From 596b448a3e8ccada33f9d6d1d50e0fd0259b3cd6 Mon Sep 17 00:00:00 2001
From: barco
Date: Thu, 19 Sep 2024 15:39:49 +0200
Subject: [PATCH] feat: introduce hierarchy for can_relations
it goes `can_delete` >> `can_edit` >> `can_view` can create is not touched by this since it gets special treatment
---
internal/authorization/schema.openfga | 50 +++++++++++++--------------
1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
index c6834ded1..7d9a71376 100644
--- a/internal/authorization/schema.openfga
+++ b/internal/authorization/schema.openfga
@@ -14,9 +14,9 @@ type role
 define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged - + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged + type group relations define privileged: [privileged] 
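Review bot: Every existing `can_delete` tuple now also satisfies `can_edit` and `can_view` on the rewritten lines, which widens effective access for principals that were granted delete without edit, yet the patch touches only the schema (diffstat: 1 file) and adds no model tests, so nothing pins that `can_delete` implies `can_edit` implies `can_view` while `can_view` alone still does not grant `can_edit`; an OpenFGA test file with check assertions in both directions for at least `type role` should ship with this change. The trailing `or admin from privileged` on the new `can_edit` and `can_view` lines is redundant, since `can_delete` already includes that term and `or can_delete` / `or can_edit` carry it down the chain; if that is unintended, `define can_edit: [user, role#assignee, group#member] or can_delete` states the hierarchy more plainly. The chain is only explained in the commit message; the file already uses `#` comments, so a line above `define can_delete` such as `# can_delete implies can_edit, which implies can_view; can_create is intentionally outside this chain` would keep the rationale next to the model. The same points apply to the identical rewrites for group, identity, scheme, client, provider, rule and application in the second hunk.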
@@ -24,61 +24,61 @@ type group define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged type identity relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged - + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged + type scheme relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged - + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged + type client relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or 
admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged type provider relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged type rule relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged # need to model how to assign applications for the login UI, if copying current model or adjusting it type application relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, 
group#member] or can_delete or admin from privileged + define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged