Problem with arbitrary relations
Gromitmugs opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
Hi, I have a few problems using an arbitrary relation, though I'm not sure whether what I'm trying to do is the right way.
So, I made a namespace which has the relations as follows:
- viewers
- editors
My idea is that, for the relationship tuples created in this namespace, their relation will not be any of the relations that are defined in the namespace configuration. Instead, I intend to use other tuples to define any arbitrary relation to be a subject set of the existing relations. For example:
// The relation Admin of User:MyApp is an Editor of User:MyApp
{
    Namespace: lo.ToPtr("User"),
    Object:    lo.ToPtr("MyApp"),
    Relation:  lo.ToPtr("editors"),
    SubjectSet: &ory.SubjectSet{
        Namespace: "User",
        Object:    "MyApp",
        Relation:  "Admin",
    },
},
// The relation Normal of User:MyApp is a Viewer of User:MyApp
{
    Namespace: lo.ToPtr("User"),
    Object:    lo.ToPtr("MyApp"),
    Relation:  lo.ToPtr("viewers"),
    SubjectSet: &ory.SubjectSet{
        Namespace: "PlatformUser",
        Object:    "MyApp",
        Relation:  "Normal",
    },
},
My direct tuples are:
// Add Test Users
{
    Namespace: lo.ToPtr("User"),
    Object:    lo.ToPtr("MyApp"),
    Relation:  lo.ToPtr("Admin"),
    SubjectId: lo.ToPtr("TestAdminUser"),
},
{
    Namespace: lo.ToPtr("User"),
    Object:    lo.ToPtr("MyApp"),
    Relation:  lo.ToPtr("Normal"),
    SubjectId: lo.ToPtr("TestNormalUser"),
},
My namespace config:
class User implements Namespace {
  related: {
    viewers: User[]
    editors: User[]
  }
  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editors.includes(ctx.subject),
  }
}
Expected Output
It is expected that a TestNormalUser has the view permit to the User:MyApp, and a TestAdminUser has the view and edit permits to the User:MyApp.
Reproducing the bug
The problem arises when I try checking if the subject_id TestNormalUser has the edit relation. The payload is below:
{
  "namespace": "User",
  "object": "MyApp",
  "relation": "edit",
  "subject_id": "TestNormalUser"
} // expecting a "false" response but got an error
Also, it outputs the same when asking for the view relation for TestAdminUser:
{
  "namespace": "User",
  "object": "MyApp",
  "relation": "view",
  "subject_id": "TestAdminUser"
} // expecting a "true" response but got an error
But it works just fine when asking for the edit relation for TestAdminUser:
{
  "namespace": "User",
  "object": "MyApp",
  "relation": "edit",
  "subject_id": "TestAdminUser"
} // got a "true" response
Relevant log output
For the first check payload:
{
  "error": {
    "code": 400,
    "status": "Bad Request",
    "reason": "relation \"Admin\" does not exist",
    "message": "The request was malformed or contained invalid parameters"
  }
}
For the second check payload:
{
  "error": {
    "code": 400,
    "status": "Bad Request",
    "reason": "relation \"Normal\" does not exist",
    "message": "The request was malformed or contained invalid parameters"
  }
}
Relevant configuration
No response
Version
v0.11.1-alpha.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
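
The 400 responses in this report name relations that appear in the tuples but not in the namespace's `related` block. The following is an added example, not part of the original issue and not Ory code: a small linter that checks tuples against the declared relations before they are written. The `Tuple` and `SubjectSet` types, `declared`, `Lint` and `IssueTuples` are hypothetical names, and the sample data is constructed from the tuples and config shown above.

```go
package main

import "fmt"

// Tuple mirrors the fields used in the issue's relationship tuples.
// Hypothetical type for this example, not the Ory client's struct.
type Tuple struct {
	Namespace, Object, Relation string
	SubjectID                   string
	SubjectSet                  *SubjectSet
}

type SubjectSet struct{ Namespace, Object, Relation string }

// declared maps each namespace to the relations in its `related` block.
// Constructed from the namespace config shown in the issue.
var declared = map[string]map[string]bool{
	"User": {"viewers": true, "editors": true},
}

// Lint returns one finding per reference to a namespace#relation pair
// that the configuration does not declare. Indexing a missing namespace
// yields a nil inner map, which reads as false, so unknown namespaces
// are reported as well.
func Lint(tuples []Tuple) []string {
	var out []string
	for i, t := range tuples {
		if !declared[t.Namespace][t.Relation] {
			out = append(out, fmt.Sprintf("tuple %d: relation %s#%s not declared", i, t.Namespace, t.Relation))
		}
		if s := t.SubjectSet; s != nil && !declared[s.Namespace][s.Relation] {
			out = append(out, fmt.Sprintf("tuple %d: subject set %s#%s not declared", i, s.Namespace, s.Relation))
		}
	}
	return out
}

// IssueTuples reproduces the four tuples from the issue (constructed sample).
func IssueTuples() []Tuple {
	return []Tuple{
		{Namespace: "User", Object: "MyApp", Relation: "editors", SubjectSet: &SubjectSet{"User", "MyApp", "Admin"}},
		{Namespace: "User", Object: "MyApp", Relation: "viewers", SubjectSet: &SubjectSet{"PlatformUser", "MyApp", "Normal"}},
		{Namespace: "User", Object: "MyApp", Relation: "Admin", SubjectID: "TestAdminUser"},
		{Namespace: "User", Object: "MyApp", Relation: "Normal", SubjectID: "TestNormalUser"},
	}
}

func main() {
	for _, finding := range Lint(IssueTuples()) {
		fmt.Println(finding)
	}
}
```

Run against the issue's data, it reports all four tuples, including the subject set that points at the `PlatformUser` namespace, which the config shown here does not define.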