I can’t get this syntax to work? SpiceDB #spicedb

Join Discord

I can’t get this syntax to work?

# spicedb

Spencer

04/02/2025, 3:43 PM

I can’t get this syntax to work?

kartikay

04/02/2025, 4:30 PM

Combining the two caveats into a single one would work here, afaik multiple caveats for a single relation is currently unsupported, you can open an issue for this

yetitwo

04/02/2025, 5:11 PM

correct, relations can only have a single caveat

Spencer

04/02/2025, 5:59 PM

I see. Thank you.

yetitwo

04/02/2025, 6:59 PM

you can have multiple variations of a relation with different caveats, though

yetitwo

04/02/2025, 6:59 PM

not sure if that fits your use case

yetitwo

04/02/2025, 7:00 PM

Copy code

definition resource {
  relation viewer: user | user with expiration | user with ip_blocklist
}

if that makes sense

Spencer

04/02/2025, 8:50 PM

thanks @yetitwo appreciate the help. one thing I struggle with caveats is passing along the set value to permissions

yetitwo

04/02/2025, 8:51 PM

as in what the call looks like?

Spencer

04/02/2025, 8:52 PM

here's one of my definitions

Copy code

definition solution {
    // Environment Relationship
    relation environment: environment

    // Access Relations
    relation owner: organization
    relation launcher: user | usergroup#member

    // Admin Console Permissions
    permission view = owner->view_solutions
    permission manage = owner->manage_solutions
    permission submit_content = owner->submit_solution_content
    permission approve_review = owner->approve_solution_review
    permission approve_test = owner->approve_solution_test
    permission delete = owner->delete_solutions

    // Deploy Permissions
    // Users must be both a launcher and environment member to launch the solution
    permission launch = launcher & environment->member
}

Spencer

04/02/2025, 8:54 PM

and i want the permission to

submit_content

to be conditional based on whether or not the solution is what i'm calling an

internal

solution, meaning the organization has deemed it to be internal, so i want to allow other users to of the organization to submit_content ... so i tried adding an internal caveat

Copy code

caveat internal(internal bool){
  internal == true
}

but i couldn't figure out how to pass along this boolean to conditionally add a different user as part of the content review

Spencer

04/02/2025, 8:56 PM

Copy code

definition solution {
  relation owner: organization | organization with internal
  permission submit_content = organization>submit_solution_content + (if internal then include organization>manage_solutions) <<<<<
}

Spencer

04/02/2025, 8:57 PM

Copy code

solution:my_internal_solution#owner@organization:my_org[internal]
solution:my_solution#owner@organization:my_org

Spencer

04/02/2025, 8:59 PM

but maybe i shouldn't be trying to use caveats here 😢

yetitwo

04/02/2025, 9:02 PM

my rule of thumb is that if something can be expressed with a relation, it should

yetitwo

04/02/2025, 9:04 PM

so if there isn't something that would vary at request time that figures into the permission computation

yetitwo

04/02/2025, 9:04 PM

i wouldn't use a caveat there

yetitwo

04/02/2025, 9:04 PM

and you can use reflexive or wildcard relations to represent "boolean" ideas

yetitwo

04/02/2025, 9:20 PM

here's an example: https://play.authzed.com/s/cn5qYpMXUphj/schema

yetitwo

04/02/2025, 9:20 PM

the use of arrows is kinda subtle but this sounds like the behavior you're after

Spencer

04/02/2025, 10:59 PM

oh cool, you're referencing resource again ... okay! super helpful

Spencer

04/02/2025, 11:04 PM

before you sent this example ... we kind of did this, which I'm trying to think if works to 🤔 or if I need to modify mine to work more similar to how your example self references itself

Copy code

definition solution {
    relation owner: organization
    relation internal_to: organization
    
    permission submit_content = internal_to->manage_solutions + owner->submit_solution_content
}

yetitwo

04/03/2025, 2:14 PM

that seems like it works fine as well

yetitwo

04/03/2025, 2:14 PM

in that case you're treating two relations between the same two resources as having different semantics, which is a fine and normal thing

Spencer

04/03/2025, 2:20 PM

However your example is able to filter out users who aren’t internal, whereas mine seems to still allow external users to access my internal solution … ugh

Spencer

04/03/2025, 2:23 PM

Am I able to save a schema instance and share it with you, I don’t see like a save button on the playground? I’m only like 3 days into learning and using spiceDB, so I’m still learning the ropes. But I’d love to show you the assertion that I believe is a gap in my implementation compared to yours

yetitwo

04/03/2025, 2:32 PM

you click the "Share" button and it saves a copy and gives you a sharing uRL

Spencer

04/03/2025, 3:46 PM

@yetitwo okay here's my example https://play.authzed.com/s/QDACWubU67aM/schema the access i'm trying to prevent is that even if a solution is "deploy_to" 2 different organizations it should only give my launch permissions to users who are part of the "internal_to" organization ... this should prevent access to outside orgs i should venmo you a coffee if you help me figure this out

yetitwo

04/03/2025, 6:53 PM

is it not enough to add

& internal_to->member

to the

launch

permission? am i missing something?

Spencer

04/04/2025, 8:43 PM

No you’re right! I got it. Thanks to your help. Appreciate it

yetitwo

04/04/2025, 8:51 PM

sure thing!

4 Views

Previous Next