i'm not entirely sure it solves your SpiceDB #spicedb

i'm not entirely sure it solves your

yetitwo

03/14/2025, 1:47 PM

i'm not entirely sure it solves your problem, but one way to model "boolean" stuff is to have a relation from the object to itself

Copy code

definition resource {
  relation is_public: resource
  relation viewer: user
  permission view = viewer + is_public
}

and then you write

resource:1#is_public@resource_1

to enable that "flag"

matko031

03/17/2025, 10:01 PM

this would be useful, but I don't quite understand how is it supposed to work. If

resource:1#is_public@resource_1

is set, how exactly does

viewer + is_public

evaluate to all users since viewer and is_public are relationships with two different types?

yetitwo

03/17/2025, 10:03 PM

it doesn't matter - the union of the set of relations is nonempty, even though the types are different

Joey

03/17/2025, 10:05 PM

to evaluate to all users, you'd need to write a wildcard

Joey

03/17/2025, 10:06 PM

relation viewer: user | user:*

matko031

03/17/2025, 10:28 PM

Copy code

definition user {}

definition resource {
  relation is_public: resource
  relation viewer: user
  permission view = viewer + is_public
}

---

resource:resource1#is_public@resource:resource1

resource:resource1#viewer@user:user1
resource:resource2#viewer@user:user1

Here I have two resources and two users. user1 is viewer of both resources and user2 is viewer of non. resource1 has is_public flag set. But in case of both resources, only user1 (the viewer) can view it, so I don't quite understand what is is_public flag changing exactly? https://cdn.discordapp.com/attachments/1350103155039277067/1351321424224059422/image.png?ex=67d9f3a5&is=67d8a225&hm=f050ff3370ff8a54d730ea7184dbc0f1f42a9085dc87f0a3ed5872566bf66b51&

Joey

03/17/2025, 10:30 PM

it doesn't

Joey

03/17/2025, 10:30 PM

if you want to mark it as public, use a wildcard as I showed above ^

Joey

03/17/2025, 10:30 PM

and then only write the wildcard if it is public

yetitwo

03/17/2025, 10:33 PM

ah, then i was wrong there :/

yetitwo

03/17/2025, 10:33 PM

i may have been thinking of the use of it in intersection logic

matko031

03/17/2025, 10:36 PM

ah ok, but is there a way to do boolean flags or not? Ultimately I am working on a drive system where I have the following:

Copy code

definition archive {
    relation owner: team // archive has one owner that is a team
    relation administrators: user // archive has multiple adminstrators who are users

    /* Who can view the archive? */
    // setting this relationship for certain archive would enable any user to view it
    relation viewers: user:* 
    // administrators and owner team members can always view the archive
    permission view = administrators + owner->members + viewers

    /* Who can edit the archive? */
    // setting this relationship for certain archive would enable either any user to view it or members of a specific team to view it
    // Application logic should ensure this is only ever set for the owner team
    relation editors : user:* | team#members
    // administrators can always edit the archive
    permission edit = administrators + editors

    // Only administrators can delete the archive
    permission delete = administrators
}

I am a bit stuck at the

Copy code

// Application logic should ensure this is only ever set for the owner team
relation editors : user:* | team#members

and am wondering if there's a way to not have to enforce this in application logic but create a relation that would work something like this:

relation editors: user:* | owner#members

so that there is no possibility of some non-owner team to get the edit permission

Joey

03/17/2025, 10:44 PM

yes

Joey

03/17/2025, 10:44 PM

you can write a relationship from the same resource to itself, pointing to another relation or permission

Joey

03/17/2025, 10:44 PM

it works as a boolean

Joey

03/17/2025, 10:44 PM

but you also need that relation to point to subject(s)

matko031

03/17/2025, 10:48 PM

could you give me an example, cause I don't quite follow what you mean with

pointing to another relation or permission

Joey

03/18/2025, 11:30 AM

Copy code

definition resource {
  relation some_flag: resource#someotherrelation
  relation viewer: user
  relation someotherrelation: user
  permission view = viewer + some_flag
}

Joey

03/18/2025, 11:30 AM

write some_flag pointing to the resource's own

someotherrelation

IF it is enabled

matko031

03/19/2025, 10:12 PM

Amazing, thanks a lot! Just out of curiosity, when I do this everything works as expected:

Copy code

definition team {
    relation member: user // team has multiple members who are users
}

definition user {}

definition archive {
    relation owner: team // archive's owner is a team
    permission owner_member = owner->member
    
    relation archive_administrator: user // archive's administrator is an user
    
    /* Who can edit the archive? */
    // Setting this relationship for certain archive would enable the members of owner team to edit it
    relation owner_members_can_edit: archive#owner_member
    // administrators can always edit the archive
    permission edit = archive_administrator + owner_members_can_edit
}

--- 
archive:archive1#owner@team:team1
archive:archive1#owner_members_can_edit@archive:archive1#owner_member -> now members of team1 can edit archive1

matko031

03/19/2025, 10:12 PM

However, when I tried to do this, so that I don't have to create synthetic owner_member permission, it does not work:

Copy code

definition team {
    relation member: user // team has multiple members who are users
}

definition user {}

definition archive {
    relation owner: team // archive's owner is a team
    
    relation archive_administrator: user // archive's administrator is an user
    
    /* Who can edit the archive? */
    relation owner_members_can_edit: archive#owner
    // administrators can always edit the archive
    permission edit = archive_administrator + owner_members_can_edit->member
}

---

// user2 is member of team1
team:team1#member@user:user2

// team1 owns archive 1
archive:archive1#owner@team:team1

// use1 is administrator of archive1
archive:archive1#archive_administrator@user:user1


// archive 1 can be edited by owner team members
archive:archive1#owner_members_can_edit@archive:archive1#owner

matko031

03/19/2025, 10:13 PM

and

owner_members_can_edit->member

doesn't even show up in check watches https://cdn.discordapp.com/attachments/1350103155039277067/1352042377237237772/image.png?ex=67dc9316&is=67db4196&hm=f1a4ab02e502a1f3813643042cdd7e207449e085f1804051bec057df4d59f6ac&

Joey

03/19/2025, 10:16 PM

arrows operate over the subject, not the subject relation

Joey

03/19/2025, 10:17 PM

owner_members_can_edit->member

is pointing to

member

on the archive

Joey

03/19/2025, 10:17 PM

not on the owner under archive

Joey

03/19/2025, 10:17 PM

there should be a warning about it in the Playground

Joey

03/19/2025, 10:17 PM

https://cdn.discordapp.com/attachments/1350103155039277067/1352043413440172082/Screenshot_2025-03-20_at_12.17.43_AM.png?ex=67dc940d&is=67db428d&hm=c7923d007654910873c22707bcb1b3e068567585f02c4a174536b903742ec589&

matko031

03/19/2025, 10:23 PM

I am running playground in docker, so I didn't have the warning, but in the authzed playground I do indeed get it. Anyhow, thanks for the help!

5 Views

Previous Next