# spicedb

vroldanbet

11/10/2021, 12:16 PM
Hi y'all! Was having a look at https://github.com/authzed/spicedb/issues/1 and was looking at workarounds until support for the "public" keyword is added. Joseph describes an approach in "Provide guidance on how customers can implement it themselves". I found that forcing callsites to perform 2 checks is flawed, as it leaks implementation details and could be easily overlooked by devs. I have an alternative that, while it also comes with its own set of tradeoffs, addresses the "multiple check"; wanted to bounce it and see what your thoughts are. Didn't actually try it out in the playground.
```
definition user {}

// Singleton group that stands in for "everyone"
definition allusers {
  relation member: user
}

definition video {
  relation viewer: user
  relation public: allusers

  // direct viewers, plus every member of the linked allusers object
  permission view = viewer + public->member
}

allusers:0#member@user:userA
video:X#public@allusers:0

if authzed.check(video('X').view, userA):
  ...
```
Tradeoff:
- data redundancy: a relation must be added for each new user in the system
- anonymous users need to be modelled as a singleton user