From e8d2add209d121c9b7ed4daf6bd6503cb838f6b5 Mon Sep 17 00:00:00 2001
From: barco
Date: Thu, 19 Sep 2024 15:39:49 +0200
Subject: [PATCH] feat: introduce hierarchy for can_relations

it goes `can_delete` >> `can_edit` >> `can_view`
can create is not touched by this since it gets special treatment
---
 internal/authorization/schema.openfga | 50 +++++++++++++--------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
index c6834ded1..7ca85c7a1 100644
--- a/internal/authorization/schema.openfga
+++ b/internal/authorization/schema.openfga
@@ -14,9 +14,9 @@ type role
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type group
 relations
 define privileged: [privileged]
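Review bot: The new `or can_delete` and `or can_edit` terms on the `can_edit` and `can_view` lines of `type role` widen what existing tuples grant: a `user`, `role#assignee` or `group#member` written directly into `can_delete` only now also satisfies `can_edit` and `can_view`, and a direct `can_edit` tuple now also satisfies `can_view`, which the previous model did not imply. Before this is deployed the store should be checked for assignments that relied on delete-without-edit or edit-without-view, since they silently gain access; the same applies to every type in the second hunk. The hierarchy itself is stated only in the commit message, so a comment above `type role` such as `# permission hierarchy: can_delete implies can_edit implies can_view; can_create is intentionally standalone` would keep later relations from being attached at the wrong level. If the repository carries OpenFGA model tests, a case asserting that a subject with only a `can_delete` tuple passes a `can_view` check would pin the new semantics.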
@@ -24,61 +24,61 @@ type group
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 type identity
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type scheme
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type client
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or 
admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 type provider
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 type rule
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
 # need to model how to assign applications for the login UI, if copying current model or adjusting it
 type application
 relations
 define privileged: [privileged]
-
+
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
+ define can_edit: [user, role#assignee, 
group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
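Review bot: On every new `can_edit` line in this hunk the `or admin from privileged` term is now redundant, because the `can_delete` it also references already expands to `admin from privileged`, and the same term on each new `can_view` line is subsumed by `can_edit`; keeping the admin clause in three places per type means any later change to the admin path must be repeated for every relation of every type. The pair could be written as `define can_edit: [user, role#assignee, group#member] or can_delete` and `define can_view: [user, user:*, role#assignee, group#member] or can_edit`, which resolves to the same set of subjects while keeping the `user:*` wildcard that only `can_view` carries. The same simplification applies to `type role` in the first hunk.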