Howdy all! I'm evaluating using SpiceDB/Authzed as our central permission service. Like many others, I'm trying to wrap my head around how to use ZedTokens. So I have a couple of questions:
1. As I understand it, the canonical example of using ZedTokens is something like this: user Alice has access to document X and at some point you remove Alice's access to this document. If you then afterwards proceed to update the contents of the document, you want to store a ZedToken with that document that is at least as up-to-date as the moment the content of the doc was changed so that when a permission check for that doc is made for Alice, you can pass that ZedToken when doing a Check with SpiceDB (or use full_consistent) which guarantees that Alice's access removal from the doc (that happened before the content change) is honored.
Question: What call to SpiceDB do you do when updating the document contents to get a fresh ZedToken?
2. How does it work when you have a certain permission to be able to delete a document and you remove that permission from Alice? As the content of that particular doc has not changed, there was no need to store an up-to-date ZedToken. How do you still make sure Alice doesn't delete the doc within the 5 seconds after her permission to do so was removed?
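
The scenario in the post, as an added toy model that is not part of the original post and is not SpiceDB code or its API: revision indexes stand in for ZedTokens, and the 5-second window is modeled as a check that may answer from a revision up to 5 seconds old. All class, method and parameter names are hypothetical.

```python
# Toy model (constructed for illustration; not SpiceDB code or its API).
STALENESS = 5.0  # seconds: the window mentioned in the post

class ToyPermissionStore:
    def __init__(self):
        self.revisions = [(0.0, frozenset())]  # (commit time, relationships)

    def write(self, now, add=(), remove=()):
        """Commit a new revision; its index stands in for a ZedToken."""
        rels = (set(self.revisions[-1][1]) | set(add)) - set(remove)
        self.revisions.append((now, frozenset(rels)))
        return self.head()

    def head(self):
        """Index of the newest committed revision."""
        return len(self.revisions) - 1

    def _cached(self, now):
        """Newest revision that is at least STALENESS seconds old."""
        idx = 0
        for i, (committed, _) in enumerate(self.revisions):
            if committed <= now - STALENESS:
                idx = i
        return idx

    def check(self, now, rel, at_least=None, fully_consistent=False):
        """Evaluate rel at the cached revision, or at a fresher one on request."""
        if fully_consistent:
            idx = self.head()
        else:
            idx = max(self._cached(now), at_least or 0)
        return rel in self.revisions[idx][1]

def scenario():
    store = ToyPermissionStore()
    alice = ("document:X", "viewer", "user:alice")
    store.write(now=0.0, add=[alice])
    store.write(now=100.0, remove=[alice])   # Alice's access is removed
    doc_token = store.head()                 # t=101: content edited, token stored
    return {
        # Check at t=102 without a token: may use the revision from before t=97.
        "cached": store.check(102.0, alice),
        # Same check, but no staler than the token stored with the document.
        "with_token": store.check(102.0, alice, at_least=doc_token),
        "full": store.check(102.0, alice, fully_consistent=True),
        # Once the window has passed, the cached revision includes the removal.
        "after_window": store.check(106.0, alice),
    }
```
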