Vishnu Prasad
05/15/2024, 5:11 AM
vroldanbet
05/15/2024, 8:39 AM
Vishnu Prasad
05/15/2024, 9:31 AM
definition repository {
    relation read: user
    relation write: user
    is_hidden: bool
    permission view: (read & !is_hidden) + editor
    permission edit: editor
}
If I use caveats on the relationship, I'll have to read and update the caveat on all read relationships for the given 'repository' whenever is_hidden is set to true or false.
I am wondering if there is a cleaner way to achieve this without having to update multiple read edges when one caveat is getting updated.
vroldanbet
05/15/2024, 10:31 AM
definition repository {
    relation read: user
    relation write: user
    relation is_visible: user:*
    permission view = (read & is_visible) + editor
    permission edit = editor
}
Vishnu Prasad
05/16/2024, 4:22 AM
schema: |-
  definition user {}
  caveat is_visible(visible bool) {
    visible
  }
  definition resource {
    relation write: user
    relation read: user
    relation read_with_caveat: user with is_visible
    relation is_visible: user:*
    permission edit = write
    permission view_with_wildcard = (read & is_visible) + write
    permission view_with_cavevat = read_with_caveat + write
  }
relationships: |-
  resource:visible_object#is_visible@user:*
  resource:hidden_object#write@user:write_user
  resource:hidden_object#read@user:read_user1
  resource:hidden_object#read@user:read_user2
  resource:hidden_object#read_with_caveat@user:read_user1[is_visible:{"visible":false}]
  resource:hidden_object#read_with_caveat@user:read_user2[is_visible:{"visible":false}]
  resource:visible_object#write@user:write_user
  resource:visible_object#read@user:read_user1
  resource:visible_object#read@user:read_user2
  resource:visible_object#read_with_caveat@user:read_user1[is_visible:{"visible":true}]
  resource:visible_object#read_with_caveat@user:read_user2[is_visible:{"visible":true}]
assertions:
  assertTrue:
    - resource:hidden_object#view_with_wildcard@user:write_user
    - resource:visible_object#view_with_wildcard@user:write_user
    - resource:visible_object#view_with_wildcard@user:read_user1
    - resource:visible_object#view_with_wildcard@user:read_user2
    - resource:visible_object#view_with_cavevat@user:read_user1
    - resource:visible_object#view_with_cavevat@user:read_user2
  assertFalse:
    - resource:hidden_object#view_with_wildcard@user:read_user1
    - resource:hidden_object#view_with_wildcard@user:read_user2
    - resource:hidden_object#view_with_cavevat@user:read_user1
    - resource:hidden_object#view_with_cavevat@user:read_user2
validation: null
vroldanbet
05/16/2024, 7:41 AM