Open AstraLuma opened 2 years ago
I'm pretty sure it's a regression because my initial workaround hit a similar problem, so my version ended up with:

```python
def scoped_session(
    get_oso,
    get_user,
    get_checked_permissions,
    scopefunc=None,
    **kwargs,
):
    from sqlalchemy_oso.session import authorized_sessionmaker
    from sqlalchemy import orm

    scopefunc = scopefunc or (lambda: None)

    def _scopefunc():
        cperms = get_checked_permissions()
        if cperms is None:
            # Note: get_user() often needs database access, so don't call that in this branch.
            return scopefunc()
        else:
            checked_permissions = frozenset(cperms.items())
            return (get_oso(), checked_permissions, get_user(), scopefunc())

    factory = authorized_sessionmaker(
        get_oso, get_user, get_checked_permissions, **kwargs
    )
    return orm.scoped_session(factory, scopefunc=_scopefunc)
```
Hi @AstraLuma. Sorry for the delay getting back to you! I think this issue is caused by your use of scoped session to access `User`. The `get_user` function may access the database, but it cannot use an Oso session to do so, otherwise you end up with recursion as you've noted.

To get around this, most users will use an 'unauthorized' session to retrieve the current user. You'll need an authorized session and an unauthorized session for every request.

You can see an example in this app.

This workaround you presented is interesting and could be an enhancement to the `scoped_session` API. I think you'd still hit a recursive `get_user` call when the `AuthorizedSession` is constructed though (see here). Do you see the recursive query issue with your workaround?

One enhancement we could add is to avoid calling `get_user` if `get_checked_permissions` returns `None` in session construction.
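The re-entrancy loop discussed in this thread, as an added illustration that is not oso's or sqlalchemy-oso's code: a minimal stand-in for `sqlalchemy.orm.scoped_session` (one session per key returned by `scopefunc()`), a `get_user()` that reads the user back through that same scoped session (the anti-pattern), and the two remedies from the thread, skipping `get_user()` when `get_checked_permissions()` returns `None` and loading the user through a separate unauthorized session. `FakeSession`, `FakeScopedSession`, `make_scoped`, `USERS` and `CURRENT_USER_ID` are constructed for the example and are not part of either library.

```python
from typing import Any, Dict

# Constructed stand-in for the user table an app would query.
USERS = {1: "alice"}
CURRENT_USER_ID = 1


class FakeSession:
    """Stand-in for a SQLAlchemy Session: just records how it was built."""

    def __init__(self, checked_permissions, user):
        self.checked_permissions = checked_permissions
        self.user = user


class FakeScopedSession:
    """Minimal model of sqlalchemy.orm.scoped_session: one Session per scope key,
    and the key comes from scopefunc() on every access (that is where get_user runs)."""

    def __init__(self, factory, scopefunc):
        self._factory = factory
        self._scopefunc = scopefunc
        self._registry: Dict[Any, FakeSession] = {}

    def __call__(self) -> FakeSession:
        key = self._scopefunc()
        if key not in self._registry:
            self._registry[key] = self._factory(key)
        return self._registry[key]


def make_scoped(get_checked_permissions, get_user, skip_user_when_unchecked):
    """Build a scoped session whose scope key includes the current user.
    skip_user_when_unchecked applies the thread's workaround: no get_user()
    call (hence no DB access) when get_checked_permissions() returns None."""

    def scopefunc():
        cperms = get_checked_permissions()
        if cperms is None and skip_user_when_unchecked:
            return None  # unauthorized scope: no user needed
        perms = None if cperms is None else frozenset(cperms.items())
        return (perms, get_user())

    def factory(key):
        if key is None:
            return FakeSession(None, None)
        perms, user = key
        return FakeSession(perms, user)

    return FakeScopedSession(factory, scopefunc)


def recursion_outcome(checked_permissions, skip_user_when_unchecked) -> str:
    """Anti-pattern from the issue: get_user() loads the user through the oso
    scoped session itself. Returns 'recursion' or 'ok'."""
    holder: Dict[str, FakeScopedSession] = {}

    def get_user():
        holder["scoped"]()  # re-enters scopefunc(), which calls get_user() again...
        return USERS[CURRENT_USER_ID]

    holder["scoped"] = make_scoped(
        lambda: checked_permissions, get_user, skip_user_when_unchecked
    )
    try:
        holder["scoped"]()
        return "ok"
    except RecursionError:
        return "recursion"


def unauthorized_lookup(checked_permissions):
    """The maintainer's recommendation: get_user() uses a separate, unauthorized
    session (modelled here as a direct table read) and never re-enters scopefunc()."""

    def get_user():
        return USERS[CURRENT_USER_ID]  # plain session, no oso scope involved

    scoped = make_scoped(lambda: checked_permissions, get_user, skip_user_when_unchecked=True)
    session = scoped()
    return (session.checked_permissions, session.user)


if __name__ == "__main__":
    print("naive, no permission check:", recursion_outcome(None, False))
    print("workaround, no permission check:", recursion_outcome(None, True))
    print("workaround, with permission check:", recursion_outcome({"User": "read"}, True))
    print("unauthorized user lookup:", unauthorized_lookup({"User": "read"}))
```

The third case is the maintainer's point: skipping `get_user()` only helps on the `None` path; once a permission check is in effect the scope key still needs the user, so a `get_user()` that goes through the scoped session recurses again. Only the separate unauthorized session breaks the loop in every case.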
My current app just uses a non-oso session.
Within `get_user()`?
Yeah
Does this overlap with https://github.com/osohq/oso/issues/1579 / did https://github.com/osohq/oso/pull/1581 address this issue?
I don't think so, it looks like different code paths. But we ended up not using oso-sqlalchemy (just vanilla oso), so I don't have current code handy to check.
No worries, I figured I'd check in case. Thanks :)
Pretty sure this is a regression introduced by #1440
If `get_user()` accesses the database via oso's `ScopedSession` and `get_checked_permissions()` returns `None`, infinite recursion happens.