winstaan
04/27/2023, 5:18 PM
A folder can be assigned to a user, who then has the can_manage permission on it and all descendants. Pretty standard stuff, but the quirk is that an assignee should remove permission from any assignee made further up the tree. I have this schema -
definition user {}

definition platform {
    relation default_assignee: user
    permission can_manage = default_assignee
}

definition folder {
    relation parent: folder | platform
    relation direct_assignee: user
    // this permission should traverse to parent->can_manage only if the direct_assignee relationship is empty
    permission can_manage = direct_assignee + parent->can_manage
}

definition file {
    relation parent: folder
    permission can_manage = parent->can_manage
}
( https://play.authzed.com/s/mPTg5isqHSCb/schema has this, test data and assertions for the desired behaviour).
I'm stumped on how to express folder.can_manage - '+' isn't right. Any hints gratefully received 🙂
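One way to get the override behaviour, shown here as an added example that is not part of the original post or of the linked playground: keep '+' for the direct assignee, but subtract a wildcard "blocker" relation from the inherited branch. The schema language has no operator that tests whether a relation is empty, so the application records the override explicitly. The relation name inherit_blocked, the object ids and the expected check results below are assumptions made for this example.

```zed
definition user {}

definition platform {
    relation default_assignee: user
    permission can_manage = default_assignee
}

definition folder {
    relation parent: folder | platform
    relation direct_assignee: user
    // Assumption (added example): the application writes `user:*` here on the same
    // folder, in the same WriteRelationships call as direct_assignee, and deletes
    // both together. A wildcard subject on the right-hand side of `-` removes every
    // user from the inherited branch, so only this folder's direct assignees remain.
    relation inherit_blocked: user:*
    permission can_manage = direct_assignee + (parent->can_manage - inherit_blocked)
}

definition file {
    relation parent: folder
    permission can_manage = parent->can_manage
}

// Constructed test data (not from the playground link above):
//   platform:main#default_assignee@user:admin
//   folder:root#parent@platform:main
//   folder:root#direct_assignee@user:alice
//   folder:root#inherit_blocked@user:*
//   folder:team#parent@folder:root
//   folder:team#direct_assignee@user:bob
//   folder:team#inherit_blocked@user:*
//   folder:other#parent@folder:root
//   file:report#parent@folder:team
//
// Expected checks under this schema:
//   folder:root#can_manage@user:admin   -> false  (blocked at folder:root)
//   folder:root#can_manage@user:alice   -> true   (direct assignee)
//   folder:other#can_manage@user:alice  -> true   (no direct assignee, inherits from root)
//   folder:other#can_manage@user:admin  -> false  (already blocked at root)
//   file:report#can_manage@user:bob     -> true   (direct on nearest folder)
//   file:report#can_manage@user:alice   -> false  (blocked at folder:team)
```

The point to check before adopting this: the blocker and the direct assignee must be written and deleted as one atomic write, otherwise there is a window in which either nobody can manage the subtree (blocker present, no assignee) or the parent's assignee still can (assignee present, no blocker). If the playground assertions are pasted in with the relationships above, the checks listed in the comment can be confirmed there.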