Joey (12/03/2021, 8:59 PM): & `site->staff_member` if you think you'll need the site for other things

bryana (12/03/2021, 8:59 PM):

Joey (12/03/2021, 8:59 PM):

Joey (12/03/2021, 8:59 PM):

Joey (12/03/2021, 8:59 PM):

Joey (12/03/2021, 8:59 PM):

bryana (12/03/2021, 9:00 PM):

bryana (12/03/2021, 9:00 PM):

Joey (12/03/2021, 9:01 PM):

Joey (12/03/2021, 9:01 PM):

Bryan (12/04/2021, 1:48 AM):
```
definition role {
  relation member: user
}
definition repo {
  relation delete_issuer: role#member
  permission delete_issue = delete_issuer
}
```
will work. The style of grouping this schema models doesn't fit the use case I'm trying to model 😅 I've attached a diagram to (hopefully) help explain how custom roles are modeled at GitHub.

GitHub has a notion of a `UserRole` which creates a link between a user `monalisa`, a repo `repo1`, and a role `repo_manager`. The permissions that `repo_manager` grants `monalisa` are valid only on `repo1`. A different user `geoff` can get the role `repo_manager` on a different repo `repo2`. The two grants are independent of each other. At this point, `monalisa` has no permissions on `repo2`. Likewise, `geoff` has no permissions on `repo1`. I attempted to model this in the attached diagram.

Using the schema above, here's how `monalisa` could get the `repo_manager` role for `repo1`. First make `monalisa` a member of `repo_manager`:
```
role:repo_manager#member@user:monalisa
```
Next, let `repo_manager` members have the `delete_issuer` relationship for `repo1`:
```
repo:repo1#delete_issuer@role:repo_manager#member
```
The same thing can be done for `geoff` to give them the `repo_manager` role on `repo2`. We can check to make sure `monalisa` has the `delete_issue` permission on `repo1` and `geoff` has the `delete_issue` permission on `repo2`:
```
assertTrue:
  - repo:repo1#delete_issue@user:monalisa
  - repo:repo2#delete_issue@user:geoff
```
We can also check to make sure `monalisa` has no permissions on `repo2` and `geoff` has no permissions on `repo1`:
```
assertFalse:
  - repo:repo2#delete_issue@user:monalisa
  - repo:repo1#delete_issue@user:geoff
```
Uh-oh, these don't pass! `monalisa` has access to `repo2` and `geoff` has access to `repo1`. 🙀

Bryan (12/04/2021, 1:48 AM):

Joey (12/04/2021, 1:52 AM):

Joey (12/04/2021, 1:57 AM):

Joey (12/04/2021, 2:43 AM): `role_manager` is a defined Github role type), and it's per user per repo, you can do something like this: https://play.authzed.com/s/Ci8GGHHCNeg3/schema

Bryan (12/04/2021, 3:17 AM): `read`, `write`, `admin`, etc. They are a set of permissions which GitHub decides and they cannot be changed. Your playground is an excellent example of how we can model those. The difficult situations come with custom roles. Orgs can have custom roles, which are roles that represent a collection of permissions that the org admins can hand-pick.

So if a user has the `write` role on a repo, I can follow your playground and make a `write` role a relation on the `repository` definition. But if a user has a custom role, it's trickier. I can't write it directly into the schema like `write` because I don't know the permissions the custom role allows. The custom role can have permissions dynamically added and removed at the org admins' discretion.

Joey (12/04/2021, 3:21 AM):

Joey (12/04/2021, 3:21 AM):

Joey (12/04/2021, 3:22 AM):

Bryan (12/04/2021, 4:44 AM):

benz (12/06/2021, 4:45 PM):

Joey (12/06/2021, 4:50 PM): `create_permission` include the users who have permission to create an issue comment on the parent project?

benz (12/06/2021, 5:16 PM):

Joey (12/06/2021, 5:22 PM):

benz (12/07/2021, 2:31 AM):

user (12/07/2021, 6:03 PM):

Jake (12/07/2021, 6:03 PM): `spicedb migrate`

user (12/07/2021, 6:04 PM):

Jake (12/07/2021, 6:04 PM):

Jake (12/07/2021, 6:04 PM):