Using just intersections and exclusions I can get ...
# spicedb
l
Using just intersections and exclusions I can get to the following
definition user {}

definition folder {
    relation all: user:*
    relation reader: user

    permission not_read = all - reader
}

definition document {
    relation all: user:*
    relation parent: folder

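    // No parent: the arrow is empty, so everyone can read.
    // With a parent: only that folder's readers remain.
    permission read = all - parent->not_read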
}
This would give me what I want (if a document can have at most one parent). But it still feels a bit off
d
Hey - yea - maybe like this?
definition user {}

definition folder {
  relation viewer: user | user:*
  permission view = viewer
}

definition document {
  relation parent: folder
  relation owner: user

  permission read = owner | parent->view
}
l
Yeah, that is a possibility too. But this would mean removing all owners once it is added to a folder
d
I don't think you would have to remove an owner unless I'm missing something? If a document was added to a folder, now anyone will be able to read and you can keep the owner (who will also be able to view)
Hi @LarsRan! Were you able to get what you needed using preconditions?
l
Yes and no, preconditions indeed solved the problem of mutual exclusivity but did not fit nicely right now in our current design. Now I used the zed definition at the top of this thread and that seems to work.
Regarding the zed fragment you sent: I think I might not have made the use case entirely clear. I want all users to have view rights on a document when it is not in a folder; when it is in a folder, I want only the users with folder view rights to have document view rights.
Thanks for helping me out anyway!
d
Ah - ok! Thanks for clarifying.