When evaluating user permissions in Ory Keto, the result depends on the order of the user group checks. When a user is only in the "owners" group, the expected behavior is for the itemView permission to return True. However, when the line this.related.owners.includes(ctx.subject) is moved up in the code block, with the rest of the logic unchanged, the function incorrectly returns False, even though the two versions of the code are logically equivalent.
This discrepancy manifests when incorporating a check for blocked users, denoted by !this.related.blockedUsers.includes(ctx.subject) && ( ... ). The unexpected behavior undermines the intended functionality of permission evaluation and could lead to incorrect access control decisions.
```typescript
class User implements Namespace {}

class LegalEntityUserGroup implements Namespace {
  related: {
    // predefined roles
    owners: User[];
    administrators: User[];
    creators: User[];
    viewers: User[];
    members: User[];
  };
}

class BlockedUserGroup implements Namespace {
  related: {
    blockedUsers: User[];
  };
}

class LegalEntity implements Namespace {
  related: {
    // pre-defined roles
    owners: SubjectSet<LegalEntityUserGroup, "owners">[];
    administrators: SubjectSet<LegalEntityUserGroup, "administrators">[];
    creators: SubjectSet<LegalEntityUserGroup, "creators">[];
    viewers: SubjectSet<LegalEntityUserGroup, "viewers">[];
    members: SubjectSet<LegalEntityUserGroup, "members">[];
    blockedUsers: SubjectSet<BlockedUserGroup, "blockedUsers">[];
  };

  permits = {
    own: (ctx: Context): boolean =>
      !this.related.blockedUsers.includes(ctx.subject) &&
      this.related.owners.includes(ctx.subject),
    itemView: (ctx: Context): boolean =>
      !this.related.blockedUsers.includes(ctx.subject) &&
      (this.related.administrators.includes(ctx.subject) ||
        this.related.creators.includes(ctx.subject) ||
        this.related.viewers.includes(ctx.subject) ||
        this.related.owners.includes(ctx.subject) ||
        // ⚠️ move this line up and it won't work.
        this.related.members.includes(ctx.subject)),
  };
}
```
Reproducing the bug
Add a User to LegalEntityUserGroup as owner, using the object legalentity_123.
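A reference evaluation of the expected result, added here as an example that is not part of the report or of Keto itself: a minimal in-memory model of the relation tuples (subject sets expanded recursively) that evaluates itemView with the role checks in either order, so the answer Keto returns for an owner-only user can be compared against it. The user ids and the object naming of the group subject sets are constructed assumptions.

```python
from typing import NamedTuple, Union

class SubjectSet(NamedTuple):  # indirect subject: members of namespace:object#relation
    namespace: str
    object: str
    relation: str
Subject = Union[str, SubjectSet]  # a concrete user id or a subject set

class RelationTuple(NamedTuple):
    namespace: str
    object: str
    relation: str
    subject: Subject

def expand(tuples, namespace, obj, relation, seen=None):
    """Resolve namespace:obj#relation to the set of concrete user ids,
    following subject sets recursively; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    key = (namespace, obj, relation)
    if key in seen: return set()
    seen.add(key)
    users = set()
    for t in tuples:
        if (t.namespace, t.object, t.relation) != key:
            continue
        if isinstance(t.subject, SubjectSet):
            users |= expand(tuples, *t.subject, seen)
        else:
            users.add(t.subject)
    return users

ROLES = ("administrators", "creators", "viewers", "owners", "members")

def item_view(tuples, entity, user, role_order=ROLES):
    """Reference semantics of LegalEntity.itemView: not blocked AND in any role.
    The role check order is a parameter so both orderings can be compared."""
    if user in expand(tuples, "LegalEntity", entity, "blockedUsers"):
        return False
    return any(user in expand(tuples, "LegalEntity", entity, r) for r in role_order)

def sample_tuples():
    """Constructed sample data (object naming assumed): each role of legalentity_123
    delegates to the matching group subject set; alice is only an owner, mallory is blocked."""
    g, e = "LegalEntityUserGroup", "legalentity_123"
    ts = [RelationTuple("LegalEntity", e, r, SubjectSet(g, e, r)) for r in ROLES]
    ts.append(RelationTuple("LegalEntity", e, "blockedUsers", SubjectSet("BlockedUserGroup", e, "blockedUsers")))
    ts.append(RelationTuple(g, e, "owners", "alice"))
    ts.append(RelationTuple(g, e, "viewers", "mallory"))
    ts.append(RelationTuple("BlockedUserGroup", e, "blockedUsers", "mallory"))
    return ts
```

The same tuples can be written to a Keto instance so that the engine's answer for alice can be compared with this reference under both check orders.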
Preflight checklist
Ory Network Project
No response
Relevant log output
No response
Relevant configuration
No response
Version
v0.11.1-alpha.0
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker Compose
Additional Context
No response