Bryan
12/04/2021, 1:48 AM
```
definition role {
    relation member: user
}

definition repo {
    relation delete_issuer: role#member
    permission delete_issue = delete_issuer
}
```
will work. The style of grouping this schema models doesn't fit the use case I'm trying to model 😅 I've attached a diagram to (hopefully) help explain how custom roles are modeled at GitHub.
GitHub has a notion of a `UserRole` which creates a link between a user `monalisa`, a repo `repo1`, and a role `repo_manager`. The permissions that `repo_manager` grants `monalisa` are valid only on `repo1`. A different user `geoff` can get the role `repo_manager` on a different repo `repo2`. The two grants are independent of each other. At this point, `monalisa` has no permissions on `repo2`. Likewise, `geoff` has no permissions on `repo1`. I attempted to model this in the attached diagram.
Using the schema above, here's how `monalisa` could get the `repo_manager` role for `repo1`. First make `monalisa` a member of `repo_manager`:
```
role:repo_manager#member@user:monalisa
```
Next, let `repo_manager` members have the `delete_issuer` relationship for `repo1`:
```
repo:repo1#delete_issuer@role:repo_manager#member
```
The same thing can be done for `geoff` to give them the `repo_manager` role on `repo2`. We can check to make sure `monalisa` has the `delete_issue` permission on `repo1` and `geoff` has the `delete_issue` permission on `repo2`:
```
assertTrue:
- repo:repo1#delete_issue@user:monalisa
- repo:repo2#delete_issue@user:geoff
```
We can also check to make sure `monalisa` has no permissions on `repo2` and `geoff` has no permissions on `repo1`:
```
assertFalse:
- repo:repo2#delete_issue@user:monalisa
- repo:repo1#delete_issue@user:geoff
```
Uh-oh, these don't pass! `monalisa` has access to `repo2` and `geoff` has access to `repo1`. 🙀