Merge pull request #419 from canonical/feat/ofga-authmodel-hierarchy

feat: introduce hierarchy for can_relations
canonical · Sep 20, 2024 · 09682b6 · 09682b6
2 parents 11c0f88 + 596b448
commit 09682b6
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
@@ -14,71 +14,71 @@ type role
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type group
  relations
     define privileged: [privileged]
     define member: [user, group#member]
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type identity
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-  
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type scheme
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
+
 type client
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type provider
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 type rule
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged
 
 # need to model how to assign applications for the login UI, if copying current model or adjusting it
 type application
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or can_delete or admin from privileged
+    define can_view: [user, user:*, role#assignee, group#member] or can_edit or admin from privileged