alexkorotkikh
03/03/2022, 7:03 PM

definition org {
relation admin: user
relation member: user
relation partner: partner
permission view = admin + member + partner
}
definition user {
relation self: user
relation org: org
permission view = self + org->admin + org->partner
}
definition partner {}
definition transaction {
relation org: org
relation user: user
permission view = user + org->admin + org->partner
permission edit = user + org->admin
}
We are trying to answer the question "who can view transactions". The idea is that a transaction can be viewed by the user who made it, by the admin of the org to which this transaction belongs, and by the partner of the org. As long as we are talking about referencing a transaction by id, everything is clear: for the set of relationships
org:foo#partner@partner:bar
transaction:baz#org@org:foo
the assertion transaction:baz#view@partner:bar evaluates to true.
What is not clear is how it should work for the use case where we get multiple transactions based on some filters and pagination. I've read about the Lookup API and found this article https://authzed.com/blog/acl-filtering-in-authzed/, but it's not clear how the workflow should actually look. Let's extend the example above with one more org-to-partner relationship and one more transaction for this org:
org:qux#partner@partner:bar
transaction:quuz#org@org:qux
Now let's say that partner:bar requests to view all the transactions of org:qux. If I use the Lookup API to get the list of all transactions that this partner has access to, I will receive 2 transaction ids, transaction:baz and transaction:quuz.