Joey
12/08/2022, 3:52 PM
Joey
12/08/2022, 3:53 PM
`viewer` and then have to grant the token it as well?
seeruyy
12/08/2022, 3:53 PM
Joey
12/08/2022, 3:53 PM
seeruyy
12/08/2022, 3:58 PM
`user:user_id#inheritor@user:access_key`
2. A user creates a token with restricted permissions, for example: just read-only access. But if the user has no access to some resource, even to read, the token should not have access either.
seeruyy
12/08/2022, 4:03 PM
`true` token has access
So I do 2 checkPermission API calls, which seems incorrect.
Joey
12/08/2022, 4:22 PM
Joey
12/08/2022, 4:23 PM
definition token {}
definition user {
    relation token: token
}
definition resource {
    relation viewer: user | token
    permission view = viewer->token & viewer
}
check resource:foo view token:whatever
Joey
12/08/2022, 4:23 PM
Joey
12/08/2022, 4:23 PM
definition token {}
definition user {
    relation token: token
}
definition resource {
    relation viewer: user#token
    permission view = viewer
}
Joey
12/08/2022, 4:24 PM
seeruyy
12/08/2022, 4:25 PM
Joey
12/08/2022, 4:25 PM
seeruyy
12/08/2022, 4:35 PM
Joey
12/08/2022, 4:36 PM
`user#token`
seeruyy
12/08/2022, 4:43 PM
`user.token`
hcguy
12/08/2022, 5:16 PM
Joey
12/08/2022, 5:17 PM
assertTrue:
  - 'document:foo#view@user:bar with {"some":"context"}'
expressadapter
12/09/2022, 10:50 AM
Joey
12/09/2022, 3:25 PM
masd1
12/09/2022, 4:38 PM
Joey
12/09/2022, 4:39 PM
`reader` or `writer`, because it's actually a set: you're saying "find users in the set of `readers+writers`"
masd1
12/09/2022, 4:39 PM
Joey
12/09/2022, 4:40 PM
masd1
12/09/2022, 5:07 PM
Joey
12/09/2022, 5:15 PM
definition user {}
definition document {
    relation admin: user
    relation restricted: user:*
    relation viewer: user
    permission view = (viewer - restricted) + admin
}
Joey
12/09/2022, 5:15 PM
`restricted` empty
Joey
12/09/2022, 5:15 PM
`user:*`, causing `viewer - restricted` to be empty
Joey
12/09/2022, 5:16 PM
definition user {}
caveat not_restricted(is_restricted bool) {
    !is_restricted
}
definition document {
    relation admin: user
    relation viewer: user with not_restricted
    permission view = viewer + admin
}
Joey
12/09/2022, 5:16 PM
`is_restricted` would be passed into the `CheckPermission` request