# spicedb

bryana

12/03/2021, 4:58 PM
I have a quick question about the idea of validations with spiceDB. I’m wondering what the guidance is to include validations as part of permissions in the schema vs. doing them at the time relationships are generated, e.g. the data is written. Let me give you an example… I’m implementing the idea of a ‘repository unlock’ where a staff user is given access to a repository. All I really need to know is that the user has been granted this ‘repo unlock’ to assign them some permission, which looks like:
```
definition github/repository_unlock {
    relation unlocker: github/user

    permission access = unlocker
}

definition github/repository {
    relation unlock: github/repository_unlock
    permission manage_settings = unlock->access
}
```
However, there is a validation that says that a user cannot have a repo unlock unless they are a staff member. I think I could model that by:
```
definition github/site {
    relation staff_member: github/user
    permission staff_access = staff_member
}

definition github/repository_unlock {
    relation unlocker: github/user
    relation site: github/site

    permission access = unlocker & site->staff_access
}
```
That, however, comes with the big tradeoff that I have to create a relationship for every repository_unlock object to the site (I think a wildcard would help here but that’s another story). If I removed this staff member “validation” in the permission check it is something I could check instead at the point I’m generating the repository_unlock unlocked relations and leave it out of the schema. WDYT?