844600078504951838 #spicedb

Channels

Joey

12/20/2022, 2:09 AM

view_member

is either true or false for a particular resource and subject

dabeast

12/20/2022, 2:30 AM

Ok. But is there a way to instantiate the following expected relations:-

user:a#view_member:
- “[user:a] is <group:x#member>"
- “[user:b] is <group:x#manager>”
user:b#view_member:
- “[user:b] is <group:x#manager>”

dabeast

12/20/2022, 2:31 AM

(this effectively "hides" user b from user a using the same

view_member

permission)

Joey

12/20/2022, 2:42 AM

not really; they both still have

view_member

permission

dabeast

12/20/2022, 2:43 AM

Ok. Would a

caveat

be appropriate here?

Joey

12/20/2022, 2:44 AM

the first goal is to frame the exact API request you'd like to make

Joey

12/20/2022, 2:44 AM

then I'd have more context to answer

dabeast

12/20/2022, 2:48 AM

Ok, here goes, I think my unfamiliarity with the notation is confusing things. I'd like to write a view of users that user a (who is the manager of a group) and user b (who is only a member) can use. In that view I want a and b to see {a} and {a,b} respectively. I thought I could write that view in an extensible way using the lookup-resources API by using one permission,

view_member

, but couldn't figure out how to, hence my question.

Joey

12/20/2022, 2:50 AM

lookup resources doesn't really exposes views; it simply says on which resources a particular subject has a particular permission

Joey

12/20/2022, 2:50 AM

I suppose you could use a caveat to adjust the results

Joey

12/20/2022, 2:50 AM

but it would be a non-standard approach

dabeast

12/20/2022, 2:50 AM

Ok. Is there a caveat that you would suggest?

Joey

12/20/2022, 2:50 AM

now if you defined a

can_be_viewed

permission on the user

Joey

12/20/2022, 2:51 AM

you could set up a schema where lookupresources returns all viewable users for a particular other user

dabeast

12/20/2022, 2:58 AM

Something like this?:-

definition user {
relation member_group : group#manager
permission can_be_viewed = member_group->group#view_member
}

Joey

12/20/2022, 2:58 AM

definition user {
 relation member_group : group
 permission can_be_viewed = member_group->view_member
}

Joey

12/20/2022, 2:58 AM

in theory

Joey

12/20/2022, 2:59 AM

can_be_viewed

will only be true for any user that shares a group with this user

Joey

12/20/2022, 2:59 AM

but that means across all groups

Joey

12/20/2022, 2:59 AM

so if the user is a member of groups A, B and C, then anyone in A, B or C will have

can_be_viewed

permission on that user

dabeast

12/20/2022, 3:14 AM

Am trying on the playground but not getting far. Any chance of a code example 🙂 or is this too non-standard?

Joey

12/20/2022, 3:17 AM

The schema above should work with the group defined as well

dabeast

12/20/2022, 3:22 AM

I tried

definition group {
relation manager: user
relation member: user
permission view_member = manager + member
}

but am not sure what the lookup-resources call should be

Joey

12/20/2022, 3:25 AM

Playground doesn’t run lookup resources currently

dabeast

12/20/2022, 3:27 AM

Putting it into local so I can run

zed

... Any thoughts on what my call should be?

Joey

12/20/2022, 3:28 AM

lookup user canbeviewed user:anotheruser

dabeast

12/20/2022, 3:42 AM

Hmm, didn't work.

dabeast

12/20/2022, 3:43 AM

zed permission lookup-resources user can_be_viewed user:b

gives no output

Joey

12/20/2022, 3:44 AM

Did you write the relationships?

dabeast

12/20/2022, 3:46 AM

Yes.