# talk-keto
p
What would be the recommended approach to model permissions where the relation can be one of multiple namespaces, a user or a group of users, and for access to the group would need to traverse? It's currently not possible because a warning that the view permit is not on the user is thrown. Example:
class File implements Namespace {
  related: {
    owners: (User | Group)[];
  };
  permits = {
    view: (ctx: Context): boolean =>
      this.related.owners.includes(ctx.subject) ||
      this.related.owners.traverse((p) => p.permits.view(ctx)) // error throws here because user doesn't have a permit
  };
}
s
Do you get that error from Keto or your typescript intellisense in the editor?
if it is only typescript please try to use the config anyways
p
the error is in Keto
Failed to parse OPL config files at target file:///etc/config/keto/keto_namespaces.ts. audience=application error=map[message:error from 90:19 to 90:25: relation "view" was not declared in namespace "User"
s
Ah damn, you will have to use two relations as a workaround
class File implements Namespace {
  related: {
    owners_user: User[]
    owners_group: Group[]
  };
  permits = {
    view: (ctx: Context): boolean =>
      this.related.owners_user.includes(ctx.subject) ||
      this.related.owners_group.traverse((p) => p.permits.view(ctx)) // only Group is traversed here, so User no longer needs a view permit
  };
}
p
Great, I think a type guard of some kind would be useful as you suggested. I did try
"permits" in p
but that didn't validate in keto
s
Yeah, the config language still has quite a lot of limitations