Title
a
alex87
01/25/2023, 10:15 AMHey there, could someone help me with a modelling/query question? I have created a model, relationships and checks in the playground: https://play.authzed.com/s/aHaDwQZnO42n/schema . I have a time_events object for which I can get all users which are allowed to e.g. edit, view,.. But how can I model a permission where I can get all time_events for which my user has e.g. view or edit rights? E.g. my user can be a manager and I want to get all time events for my direct reports for which I am allowed to edit. I do not find a suitable way, maybe I am only stuck and you can help me to come to the right solution? 🙂
v
vroldanbet
01/25/2023, 10:31 AM👋🏻 it sounds like you want to intersect the permissions of 2 different users, which is not something the system really supports today. What you can do is do 2
LookupResourcesLookupResources(user: themanager, permission:edit, resource_type: time_eventsLookupResources(user: thereport, permission:edit, resource_type: time_eventsa
alex87
01/25/2023, 3:59 PMHi @vroldanbet , thanks for looking at my example and pointing me to the lookup api. If I want to get all documents a user is allowed to edit, wouldn`t it be suficient to use only one lookup call? If I use LookupResources(user: alice, permission:edit, resource_type: time_events) wouldnt it return all time_events alice is allowed to edit? In my case alice has a relation to manager and managers are allowed to edit the time events for bob. Hence I should get the time_events object of bob returned? If I want to do the same for another user, e.g. bob (who owns the time event of bob), I would not get any return object, because bob is not allowed to edit it?
v
vroldanbet
01/25/2023, 4:23 PMoh yeah, I kinda understood your quest as you needed to merge the enumeration of resources from 2 users, but yeah, if all you need is getting the resources for alice, that'd work with one API call
yes, you'd get the resources for bob when checking for alice
and correct, if bob does not have any edit permissions on any time events, you'd get no results
a
alex87
01/25/2023, 5:19 PMDo you know if Lookup api is the only way or if there is also a possiblity to model this in a nice way, as a permission? e.g. in the user object add a permission to get all time_events my user is able to edit?
v
vroldanbet
01/25/2023, 6:34 PMthere is no other option. Permissions describe how the response is computed. It's then the API method that allows you to do different things with the permission, so having different API methods to compute over the permission the right way to go IMO