_thommas
10/23/2023, 10:38 AMvroldanbet
10/23/2023, 12:16 PMlock
status is of dynamic nature (e.g. in that it's not persisted in your applications database and it's determined at request time), I wouldn't model this with caveats. You can certainly do it, it' just not the right tool for the job.
I'm missing a bit of context of what you are trying to achieve, but assuming you want to unauthorize access to a locked resource, you can always do something like this
definition document {
relation viewer: user
relation locked: user:*
permission view = viewer - locked
}
What you achieve here is that by using the wildcard you can deny access to everybody by writing the to locked
._thommas
10/23/2023, 1:51 PM_thommas
10/23/2023, 1:56 PMFor:
- RootDocument
- If status is [SOME CUSTOM VALUE]
- For users with Workspace Role [SOME CUSTOM VALUE]
- If Collaborator Role [SOME CUSTOM VALUE]
- Allow 'comments'
For:
- Document
- If status is [SOME CUSTOM VALUE]
- For users with Workspace Role [SOME CUSTOM VALUE]
- If Collaborator Role is [SOME CUSTOM VALUE]
- Allow [‘complete_steps’, ’enter_data’, ‘create_comments’]
- If action allowed on document.rootDocument
And I'm like hold on satan. Don't worry, we'll design a system that can scale but let's solve the baby steps first._thommas
10/23/2023, 2:09 PMdefinition document {
relation viewer: user
relation locked: user:*
permission view = viewer - locked
}
If I understand well, I would need to create a locked relation between 'document:1234' and 'user:*' in the DB when I'm locking a document?
And that would work without caveat actually.Joey
10/23/2023, 2:58 PMvroldanbet
10/23/2023, 3:31 PMvroldanbet
10/23/2023, 3:32 PM