https://authzed.com logo
Join Discord
Powered by
Hi folks in spiceBb is there a way we
# spicedb
v
Hi folks in spiceBb is there a way we can add attributes to a Node I know we can use caveats on relationships. But what if i need an attribute on the node itself?
v
Hi, no, in SpiceDB there is no notion of attributes in a node. What are you trying to achieve?
v
Am trying to achieve something like this
Copy code
definition repository {
    relation read: user
    relation write: user
    is_hidden: bool
    permission view: (read & !is_hidden) + editor
    permission edit: editor
}
If i use caveats on the relationship I'll have to read and update the caveat on all read relationships for the given 'repository' with is_hidden is true or false. Am wondering if there is a cleaner way to achieve this without having to update multiple read edges when one caveat is getting updated.
v
yeah that's not how caveats are designed. Caveats are applied on the relationship, not on the permission. This can be implemented without caveats using the wildcard:
Copy code
definition repository {
    relation read: user
    relation write: user
    is_visible: user:*

    permission view: (read & is_visible) + editor
    permission edit: editor
}
v
@vroldanbet Thank you got the below working. Just wondering what would be a better approach to take between the both
Copy code
schema: |-
  definition user {}
  caveat is_visible(visible bool) {
      visible
  }
  definition resource {
    relation write: user
    relation read: user
      relation read_with_caveat: user with is_visible
    relation is_visible: user:*
    permission edit = write
    permission view_with_wildcard = (read & is_visible) + write
    permission view_with_cavevat = read_with_caveat + write
  }
relationships: |-
  resource:visible_object#is_visible@user:*
  resource:hidden_object#write@user:write_user
  resource:hidden_object#read@user:read_user1
  resource:hidden_object#read@user:read_user2
  resource:hidden_object#read_with_caveat@user:read_user1[is_visible:{"visible":false}]
  resource:hidden_object#read_with_caveat@user:read_user2[is_visible:{"visible":false}]
  resource:visible_object#write@user:write_user
  resource:visible_object#read@user:read_user1
  resource:visible_object#read@user:read_user2
  resource:visible_object#read_with_caveat@user:read_user1[is_visible:{"visible":true}]
  resource:visible_object#read_with_caveat@user:read_user2[is_visible:{"visible":true}]
assertions:
  assertTrue:
    - resource:hidden_object#view_with_wildcard@user:write_user
    - resource:visible_object#view_with_wildcard@user:write_user
    - resource:visible_object#view_with_wildcard@user:read_user1
    - resource:visible_object#view_with_wildcard@user:read_user2
    - resource:visible_object#view_with_cavevat@user:read_user1
    - resource:visible_object#view_with_cavevat@user:read_user2
  assertFalse:
    - resource:hidden_object#view_with_wildcard@user:read_user1
    - resource:hidden_object#view_with_wildcard@user:read_user2
    - resource:hidden_object#view_with_cavevat@user:read_user1
    - resource:hidden_object#view_with_cavevat@user:read_user2
validation: null
v
@Vishnu Prasad definitely avoid using caveats unless strictly necessary - you'll get more performance out of the pure relationship based approach
2 Views
PreviousNext
Powered by