# spicedb
g
Hi, I want to use lookupResources to get all documents that fulfill two requirements: 1.) The user has permission for the document. 2.) The document has a specific permission (relation) to another document. Of course, I can use lookupResources twice and get the intersection of both responses. Is this the best way to do it or would it be possible to do this with only one call? I looked into Caveats, but it does not seem to be possible to use a permission check (the document to document permission in this case) within a caveat.
v
Hi @User, what do you think about this?
definition user {}

definition document {
    relation parent_document: document#primary
    relation viewer: user
    relation primary: user:*

    permission view = viewer & parent_document
}
The document has a relation to another document that is tagged as a "primary" document. That document has a "primary" relation which is a wildcard we can intersect with.
- if the parent_document does not exist, the document won't show up in the LookupResources call
- if the parent_document exists and has the "primary" flag enabled, it will show up in the LookupResources call
g
Thank you for your response. If I understand it correctly, I don't think this approach will work for my use case. I am currently using the following schema to look up all children of a document. When I want to look up all resources a user has access to, I would like to use this information to get only the children of a specific document. For this, I would need to input a "parent document ID" into the lookupResources request and use the permission "is_ancestor" as a caveat.
definition document {
    relation direct_child: document
    relation parent: document

    // The relationship of a document to all its children, grand children, and so forth.
    permission is_ancestor = parent + parent->is_ancestor
}
v
You cannot do this today. What you want is to scope down the response of LookupResources to a subset of the graph. This feature request is described in https://github.com/authzed/spicedb/issues/1317. If you were OK with filtering on the client side the children of a specific document, I think you can implement this trivially by using recursion:
definition user {}

definition document {
    relation parent: document
    relation viewer: user
    
    permission view = viewer + parent->view 
}
g
Yes, that is exactly what I want. Thank you for your confirmation that I did not miss anything and for pointing me to the feature request.
v
Feel free to add your requirements to the issue and thumb it up!
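The client-side filtering suggested in the thread, as an added example that is not part of the original conversation and not SpiceDB's own code: it narrows a list of viewable document IDs to the descendants of one parent document. The function names, document IDs and in-memory edge list are assumptions; in practice the IDs would come from a LookupResources response and the edges from the stored `parent` relationships.

```python
from collections import defaultdict, deque

# Constructed sample data. Each pair is (child_id, parent_id), i.e. the
# relationship document:<child>#parent@document:<parent> in the schema above.
PARENT_EDGES = [
    ("chapter1", "handbook"),
    ("chapter2", "handbook"),
    ("section1a", "chapter1"),
    ("appendix", "archive"),
    ("handbook", "section1a"),  # deliberate cycle: traversal must still end
]

# Constructed stand-in for the resource IDs one LookupResources call returned
# for permission "view" and a single user.
VIEWABLE = ["chapter1", "section1a", "appendix", "handbook", "memo"]


def descendants_of(root_id, parent_edges):
    """Return every document below root_id (children, grandchildren, ...)."""
    children = defaultdict(set)
    for child, parent in parent_edges:
        children[parent].add(child)
    seen = set()
    queue = deque([root_id])
    while queue:
        current = queue.popleft()
        for child in children.get(current, ()):
            if child not in seen:  # guards against cycles and shared parents
                seen.add(child)
                queue.append(child)
    # Design choice: the root is never reported as its own descendant,
    # even when bad data makes the hierarchy cyclic.
    seen.discard(root_id)
    return seen


def filter_to_subtree(viewable_ids, root_id, parent_edges):
    """Keep only viewable IDs under root_id, preserving the input order.

    This only narrows the set SpiceDB already authorized; it never adds IDs.
    """
    subtree = descendants_of(root_id, parent_edges)
    return [doc_id for doc_id in viewable_ids if doc_id in subtree]


if __name__ == "__main__":
    print(filter_to_subtree(VIEWABLE, "handbook", PARENT_EDGES))
```

Because the result is an intersection with the IDs SpiceDB returned, a stale or incomplete edge list can hide documents but cannot expose one the user is not permitted to view.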