spicedb
- j
Joey
12/20/2022, 4:07 AMwhat relationships did you write? - d
dabeast
12/20/2022, 4:20 AMI wrote: - d
dabeast
12/20/2022, 4:20 AMgroup:x#member@user:a group:x#manager@user:b - j
Joey
12/20/2022, 4:22 AMdefinition user { relation member_group : group - j
Joey
12/20/2022, 4:22 AM
needs to be written as wellmember_group - d
dabeast
12/20/2022, 4:22 AMI did that too - d
dabeast
12/20/2022, 4:23 AMdefinition user { relation member_group: group permission can_be_viewed = member_group->manager } - j
Joey
12/20/2022, 4:25 AMyou need to write the relationships formember_group - d
dabeast
12/20/2022, 4:29 AMah - d
dabeast
12/20/2022, 4:30 AMDid it but still no luck - j
Joey
12/20/2022, 4:42 AMpermission can_be_viewed = member_group->view_member - j
Joey
12/20/2022, 4:42 AMnot->manager - d
dabeast
12/20/2022, 4:46 AMDid the following:- - d
dabeast
12/20/2022, 4:46 AMdefinition group { relation manager: user relation member: user permission view_member = manager + member } definition user { relation member_group: group permission can_be_viewed = member_group->view_member } - d
dabeast
12/20/2022, 4:47 AMwith:- - d
dabeast
12/20/2022, 4:47 AMrelationships: |- group:x#member@user:a group:x#manager@user:b user:b#member_group@group:x user:a#member_group@group:x - d
dabeast
12/20/2022, 4:47 AMHowever, still getting:- - d
dabeast
12/20/2022, 4:48 AM192:~ $ zed permission lookup-resources group view_member user:b x 192:~ $ zed permission lookup-resources group view_member user:a x - j
Joey
12/20/2022, 4:57 AMyes - j
Joey
12/20/2022, 4:57 AMit is correctly returning groupx - j
Joey
12/20/2022, 4:57 AMyou're asking which groups can the user view - j
Joey
12/20/2022, 4:57 AMand the answer is{x} - d
dabeast
12/20/2022, 5:12 AM192:~ $ zed permission lookup-resources user can_be_viewed user:a b a 192:~ $ zed permission lookup-resources user can_be_viewed user:b a b - d
dabeast
12/20/2022, 5:14 AMSorry, here is the right call. Looking at the schema, there is no special value given to the manager relation, so it makes sense. - d
dabeast
12/20/2022, 5:14 AMBut, doesn't solve the problem. - j
Joey
12/20/2022, 5:16 AMI'm still not clear what the problem is, exactly - d
dabeast
12/20/2022, 5:20 AMGiven the same lookup-resources API call, I'd like user b, a group manager, to see both a and b but user a, a group member, to only see user a. This is to "hide" user b from user a. - d
dabeast
12/20/2022, 5:25 AM
b a192:~ $ zed permission lookup-resources user can_be_viewed user:a 192:~ $ zed permission lookup-resources user can_be_viewed user:b - j
Joey
12/20/2022, 5:25 AMNever mind, I need to think it through more - d
dabeast
12/20/2022, 5:26 AM🙂 It is hurting my brain. I was hoping relations could do this, but am worried this can only be achieved with an attribute?