https://authzed.com logo
#spicedb
Title
# spicedb
n

niodice

09/12/2022, 11:41 PM
Looking for guidance on how I might model some relationships. Suppose I have a
foo
object and I am granting
view
permissions on a
foo
based on the visibility of the
foo
(where visibility is an application logic, and could be
only_me
,
friends
, or
everyone
. I have a sample schema that works
Copy code
definition foo {
  relation token: token
  relation friends: foo

  // representing the visibility settings of `foo`. Only 1 of these relations should be logically set at any given time.
  relation viz_me: foo
  relation viz_friends: foo
  relation viz_everyone: token:*

  // intermediary results
  permission friends_tokens = friends->token

  permission view = (viz_everyone + viz_me->token + viz_friends->friends_tokens)
}
But it is a little bit clunky. Suppose for example that a
foo
is configured in the application as
only_me
visibility -- meaning that only tokens with the
token
relation can view it. If that changes to
friends
, then I need to: - Check if
viz_me
or
viz_everyone
is set, and un-set it - Set
viz_friends
relation This pattern is common in our application and so I'm looking for a way to effectively work with this pattern. Ideally, I'd like to set just one relation and update it with something that represents the set of tokens. I think that this would be possible if I could write a statement like this:
Copy code
definition foo {
  relation token: token
  relation friends: foo

  relation viz_tokens: token

  permission view = viz_tokens
}
And set the
viz_tokens
, when writing the relationship, to something like
token:*
, or
$THIS->token
, or
$THIS->friends->token
. That way I get an atomic update, and don't need to worry about managing the fact that
Only 1 of these relations should be logically set at any given time.