This release contains breaking changes. Be sure to follow migration steps before upgrading.
Anonymous rest variables now properly anonymized
Previously, we were not generating unique identifiers for anonymous rest
*_) during the rewriting pass. This resulted in unexpected
results for queries containing multiple anonymous rest variables, such as:
[*_] in [*a] and [*b] in [*_] and b = 1
The above query would return a result with
a bound to
*b interacted through the pair of un-anonymized rest variables.
After this change, that query now correctly returns a result with
*_1 is the rewritten, anonymized rest variable.
get_allowed_actions introduced for Python
oso.Oso.get_allowed_actions() to get a list of actions that a user
is allowed to take on a resource. These actions can be used for making
additional authorization decisions, especially in the frontend (e.g., hiding
or showing a button based on the current user’s allowed actions).
See our guide here!
Running Oso in the browser
To see how to use Oso in the browser, see this example.
PolarClass implemented for versions 0.7 & 0.8 of the
PolarClass is now implemented for versions 0.7 & 0.8 of the
behind the optional
uuid-07 feature flag.
Ruby library now supports Ruby 3.0
There are no breaking changes. Happy Rubying!
Improved support for constraint propagation and interactions between variables in Polar VM
The Polar VM now supports adding constraints during query execution on any
unbound variable, including constraints over multiple unbound variables.
Constraints can be used within any query, without requiring partial objects to
be passed in to
oso.query_rule. This allows writing queries in a more
declarative style, and allows Polar to correctly answer more queries with
unbound variables. The change improves support for the following
queries, when run using
oso.query_rule or using list filtering adapters with
Django or SQLAlchemy:
Rules involving intersections between multiple collections on objects
allow(actor, action, post: Post) if tag in post.tags and tag in actor.allowed_tags;
Calling rules on a field of a constrained variable
allow(actor, action, post: Post) if allow(actor, action, post.tag);
Comparison operations between constrained partials
allow(actor, action, post: Post) if post_tag in post.tags and actor_tag in actor.tags and post_tag = actor_tag;
Support for more queries involving negation and constraints.
Creation of constrained variables from unbound variables during query execution
f(x) if not (x = 1) and x = 2;
Since this is a substantial change, we are releasing an alpha build. This build provides an opportunity to give feedback to our engineering team as we complete this functionality. We’re available on Slack for questions and feedback.
Includes support for
Includes support for
Connect with us on Slack
If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.