oso 0.21.0

Core

Other bugs & improvements

• Unification constraints on dot properties are no longer elided when emitting partial results for queries over multiple unbound variables.
• Debug mode can now be disabled by setting POLAR_LOG=0 or POLAR_LOG=off. Thanks to @alexhafner for the contribution!

Python

Breaking changes

Optional types parameter to register_class() renamed to fields

This now mirrors the parameter’s name in the other language libraries.

To migrate to the new API, change:

oso.register_class(User, types=...)

to:

oso.register_class(User, fields=...)

Other bugs & improvements

• Data filtering API types (Relation, Filter) are now importable from the top level oso module:

  from oso import Oso, Relation, Filter
  

• Fixed a bug concerning fetching errors from the core containing additional details. [ #1229]

Ruby

Other bugs & improvements

• Data filtering API types (Relation, Filter) are now defined on the top level Oso module.

require 'oso'
Relation = Oso::Relation

• The Ruby library can now be require-ed as "oso" or "oso-oso". Thanks to @davidpelaez for the contribution!

Node.js

Breaking changes

Optional types parameter to registerClass() renamed to fields

This now mirrors the parameter’s name in the other language libraries.

To migrate to the new API, change:

oso.registerClass(User, { types: { ... } });

to:

oso.registerClass(User, { fields: { ... } });

Accessing a nonexistent property on an object now errors

To help with catching erroneous policies, accessing a property that doesn’t exist on an object or anywhere in its prototype chain will now return an error.

Policy:

allow(user, "read", "document") if user.isAdmin;

Code:

const user = {name: "notanadmin"};
await oso.isAllowed(user, "read", "document");

Before this change, this isAllowed() call would silently fail. Oso would look up the nonexistent isAdmin property on the {name: "notanadmin"} object, which returns undefined. Since undefined is not equivalent to true, the isAllowed() call would fail, but the developer wouldn’t have any idea that they’d written a policy that referenced a nonexistent property.

Now, this will error since isAdmin is not a property on the user object.

This will still work if (1) the isAdmin property is explicitly set to undefined (e.g., user = {isAdmin: undefined}) or (2) the property check is moved into the head of the rule:

allow(user: {isAdmin: true}, "read", "document");

since specializers will not error if a property doesn’t exist (but the {name: "notanadmin"} object will fail to match the specializer and the isAllowed() call will still correctly return false).

Other bugs & improvements

• Data filtering API functions (authorizedQuery, authorizedResources) now correctly restrict their output to records of the user-supplied resource type.
• Runtime type checking on dot operations now works as intended, which fixes a disparity when extracting properties from objects using specializers.

Go

New features

Go pointer methods

Go methods that are defined on pointer receivers can now be called from Polar. Before this change, only methods defined on value receivers could be called.

type Typ struct {
	x int
}

// This could be called from Polar before
func (t Typ) Method() int {
	return t.x + 1
}

// This could not be called from Polar before but can now.
func (t *Typ) PtrMethod() bool {
	return t.x == 1
}

Other bugs & improvements

• The CLI to the Go REPL has been updated to use the new LoadFiles API. This re-enables support for loading multiple files via the CLI.
• The minimum supported Go version is back to 1.12.

sqlalchemy-oso 0.21.0

Other bugs & improvements

• Type definitions are now exported in the built wheel, so type annotations should work if you use a type checker like MyPy.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.