# spicedb
u
Hi all! I've created this schema where users are part of projects and they have edit or view access to certain apps inside that project. I want to know how I can get all the apps in a project which a user has access to.
definition coplanedev/app {
    relation editor: coplanedev/user
    relation viewer: coplanedev/user
    relation project: coplanedev/project
    permission edit = editor + project->editor + project->owner
    permission view = viewer + editor + project->viewer + project->owner + project->editor
}


definition coplanedev/project {
    relation owner: coplanedev/user
    relation editor: coplanedev/user
    relation viewer: coplanedev/user
}

definition coplanedev/user {}
v
👋🏻 @ukanwat in order to list the resources a subject has access to you use the LookupResources API method (https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupResources). That would give you "all the apps a user has view/edit permission", but across all projects, not a specific one. Other than post-filtering that list in the application, I'm not sure how that could be done, perhaps the rest of the authzed team can help here. I would perhaps suggest some changes to the schema to avoid duplication:
definition coplanedev/app {
    relation editor: coplanedev/user
    relation viewer: coplanedev/user
    relation project: coplanedev/project

    permission edit = editor + project->edit
    permission view = viewer + project->view + edit
}


definition coplanedev/project {
    relation owner: coplanedev/user
    relation editor: coplanedev/user
    relation viewer: coplanedev/user
    relation apps: coplanedev/app

    permission edit = owner + editor
    permission view = viewer + edit
}

definition coplanedev/user {}
u
I might add services other than apps so duplication is kind of a requirement. One must be able to set user permissions at the project level and the service levels (such as apps).
I watched the authzed youtube video where you guys talked about modelling github permissions and this is somewhat similar to that.
v
oh that duplication is fine, I was referring to the duplication going on on the app permission definition. What I did was refactoring that into its own permission at the project level, and reference that from the app permissions
u
Ah.. I didn't notice that. Thanks I didn't know you can reuse permissions.
v
np! it's essentially DRY and composition
u
Got it. For now I will do post-filtering but if a better solution comes up please let me know.
v
cc @Joey in case you have thoughts on how to scope down LookupResources results based on another relation ("return apps the user has access to in the context of a given container project") ☝️
j
you could add another relation listing the projects under an app, then lookup over that
u
could you explain a bit more?
j
definition coplanedev/project {
    relation owner: coplanedev/user
    relation editor: coplanedev/user
    relation viewer: coplanedev/user
    relation apps: coplanedev/app

    permission edit = owner + editor
    permission view = viewer + edit

    permission viewable_apps = apps->view
}
and issue LookupResources on viewable_apps
now, you'd probably want to optimize that a bit, but it should work
actually, sorry
you want the apps
not the projects
you'd need to create a combination resource if you wanted to get the apps themselves, which is a bit messy
u
Okay cool.