sqlalchemy-oso 0.6.2

Other bugs & improvements

  • Authorized sessions now disable baked queries by default because the caching mechanism can bypass authorization by using queries from the cache that were previously baked without authorization applied. If you understand the risks and still want to opt-in to the previous behavior of using baked queries, you can pass the enable_baked_queries=True keyword argument to sqlalchemy_oso.authorized_sessionmaker() and friends.

sqlalchemy-oso-preview 0.0.3

Breaking changes

Warning

This release contains breaking changes. Be sure to follow migration steps before upgrading.

Replaced action parameter with checked_permissions

Previously, sqlalchemy_oso.authorized_sessionmaker() and friends expected sqlalchemy_oso.session.AuthorizedSession to be constructed with an action parameter. This action would then be used to return only authorized results when querying for SQLAlchemy models via the session. However, it did not allow much flexibility in that there was no way to map different actions to different models if, for example, you wished to authorize the "list_issues" action for Repos and the "read" action for Issues.

That level of granularity is now possible as the action parameter for sqlalchemy_oso.session.AuthorizedSession and the get_action parameter for sqlalchemy_oso.authorized_sessionmaker() and sqlalchemy_oso.session.scoped_session() have been replaced by checked_permissions and get_checked_permissions, respectively.

Previously:

Session = authorized_sessionmaker(
    get_oso=lambda: current_app.oso,
    get_user=lambda: g.current_user,
    get_action=lambda: "read",
    bind=engine,
)

Now:

Session = authorized_sessionmaker(
    get_oso=lambda: current_app.oso,
    get_user=lambda: g.current_user,
    get_action=lambda: {Issue: "read", Repo: "list_issues"},
    bind=engine,
)

Additionally, if you wish to skip all authorization checks for a particular session, you can pass checked_permissions=None or get_checked_permissions=lambda: None.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.