Skip to content

oso 0.21.0

Compare
Choose a tag to compare
@github-actions github-actions released this 28 Sep 18:07
7541252

oso 0.21.0

Core

Other bugs & improvements

  • Unification constraints on dot properties are no longer elided when emitting
    partial results for queries over multiple unbound variables.
  • Debug mode can now be disabled by setting POLAR_LOG=0 or POLAR_LOG=off.
    Thanks to @alexhafner for the
    contribution!

Python

Breaking changes

Optional types parameter to register_class() renamed to fields

This now mirrors the parameter's name in the other language libraries.

To migrate to the new API, change:

oso.register_class(User, types=...)

to:

oso.register_class(User, fields=...)

Other bugs & improvements

  • Data filtering API types (Relation, Filter) are now importable from the
    top level oso module:

    from oso import Oso, Relation, Filter
  • Fixed a bug concerning fetching errors from the core containing additional
    details. [#1229]

Ruby

Other bugs & improvements

  • Data filtering API types (Relation, Filter) are now defined on the top
    level Oso module.
require 'oso'
Relation = Oso::Relation
  • The Ruby library can now be require-ed as "oso" or "oso-oso". Thanks to
    @davidpelaez for the contribution!

Node.js

Breaking changes

Optional types parameter to registerClass() renamed to fields

This now mirrors the parameter's name in the other language libraries.

To migrate to the new API, change:

oso.registerClass(User, { types: { ... } });

to:

oso.registerClass(User, { fields: { ... } });
Accessing a nonexistent property on an object now errors

To help with catching erroneous policies, accessing a property that doesn't
exist on an object or anywhere in its prototype chain will now return an error.

Policy:

allow(user, "read", "document") if user.isAdmin;

Code:

const user = {name: "notanadmin"};
await oso.isAllowed(user, "read", "document");

Before this change, this isAllowed() call would silently fail. Oso would look
up the nonexistent isAdmin property on the {name: "notanadmin"} object,
which returns undefined. Since undefined is not equivalent to true, the
isAllowed() call would fail, but the developer wouldn't have any idea that
they'd written a policy that referenced a nonexistent property.

Now, this will error since isAdmin is not a property on the user object.

This will still work if (1) the isAdmin property is explicitly set to
undefined (e.g., user = {isAdmin: undefined}) or (2) the property check is
moved into the head of the rule:

allow(user: {isAdmin: true}, "read", "document");

since specializers will not error if a property doesn't exist (but the {name: "notanadmin"} object will fail to match the specializer and the isAllowed()
call will still correctly return false).

Other bugs & improvements

  • Data filtering API functions (authorizedQuery, authorizedResources) now
    correctly restrict their output to records of the user-supplied resource
    type.
  • Runtime type checking on dot operations now works as intended, which fixes a
    disparity when extracting properties from objects using specializers.

Go

New features

Go pointer methods

Go methods that are defined on pointer receivers can now be called from Polar.
Before this change, only methods defined on value receivers could be called.

type Typ struct {
	x int
}

// This could be called from Polar before
func (t Typ) Method() int {
	return t.x + 1
}

// This could not be called from Polar before but can now.
func (t *Typ) PtrMethod() bool {
	return t.x == 1
}

Other bugs & improvements

  • The CLI to the Go REPL has been updated to use the new LoadFiles API. This
    re-enables support for loading multiple files via the CLI.
  • The minimum supported Go version is back to 1.12.

sqlalchemy-oso 0.21.0

Other bugs & improvements

  • Type definitions are now exported in the built wheel, so type annotations
    should work if you use a type checker like MyPy.