winstaan

04/27/2023, 5:18 PM
Hi, I'm trying to model a hierarchy of folders where any `folder` can be assigned to a user - who then has the `can_manage` permission on it and all descendants. Pretty standard stuff, but the quirk is that an assignee should remove permission from any assignee made further up the tree. I have this schema -
```
definition user {}

definition platform {
    relation default_assignee: user

    permission can_manage = default_assignee
}

definition folder {
    relation parent: folder | platform
    relation direct_assignee: user

    // this permission should traverse to parent->can_manage only if direct_assignee relationship is empty
    permission can_manage = direct_assignee + parent->can_manage
}

definition file {
    relation parent: folder

    permission can_manage = parent->can_manage
}
```
(https://play.authzed.com/s/mPTg5isqHSCb/schema has this, test data and assertions for the desired behaviour). I'm stumped on how to express `folder.can_manage` - '+' isn't right. Any hints gratefully received 🙂
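The gap between the posted schema and the behaviour asked for, as an added example that is not part of the original post and is not SpiceDB code: a small Python model that evaluates `can_manage` both ways over the same relationships. The object IDs, user names and function names are constructed for illustration; only the relation names come from the schema above.

```python
# Constructed sample relationships mirroring the schema's relations.
PARENT = {  # resource -> its `parent`
    "folder:root": "platform:main",
    "folder:projects": "folder:root",
    "folder:secret": "folder:projects",
    "file:readme": "folder:projects",
    "file:plan": "folder:secret",
}
ASSIGNEES = {  # `default_assignee` on platform, `direct_assignee` on folder
    "platform:main": {"alice"},
    "folder:projects": {"bob"},
    "folder:secret": {"carol"},
}


def path_to_root(resource):
    """Yield the resource and each ancestor, stopping if the data loops."""
    seen = set()
    while resource is not None and resource not in seen:
        seen.add(resource)
        yield resource
        resource = PARENT.get(resource)


def managers_union(resource):
    """What `direct_assignee + parent->can_manage` grants:
    every assignee found anywhere on the path to the platform."""
    users = set()
    for node in path_to_root(resource):
        users |= ASSIGNEES.get(node, set())
    return users


def managers_override(resource):
    """The behaviour the post asks for: the nearest non-empty
    assignment wins; ancestors count only while nothing is assigned."""
    for node in path_to_root(resource):
        direct = ASSIGNEES.get(node, set())
        if direct:
            return set(direct)
    return set()


def over_granted(resource):
    """Users the union grants that the override rule would not."""
    return managers_union(resource) - managers_override(resource)
```

Running `over_granted` over every resource in a test data set lists exactly the user and resource pairs where the `+` form gives more access than the intended rule, which is what the assertions in the linked playground need to cover.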