oso
0.10.0
Breaking changes
Anonymous rest variables now properly anonymized
Previously, we were not generating unique identifiers for anonymous rest
variables (*_
) during the rewriting pass. This resulted in unexpected
results for queries containing multiple anonymous rest variables, such as:
[*_] in [*a] and [*b] in [*_] and b = 1
The above query would return a result with a
bound to [1]
because
*a
and *b
interacted through the pair of un-anonymized rest variables.
After this change, that query now correctly returns a result with a
bound
to [*_1]
, where *_1
is the rewritten, anonymized rest variable.
New features
get_allowed_actions
introduced for Python
Use Oso.get_allowed_actions to get a list of actions that a user is allowed to take on a resource. These actions can be used for making additional authorization decisions, especially in the frontend (e.g., hiding or showing a button based on the current user’s allowed actions).
See our guide here!
Running Oso in the browser
The Oso JavaScript/TypeScript package on NPM has been updated to work with browser environments using bundlers like webpack.
You can see it in action on our new docs site and to see how to use in the browser, see this example.
PolarClass
implemented for versions 0.7 & 0.8 of the uuid
crate
PolarClass
is now implemented for versions 0.7 & 0.8 of the uuid
crate
behind the optional uuid-07
feature flag.
Ruby library now supports Ruby 3.0
There are no breaking changes. Happy Rubying!
oso
0.11.0a0
New features
Improved support for constraint propagation and interactions between variables in Polar VM
The Polar VM now supports adding constraints during query execution on any unbound variable, including constraints over multiple unbound variables. Constraints can be used within any query, without requiring partial objects to be passed in to oso.query_rule. This allows writing queries in a more declarative style, and allows Polar to correctly answer more queries with unbound variables. The change improves support for the following queries, when run using oso.query_rule or using list filtering adapters with Django or SQLAlchemy:
- Rules involving intersections between multiple collections on objects
allow(actor, action, post: Post) if
tag in post.tags and
tag in actor.allowed_tags;
- Calling rules on a field of a constrained variable
allow(actor, action, post: Post) if allow(actor, action, post.tag);
- Comparison operations between constrained partials
allow(actor, action, post: Post) if
post_tag in post.tags and
actor_tag in actor.tags and
post_tag = actor_tag;
-
Support for more queries involving negation and constraints.
-
Creation of constrained variables from unbound variables during query execution
f(x) if not (x = 1) and x = 2;
Since this is a substantial change, we are releasing an alpha build. This build provides an opportunity to give feedback to our engineering team as we complete this functionality. We’re available in Slack for questions and feedback.
sqlalchemy-oso
0.5.0a0
Includes support for oso
0.11.0a0.
django-oso
0.7.0a0
Includes support for oso
0.11.0a0.