To check for a permission in Ory Keto, you can use the

checkPermissionOrError

method of the Ory Keto API. This method is used to check whether a subject has a certain relation to an object, which is essentially a permission check. Here is the API endpoint for this method:

GET /relation-tuples/check

The parameters for this method are as follows: - `namespace`: Namespace of the Relationship - `object`: Object of the Relationship - `relation`: Relation of the Relationship - `subject_id`: SubjectID of the Relationship - `subject_set.namespace`: Namespace of the Subject Set - `subject_set.object`: Object of the Subject Set - `subject_set.relation`: Relation of the Subject Set - `max-depth`: Maximum depth to check You can also use the

POST /relation-tuples/check/openapi

endpoint to check a permission using a POST request. The request body for this method should be a JSON object with the following properties: - `namespace`: Namespace to query - `object`: Object to query - `relation`: Relation to query - `subject_id`: SubjectID to query - `subject_set`: An object with properties

namespace

,

object

, and

relation

Here is an example of a request body:

json {   "namespace": "your-namespace",   "object": "your-object",   "relation": "your-relation",   "subject_id": "your-subject-id",   "subject_set": {     "namespace": "your-subject-set-namespace",     "object": "your-subject-set-object",     "relation": "your-subject-set-relation"   } }

Please replace

"your-namespace"

,

"your-object"

,

"your-relation"

,

"your-subject-id"

,

"your-subject-set-namespace"

,

"your-subject-set-object"

, and

"your-subject-set-relation"

with your actual values. For more information, please refer to the [Ory Keto API Reference](https://www.ory.sh/docs/keto/reference/rest-api).

In Ory Keto, permissions are essentially a form of relations. When you check for a permission, you're essentially checking whether a subject (e.g., a user) has a certain relation to an object (e.g., a file or a resource). This is why the permission check involves specifying the relationship. For example, if you have a relationship where a user (subject) is a member of a group (object), and you have a permission rule that members of this group can view a certain file, then checking the 'view' permission for this user on the file is essentially checking whether this user-to-group relationship exists. The permission model in Ory Keto allows you to define concrete permissions that a user gets by being a member of a group or having a certain relationship. These permissions are then checked against the relationships. For instance, if 'owners' can 'view' a file and the 'view' permission is checked, then the 'owners' relation is looked up in the relationships database. So, when you're checking for a permission, you're actually checking for a specific relationship. This is why the API methods for checking permissions require you to specify the relationship parameters. For more information, you can refer to the [Ory Keto documentation](https://www.ory.sh/docs/keto/concepts/relation-tuples) on relationships and permissions.

To check if user A has the 'edit' permission for a document, you would use the same method as checking for any other permission in Ory Keto. You would check if the user (subject) has the 'edit' relation to the document (object). Given that in your model every owner is also an editor of a document, if user A is an owner of the document, they should also be able to edit it. Here's an example of how you might check this using the Ory Keto API:

GET /relation-tuples/check?namespace=document&object=document-id&relation=edit&subject=userA

Replace

document-id

and

userA

with the actual ID of the document and the user respectively. This request will return a boolean value indicating whether the 'edit' permission is granted or not. For more information, you can refer to the [Ory Keto documentation](https://www.ory.sh/docs/keto/guides/simple-access-check-guide#synchronous-authorization-flow) on checking permissions.

The code you've provided is a TypeScript class that represents a Document in the Ory Keto permission model. This class is implementing the

Namespace

interface from the

@ory/keto-namespace-types

package. The

related

property of the class defines the relationships that a Document can have with Users and Folders. These relationships include

owners

,

editors

,

viewers

,

deleters

, and

parents

. The

permits

property of the class defines the permissions that a User can have on a Document. These permissions include

view

,

edit

, and

delete

. Each permission is a function that takes a

Context

object and returns a boolean value indicating whether the subject in the context has the permission. Here's a breakdown of the permissions: - `view`: A User can view a Document if they are a viewer, editor, or owner of the Document. - `edit`: A User can edit a Document if they are an editor or owner of the Document. - `delete`: A User can delete a Document if they are a deleter or owner of the Document. Each permission function checks if the subject in the context is included in the corresponding relationship array. Here's the code you provided:

typescript class Document implements Namespace {   related: {     owners: User[]     editors: User[]     viewers: User[]     deleters: User[]     parents: Folder[]   }    permits = {     view: (ctx: Context) : boolean =>       this.related.viewers.includes(ctx.subject) ||       this.related.editors.includes(ctx.subject) ||       this.related.owners.includes(ctx.subject),      edit: (ctx: Context): boolean =>       this.related.editors.includes(ctx.subject)||       this.related.owners.includes(ctx.subject),      delete: (ctx: Context): boolean =>       this.related.deleters.includes(ctx.subject)||       this.related.owners.includes(ctx.subject),   } }

For more information on how to define permissions in the Ory Permission Language (OPL), you can refer to the [Ory Keto documentation](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl).

To check if user A has the 'view' permission for a document, you would use the same method as checking for any other permission in Ory Keto. You would check if the user (subject) has the 'view' relation to the document (object). Given that in your model every editor is also a viewer of a document, if user A is an editor of the document, they should also be able to view it. Here's an example of how you might check this using the Ory Keto API:

GET /relation-tuples/check?namespace=document&object=document-id&relation=view&subject=userA

Replace

document-id

and

userA

with the actual ID of the document and the user respectively. This request will return a boolean value indicating whether the 'view' permission is granted or not. For more information, you can refer to the [Ory Keto documentation](https://www.ory.sh/docs/keto/guides/simple-access-check-guide#synchronous-authorization-flow) on checking permissions.

Yes, the code you provided should facilitate this. In your code, the

view

permission is granted to a user if they are in the

viewers

,

editors

, or

owners

array. So if user A is in the

editors

array, they should also have the

view

permission according to your permission model. Here's the relevant part of your code:

typescript permits = {{   view: (ctx: Context) : boolean =>     this.related.viewers.includes(ctx.subject) ||     this.related.editors.includes(ctx.subject) ||     this.related.owners.includes(ctx.subject),   // ... }}

This code checks if the subject (user A in your case) is included in the

viewers

,

editors

, or

owners

array. If they are, the function returns

true

, indicating that the user has the

view

permission. So, if you add user A to the

editors

array, the

view

function should return

true

when called with a context where the subject is user A. This means that user A has the

view

permission.

To check the 'view' permission for user A on a document in this case, you would use the

view

function in the

permits

object of your

Document

class. You would call this function with a context where the subject is user A. Here's an example of how you might do this in TypeScript:

typescript const userA = new User('userA'); const document = new Document();  // Add userA to the editors array document.related.editors.push(userA);  // Create a context for userA const ctx = { subject: userA };  // Check the view permission const canView = document.permits.view(ctx);  console.log(canView);  // This should log 'true' if userA has the view permission

In this code,

User

and

Document

are assumed to be classes that you have defined. The

User

class should have a constructor that takes a string argument for the user ID, and the

Document

class should be defined as in the code you provided. Please note that this is a simplified example and your actual code might be more complex. For example, you might need to fetch the document and the user from a database, and the user ID might be obtained from an authenticated request. For more information on how to define permissions in the Ory Permission Language (OPL), you can refer to the [Ory Keto documentation](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl).