• user

    9 months ago
    I'm pretty sure there is not an issue, but we may have sketched out an internal design doc.
  • user

    9 months ago
    If you create one, we'll scrape up our thoughts and add them
  • vroldanbet

    9 months ago
    I'll do that 👌🏻
  • vroldanbet

    9 months ago
    Happy weekend! 👋🏻
  • cjs

    9 months ago
    Hi! I'm on the GitHub team working on modeling our authz with spicedb, and had a question about "self" relationships. A resource can live under an organization or a user (think repos or packages). In order to see if a user can create a resource under an organization, it's simple to model it with a member check.
    definition github/organization {
      ...
      permission create_resource = membership
    }
    I'm looking at the user owned case, and want to limit creating resources owned by the user to the user only. Is there a self relationship available in the schema language? I'd like to be able to define:
    definition github/user {
      ...
      permission create_resource = self
    }
    And then have an assertion:
    assertTrue:
      - github/user:cjs#create_package@github/user:cjs
    assertFalse:
      - github/user:cjs#create_package@github/user:rando
    The alternative is to define a container that can be owned by a user (or org) that holds the create_resource permissions.
  • Jake

    9 months ago
    for quay we did this in a container called namespace
  • Jake

    9 months ago
    there is no "self" relationship as such, though you could define one but then you would need to actually bind the user to itself using that relation name
  • Jake

    9 months ago
    create relationship("github/user:cjs", "self", "github/user:cjs")
  • Jake

    9 months ago
    having the namespace container is really convenient for converting users to orgs
  • cjs

    9 months ago
    I like the namespace concept better. You're not creating a resource on the user, but in the user's namespace.