feat: introduce hierarchy for can_relations

it goes `can_delete` >> `can_edit` >> `can_view` can create is not touched by this since it gets special treatment
canonical · Sep 19, 2024 · e8d2add · e8d2add
1 parent bfec41f
commit e8d2add
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
@@ -14,71 +14,71 @@ type role
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type group
  relations
     define privileged: [privileged]
     define member: [user, group#member]
 
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 
 type identity
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-  
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type scheme
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-    
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type client
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 
 type provider
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 
 type rule
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 
 # need to model how to assign applications for the login UI, if copying current model or adjusting it
 type application
  relations
     define privileged: [privileged]
-    
+
     define can_create: [user, role#assignee, group#member] or admin from privileged
     define can_delete: [user, role#assignee, group#member] or admin from privileged
-    define can_edit: [user, role#assignee, group#member] or admin from privileged
-    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged 
+    define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+    define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit