oso 0.10.0

Breaking changes

Warning

This release contains breaking changes. Be sure to follow migration steps before upgrading.

Anonymous rest variables now properly anonymized

Previously, we were not generating unique identifiers for anonymous rest variables (*_) during the rewriting pass. This resulted in unexpected results for queries containing multiple anonymous rest variables, such as:

[*_] in [*a] and [*b] in [*_] and b = 1

The above query would return a result with a bound to [1] because *a and *b interacted through the pair of un-anonymized rest variables. After this change, that query now correctly returns a result with a bound to [*_1], where *_1 is the rewritten, anonymized rest variable.

New features

get_allowed_actions introduced for Python

Use oso.Oso.get_allowed_actions() to get a list of actions that a user is allowed to take on a resource. These actions can be used for making additional authorization decisions, especially in the frontend (e.g., hiding or showing a button based on the current user’s allowed actions).

See our guide here!

Running Oso in the browser

The Oso JavaScript/TypeScript package on NPM has been updated to work with browser environments using bundlers like webpack.

To see how to use Oso in the browser, see this example.

PolarClass implemented for versions 0.7 & 0.8 of the uuid crate

PolarClass is now implemented for versions 0.7 & 0.8 of the uuid crate behind the optional uuid-07 feature flag.

Ruby library now supports Ruby 3.0

There are no breaking changes. Happy Rubying!

oso 0.11.0a0

New features

Improved support for constraint propagation and interactions between variables in Polar VM

The Polar VM now supports adding constraints during query execution on any unbound variable, including constraints over multiple unbound variables. Constraints can be used within any query, without requiring partial objects to be passed in to oso.query_rule. This allows writing queries in a more declarative style, and allows Polar to correctly answer more queries with unbound variables. The change improves support for the following queries, when run using oso.query_rule or using list filtering adapters with Django or SQLAlchemy:

  • Rules involving intersections between multiple collections on objects

    allow(actor, action, post: Post) if
    tag in post.tags and
    tag in actor.allowed_tags;

  • Calling rules on a field of a constrained variable

    allow(actor, action, post: Post) if allow(actor, action, post.tag);

  • Comparison operations between constrained partials

    allow(actor, action, post: Post) if
    post_tag in post.tags and
    actor_tag in actor.tags and
    post_tag = actor_tag;

  • Support for more queries involving negation and constraints.

  • Creation of constrained variables from unbound variables during query execution

    f(x) if not (x = 1) and x = 2;

Since this is a substantial change, we are releasing an alpha build. This build provides an opportunity to give feedback to our engineering team as we complete this functionality. We’re available on Slack for questions and feedback.

django-oso 0.7.0a0

Includes support for oso 0.11.0a0.

sqlalchemy-oso 0.5.0a0

Includes support for oso 0.11.0a0.