# spicedb
d
Hi all! I've got a slight problem with the schema we're running and was wondering if anyone could help?
definition veed/project {
  relation workspace: veed/workspace
  relation folder: veed/folder

  permission membership = ((workspace - folder) & workspace->editor) + folder->read_projects
}
My attempt in English, we're trying to achieve:
* If there's a workspace but no folder relation: use workspace->editor
* OR there's a folder relation, use the folder->read_projects permission

We're trying to use the exclusion operator so that projects that aren't in a folder use the workspace->editor permission. If they are in a folder we want them to use the folder->read_projects permission.

The reason for the schema is our app has a top level workspace and sub-level folders that each can contain specific permissions for specific users. A user will always be in a workspace, but doesn't always have access to a folder.

This schema kind of works. So when creating a project and assigning both the workspace and folder relation our tests work. However, when only assigning a workspace relation (imagine a top level project not in a folder) and no folder, both access checks return false (when we would expect it to return true).

Are we missing something obvious here? Thanks! 🙏
y
are you sure you need the exclusion operator? like is there a reason this isn't just
workspace->editor + folder->read_projects
?
d
the problem with that is it would give users that are at the workspace level access to all projects in folders that they might not have permission to access. because workspace->editor will always be true. we kind of want a hierarchy, workspace->editor would be a fallback if the folder relation isn't set on the project. At that point we'd assume the project is at the workspace level and available to everyone.
hope that makes sense, thanks for taking a look!
would caveats be the correct thing to use here maybe? nvm
y
can you put together a repro in a playground and share it here?