oso 0.23.0

Core

Breaking changes

Warning

This release contains breaking changes. Be sure to follow migration steps before upgrading.

Data filtering now treats accessing an undeclared field as an error. All fields used in data filtering queries must now be registered ahead of time by including them in the fields parameter of the register_class Oso API function, which previously was only necessary for data relations. For example, to use data filtering with the rule

allow(user, _, foo: Foo) if foo.user_name = user.name;

user_name must be included in the register_class call for Foo:

# an example in Python
oso.register_class(Foo, fields={'user_name': str})

This change only affects data filtering. Other Oso APIs require no new configuration.

Other bugs & improvements

  • Fixed a bug where a negated constraint on a dot lookup could cause Polar to crash when the underlying variable became bound.
  • Removed syntax for parenthesized specializers like f(_: (x));, which don’t currently achieve anything.

Python

Other bugs & improvements

  • Thanks to Clara McCreery for a correction to our Python data filtering docs!

Platform support

We now publish wheels for musl-based Linux distributions (through the musllinux tag) and for ARM-based MacOS systems (through the macosx_11_0_arm64 tag). We now publish wheels for Python 3.10 for all supported platforms.

On those systems, you should now be able to use pip install oso to get the latest Oso package.

Node.js

New features

Custom type checks for plain objects
  • It is now possible to customize the way that types are determined. By passing a custom isaCheck parameter to oso.registerClass, you can tell Oso how to determine whether a particular value is an instance of that class. This is useful for certain frameworks, like Prisma, which don’t use prototype-style classes for objects of different types. In the example below, any object with type === "user" will be considered a User by the Oso runtime:
oso.registerClass(Object, {
  name: "User",
  isaCheck: instance => instance.type === "user"
});

Other bugs & improvements

  • The Class type for representing abstract resources for data filtering is now a top-level export.

Rust

Other bugs & improvements

  • Oso’s Rust REPL no longer swallows its output.

sqlalchemy-oso 0.23.0

Support for authorization of eager loaded data

sqlalchemy-oso will now detect entities that are loaded due to relationship loading options declared on the model or query. For example:

a = query(A).options(joinedload(A.bs)).all()
bs = a[0].bs

bs will now contain only authorized data according to the policy. In previous versions of sqlalchemy-oso, bs would not be authorized with the joinedload option.

django-oso 0.23.0

Bumped the minimum required version of the oso dependency.

flask-oso 0.23.0

Bumped the minimum required version of the oso dependency.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.