OPL: nested traverse are not allowed #1131
Assignees
Labels
bug
Something is not working.
Comments
|
I have a bit more condensed version of this bug. OPL: class Project implements Namespace {
related: {
companies: Company[]
}
permits = {
view: (ctx: Context) => this.related.companies.traverse(company => company.related.users.includes(ctx.subject))
}
}
class User implements Namespace {}
class Company implements Namespace {
related: {
users: User[]
}
}So User has view permit on Project if he is in Company. Relations: {
"namespace": "Company",
"object": "zenmo",
"relation": "users",
"subject_id": "User:erik"
},
{
"namespace": "Project",
"object": "myproj",
"relation": "companies",
"subject_id": "Company:zenmo"
}Permission check which returns false but should return true: POST /relation-tuples/check/openapi
{
"namespace": "Project",
"object": "myproj",
"relation": "view",
"subject_id": "User:erik"
} |
cmmoran
added a commit
to cmmoran/keto
that referenced
this issue
Jan 2, 2024
warning: extremely experimental
cmmoran
added a commit
to cmmoran/keto
that referenced
this issue
Jan 2, 2024
warning: extremely experimental
cmmoran
added a commit
to cmmoran/keto
that referenced
this issue
Jan 17, 2024
warning: extremely experimental
cmmoran
added a commit
to cmmoran/keto
that referenced
this issue
Jan 20, 2024
warning: extremely experimental
cmmoran
added a commit
to cmmoran/keto
that referenced
this issue
Feb 7, 2024
warning: extremely experimental
|
Could I ask where Keto OPL currently sits with nested traversals? I just started using Keto again after a few months break, and spent a painful amount of time trying to get the following to work, only to find this limitation and issue via Slack 😅 import { Namespace, Context } from "@ory/keto-namespace-types"
class User implements Namespace {}
class Team implements Namespace {
related: {
owners: User[]
members: User[]
}
permits = {
delete: (ctx: Context): boolean => this.related.owners.includes(ctx.subject),
manage: (ctx: Context): boolean => this.related.owners.includes(ctx.subject),
}
}
class Project implements Namespace {
related: {
teams: Team[]
}
permits = {
manage: (ctx: Context): boolean => this.related.teams.traverse((t) => t.permits.manage(ctx)),
contribute: (ctx: Context): boolean => this.permits.manage(ctx),
}
}
class File implements Namespace {
related: {
projects: Project[]
}
permits = {
write: (ctx: Context): boolean => this.related.projects.traverse((p) => p.permits.manage(ctx)),
read: (ctx: Context): boolean => this.related.projects.traverse((p) => p.permits.contribute(ctx)),
}
}With the following relations [
{
"namespace": "Team",
"object": "my_team",
"relation": "owners",
"subject_id": "User:taylor"
},
{
"namespace": "Project",
"object": "my_project",
"relation": "teams",
"subject_id": "Team:my_team"
},
{
"namespace": "File",
"object": "my_file",
"relation": "projects",
"subject_id": "Project:my_project"
}
]If I make the following requests, I get Yet, if I do the following, I get Any concrete information/status on this would be really useful, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Preflight checklist
Describe the bug
It is not allowed to have nested traverse expressions.
Reproducing the bug
This is however only a limitation on the OPL level. The same result can be achieved by using:
which is a lot more complex and harder to manage.
Relevant log output
No response
Relevant configuration
No response
Version
v0.10.0
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: