oso 0.20.0-beta


Breaking changes


This release contains breaking changes. Be sure to follow migration steps before upgrading.

or / and operator precedence

The or operator has had its precedence lowered to be consistent with other programming languages. Existing policies using or should be updated where necessary to group or operations using parentheses:

foo(a, b, c) if a and b or c;

would now be written

foo(a, b, c) if a and (b or c);

We have temporarily made policies which combine and and or without using parentheses throw errors in order to avoid silent changes. To silence the error, add parentheses.

New features

Data Filtering

This release makes data filtering a core library feature. We have added a new method get_allowed_resources(actor, action, class) that returns all the resources of type class that the actor is allowed to do the action on. It requires registering some new information about classes and implementing some hooks to do the filtering. In this preview it is available for Python, Ruby and JavaScript and can be used with any ORM. You can go to the data filtering guide to see how to use it.

New syntax for RBAC/ReBAC policies

This release introduces a new, shorthand syntax for declaring roles, permissions, relations, and rules for a particular resource:

resource Repo {
  roles = ["reader", "writer"];
  permissions = ["pull", "push"];
  relations = { creator: User };

  "writer" if "creator";
  "reader" if "writer";

  "push" if "writer";
  "pull" if "reader";

Each of the shorthand rules is expanded into a full Polar rule. For example, "push" if "writer"; expands into the following rule:

has_permission(actor, "push", repo: Repo) if
  has_role(actor, "writer", repo);

And "reader" if "writer"; expands to:

has_role(actor, "reader", repo: Repo) if
  has_role(actor, "writer", repo);

Documentation for the new syntax is forthcoming. In the meantime, if you have any feedback we would love to hear it on Slack!

Other bugs & improvements

  • The debugger can now break on rule matches.
  • Polar reserved words (e.g. type, if, debug) can be used as field and method names in dictionaries and objects.
  • Fixed a bug where unifying an external instance with a partially-bound variable in the head of a rule would add an additional constraint to the variable instead of rebinding it to the external instance.


New Preview API: Enforcers

This release adds the Enforcer class to the oso python library, which is intended to bridge the gap between your app and your policy. Instead of querying your policy using is_allowed, an enforcer exposes the following methods for more specific scenarios:

  • authorize(actor, action, resource): ensures an actor can perform a particular action on a resource (this is most similar to is_allowed).
  • authorize_request(actor, request): ensures an actor can send a particular request to the server.
  • authorize_field(actor, action, resource, field): ensures that an actor can perform an action on a particular field of a resource.

Read more about enforcement in the new enforcement guide.

django-oso 0.20.0-beta

Other bugs & improvements

  • Updates to maintain compatibility with the core.

sqlalchemy-oso 0.20.0-beta

Other bugs & improvements

  • Updates to maintain compatibility with the core.

flask-oso 0.20.0-beta

Other bugs & improvements

  • Updates to maintain compatibility with the core.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.