02/22/2023, 10:03 PM
We ran into a problem in our schema that could have been avoided by following a SpiceDB best practice. Specifically, a permission's definition should not contain the relation of another resource. Rather it should only contain 'local' relations or permissions of those relations (I can't remember where I read it). Here's a minimal example version of what was happening:
definition actor {

definition user {
    relation self: actor
    permission use = self

definition organization {
    relation member: user
    permission use = member->use

definition foo {
    relation parent: organization
    // ERROR! We should only be calling permissions on the `parent` relation, not relations of the `parent`.
    permission use = parent->member    // this should be parent->use
If we had a linter that warned us not to call
in the
resource definition, we would have avoided the bug. So I wanted to see if there was a linter project already available/underway. If not, I'll probably start work on one so we can run it as part of our CI.