They behave as if the rows not satisfying "read" policies don't exist.

  Pay attention when reading nested "to-one" relations, since the behavior changes in this release.
  - Non-nullable to-one relations

    In previous releases, if you nested-read a non-nullable to-one relation and that relation failed the policy check, the entire read would be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the top-level read to be filtered out. E.g.:

    ```ts
    const post = await db.post.findUnique({ where: { id }, include: { author: true } });
    // In previous releases, if `author` is not readable, the call results in an error thrown.
    // In the new release, it'll return null (as if the top-level `post` read is filtered)
    ```
  - Nullable to-one relations

    In previous releases, if you nested-read a nullable to-one relation and that relation failed the policy check, the entire read would be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the relation field to be set to null. E.g.:

    ```ts
    const user = await db.user.findUnique({ where: { id }, include: { profile: true } });
    // In previous releases, if `profile` is not readable, the call results in an error thrown.
    // In the new release, the read will succeed (as long as `user` is readable)
    // and the `profile` field will be set to null
    ```
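The two nested-read cases above, modeled side by side as an added JavaScript sketch (not ZenStack's implementation and not code from these release notes). The in-memory data, the `canRead` policies, the `engine` switch and all function names are assumptions made for illustration.

```javascript
// Toy model of the read semantics above; NOT ZenStack code. Data and "read"
// policies are constructed. Only the nested to-one cases are modeled.
const db = {
  user: [{ id: 1, banned: false }, { id: 2, banned: true }],
  profile: [{ id: 10, userId: 1, isPrivate: true }],
  post: [{ id: 100, authorId: 1 }, { id: 101, authorId: 2 }],
};
const canRead = {
  user: (u) => !u.banned,
  profile: (p) => !p.isPrivate,
};

class PolicyError extends Error { code = 'P2004'; }

// Non-nullable to-one (post.author)
function findPost(id, engine) {
  const post = db.post.find((p) => p.id === id);
  if (!post) return null;
  const author = db.user.find((u) => u.id === post.authorId);
  if (!canRead.user(author)) {
    if (engine === 'old') throw new PolicyError(); // previous releases
    return null; // new release: the post is filtered out
  }
  return { ...post, author };
}

// Nullable to-one (user.profile)
function findUser(id, engine) {
  const user = db.user.find((u) => u.id === id);
  if (!user || !canRead.user(user)) return null;
  const profile = db.profile.find((p) => p.userId === id) ?? null;
  if (profile && !canRead.profile(profile)) {
    if (engine === 'old') throw new PolicyError(); // previous releases
    return { ...user, profile: null }; // new release: field set to null
  }
  return { ...user, profile };
}

// Caller-side effect: a P2004 handler around a read never fires with the new
// engine, so "denied" and "missing" both arrive as null.
function describePost(id, engine) {
  try {
    const post = findPost(id, engine);
    return post ? `post by user ${post.author.id}` : 'not found';
  } catch (e) {
    if (e.code === 'P2004') return 'forbidden';
    throw e;
  }
}
```

Callers that mapped a caught "P2004" on reads to a "forbidden" response will report "not found" instead after upgrading, and code that dereferences a nullable relation needs a null check.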
Full Changelog: v1.0.0-beta.10...v1.0.0-beta.16