https://www.ory.sh/ logo
Join Slack
Powered by
I am trying to run the rewrite example in ory keto...
# talk-keto
e
I am trying to run the rewrite example in ory keto, this is my permission file
Copy code
// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}
basically, i want that any user having the viewers access of parent should have viewer access for any of the childs. I created user group developer that has viewers access for folder keto/ and folder keto/ is parent folder keto/src/. I have two users in developer group. when i run check for viewers access for the user in developer to keto/ it gives me allowed true, but when i run check for viewers access for keto/src/ it gives me false, even though the parent has the viewers access. As far as i could understand from the permission file the user should have viewers access for the children as well #keto
s
e
i am using subject sets
Copy code
{
  "namespace": "Folder",
  "object": "keto/src",
  "relation": "viewers",
  "subject_set": {
    "namespace": "User",
    "object": "Tom"
  }
}
s
can you give all your tuples?
e
Copy code
{
  "relation_tuples": [
    {
      "namespace": "Folder",
      "object": "keto/",
      "relation": "viewers",
      "subject_set": {
        "namespace": "Group",
        "object": "developer",
        "relation": "members"
      }
    },
    {
      "namespace": "Folder",
      "object": "keto/src/",
      "relation": "parents",
      "subject_set": {
        "namespace": "Folder",
        "object": "keto/",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "developer",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "Tom",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "developer",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "John",
        "relation": ""
      }
    },
    {
      "namespace": "File",
      "object": "keto/README.md",
      "relation": "parents",
      "subject_set": {
        "namespace": "Folder",
        "object": "keto/",
        "relation": ""
      }
    }
  ],
  "next_page_token": ""
}
s
What do the logs say? Do you reach the max depth? In case you do, try increasing it in the config
e
nop I'm not reaching the max depth.. there are only these tuples available as i am running it for testing only
logs didn't give any errors as such
any updates, i am still stuck here
6 Views
Open in Slack
PreviousNext
Powered by