Andrii
03/06/2023, 10:45 AM

vroldanbet
03/06/2023, 2:46 PM
`valid_license` also possible, for illustration purposes, but I assume it would be fine to enforce only with `valid_license`. Playground at: https://play.authzed.com/s/iQqJloIJEolt/schema
```
definition user {}

definition course {
  relation student: user
  // a teacher may be granted unconditionally or subject to the valid_license caveat
  relation teacher: user | user with valid_license
  permission view = student + teacher
  permission invite_students = teacher
}

// both checks in a single caveat: the license window must contain `now`
// and the protocol presented at check time must match the expected one
caveat valid_license(startDate timestamp, endDate timestamp, now timestamp, receivedProtocol string, expectedProtocol string) {
  (startDate < now && now < endDate) && (receivedProtocol == expectedProtocol)
}
```
Another option, if you want to favour composable caveats instead, is to model it with one relation per caveat referencing the teacher, as you did in your example. Playground link: https://play.authzed.com/s/kaCcGRtStCAS/schema
```
definition user {}

definition course {
  relation student: user
  relation teacher: user
  // each caveat lives on its own relation that points back at the teacher subject set
  relation teacher_with_license: course#teacher with valid_license
  relation teacher_with_protocol: course#teacher with valid_protocol
  permission view = student + teacher
  // intersection: the subject must be a teacher AND satisfy both caveated relations
  permission invite_students = teacher & teacher_with_license & teacher_with_protocol
}

// the license window must contain `now`
caveat valid_license(startDate timestamp, endDate timestamp, now timestamp) {
  startDate < now && now < endDate
}

caveat valid_protocol(receivedProtocol string, expectedProtocol string) {
  receivedProtocol == expectedProtocol
}
```
Andrii
03/06/2023, 3:38 PM

vroldanbet
03/06/2023, 3:51 PM
`teacher` relation using the `|` operator, but that implicitly gives us union (`+`) semantics, so it's not exactly what you want. We could potentially model it if we supported something similar to intersection arrow semantics at the relation level: https://github.com/authzed/spicedb/issues/597

Andrii
03/06/2023, 3:57 PM

vroldanbet
03/06/2023, 3:58 PM

Andrii
03/06/2023, 4:02 PM
```
course:c1#teacher@user:u1[valid_license]
course:c1#teacher@user:u1[valid_protocol:{"expectedProtocol":"test"}]
```
Assertion:
```
assertTrue:
  - 'course:c1#invite_students@user:u1 with {"status": "active", "expectedProtocol":"test"}'
```
And I have simplified `valid_license` caveat for now:
```
caveat valid_license(status string) {
  status == 'active'
}
```
So the message I get is `Expected relation or permission course:c1#invite_students@user:u1 with {"status": "active", "expectedProtocol":"test"} to exist`
Please advise what is wrong here? Full example: https://play.authzed.com/s/CULLu446bbql/assertions

vroldanbet
03/06/2023, 4:49 PM
`teacher` relation, but the caveat is only valid on the `teacher_with_license` and `teacher_with_protocol` relations
```
course:c1#teacher@user:u1[valid_license]
course:c1#teacher@user:u1[valid_protocol:{"expectedProtocol":"test"}]
```
`user` instead of `course#teacher` because otherwise you reference all teachers.
you can see it working here https://play.authzed.com/s/cFkuHsGVkCTM/schema

Andrii
03/07/2023, 11:05 AM