Absent: no session will be available in the route handler.
@session() or @session(None) or @session(checked_permissions=None): g.session will be available in the route handler and will be a SQLAlchemy session with no authorization applied.
@session({Org: "read"}) or @session(checked_permissions={Org: "read"}): g.session will be available in the route handler and will be a SQLAlchemy session that only returns Org records that the current user is authorized to "read" (via oso- & sqlalchemy-oso-powered data filtering) but does not apply authorization to records for other SQLAlchemy models.
It's unfortunate that the permissions (action-resource pairs) have to be specified up front instead of at query time, but it's a constraint imposed by the way SQLAlchemy sessions "cache" query results in their local identity map.
I think the new method of specifying a set of permissions is an improvement on the previous method of specifying a single action per request because it provides more explicit, flexible, and granular control than the previous system that would check authorization for every SQLAlchemy resource with the same action. The new method allows users to selectively apply authorization to certain resources while leaving others untouched and to authorize different actions for different resources.
Added repo role management via a new /orgs/:org_id/repos/:repo_id/settings page.
Done
@session()decorator for route handlers.@session()or@session(None)or@session(checked_permissions=None):g.sessionwill be available in the route handler and will be a SQLAlchemy session with no authorization applied.@session({Org: "read"})or@session(checked_permissions={Org: "read"}):g.sessionwill be available in the route handler and will be a SQLAlchemy session that only returnsOrgrecords that the current user is authorized to"read"(viaoso- &sqlalchemy-oso-powered data filtering) but does not apply authorization to records for other SQLAlchemy models./orgs/:org_id/repos/:repo_id/settingspage.TODO