feat: introduce hierarchy for can_relations

it goes `can_delete` >> `can_edit` >> `can_view` can create is not touched by this since it gets special treatment
canonical · Sep 20, 2024 · 596b448 · 596b448
1 parent 11c0f88
commit 596b448
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
@@ -14,71 +14,71 @@ type role
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type group
  relations
     define privileged: [privileged]
     define member: [user, group#member]
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type identity
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-  
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type scheme
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type client
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type provider
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type rule
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 # need to model how to assign applications for the login UI, if copying current model or adjusting it
 type application
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged