# talk-keto
Hey there, I've got a question regarding Ory Permission Models. I'm reading the example provided here, and I have the following doubt:
1. I have folder A.
2. Inside folder A, I have documents A1, A2, and A3.
3. I have user John. John should be able to view document A1 only if he is a viewer of document A1 AND the owner of folder A. However, he shouldn't be able to view document A2.
So far I haven't managed to figure out how to do this, since when I give access on a folder the user gets access to all documents inside it. So I was trying to implement a double check: is the user the owner of folder A, and is the user a viewer of document A1? Only then should he be able to view document A1.
can you give the model that you tried and that did not work?
E.g.: we have the following OPL model that defines users, documents and folders. If I want a user to have access to a certain document only if they have permissions on both the folder and the document, is it possible to do so without making two calls to the check API?
// @ts-nocheck

class User implements Namespace {

}

class Document implements Namespace {
  related: {
    owner: User[]
    editor: User[]
    viewer: User[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewer.includes(ctx.subject) ||
      this.related.editor.includes(ctx.subject) ||
      this.related.owner.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editor.includes(ctx.subject) ||
      this.related.owner.includes(ctx.subject),
    delete: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject),
    share: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject),
  }
}

class Folder implements Namespace {
  related: {
    owner: User[]
    editor: User[]
    viewer: User[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewer.includes(ctx.subject) ||
      this.related.editor.includes(ctx.subject) ||
      this.related.owner.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editor.includes(ctx.subject) ||
      this.related.owner.includes(ctx.subject),
    delete: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject),
    share: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject),
  }
}
You need to establish a relation between the document and the folder, and then add that in the check, so similar to:
class User implements Namespace {}

class Document implements Namespace {
  related: {
    viewer: User[]
    parent: Folder[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewer.includes(ctx.subject) &&
      this.related.parent.traverse(folder => folder.permits.view(ctx)),
  }
}

class Folder implements Namespace {
  related: {
    ...
  }

  permits = {
    view: (ctx: Context): boolean => ...
  }
}
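To see how the `&&` plus `traverse` permit above behaves on the folder-A / John scenario from the question, here is an added offline simulation (editor's example, not Ory's or the thread's code). It evaluates `Document.view` as "direct viewer AND some parent folder is viewable" over constructed relation tuples written in Keto's `namespace:object#relation@subject` notation; the Folder permit reuses the viewer/editor/owner rule from the asker's model.

```python
from collections import defaultdict

# Constructed relation tuples for the scenario in the question:
# John owns folder A and is a viewer of A1 only; Jane is a viewer of
# folder A and of document A2 only.
TUPLES = """
Folder:A#owner@user:john
Folder:A#viewer@user:jane
Document:A1#parent@Folder:A
Document:A2#parent@Folder:A
Document:A3#parent@Folder:A
Document:A1#viewer@user:john
Document:A2#viewer@user:jane
"""


def parse_tuples(text):
    """Return {(namespace, object, relation): set(subjects)}."""
    rel = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj, rest = line.split("#", 1)          # "Folder:A", "owner@user:john"
        relation, subject = rest.split("@", 1)  # "owner", "user:john"
        namespace, object_id = obj.split(":", 1)
        rel[(namespace, object_id, relation)].add(subject)
    return rel


def folder_view(rel, folder, subject):
    """Folder.view: viewer OR editor OR owner (asker's Folder permit)."""
    return any(subject in rel[("Folder", folder, r)]
               for r in ("viewer", "editor", "owner"))


def document_view(rel, doc, subject):
    """Document.view from the answer: direct viewer AND a parent folder
    that the subject can view (the traverse over `parent`)."""
    is_viewer = subject in rel[("Document", doc, "viewer")]
    parents = rel[("Document", doc, "parent")]   # e.g. {"Folder:A"}
    return is_viewer and any(
        folder_view(rel, p.split(":", 1)[1], subject) for p in parents)


def check(text, subject, doc):
    """Simulated `check` call: can subject view Document:doc?"""
    return document_view(parse_tuples(text), doc, subject)


if __name__ == "__main__":
    for who in ("user:john", "user:jane"):
        print(who, [check(TUPLES, who, d) for d in ("A1", "A2", "A3")])
```

John gets A1 only (viewer of A1 and owner of A) and Jane gets A2 only; neither reaches A3 through the folder alone, which is exactly the double check the question asked for in a single check call.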
Okay, we've just been able to define a permission model that fits our needs. Thanks!