https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> I have the following permission mod...
# ory-copilot
m
@chilly-king-10285 I have the following permission model:
Copy code
class Company implements Namespace {
  related: {
    admins: User[]
  }

  permits = {
    owner: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject)
  }
}
class LearningPlan implements Namespace {
  related: {
    owners: User[]
    companies: Company[]
  }

  permits = {
    owner: (ctx: Context): boolean =>
      this.related.companies.traverse((parent) => parent.permits.owner(ctx)) ||
      this.related.owners.includes(ctx.subject)
  }
}
With these relations: • Subject 
companies/simpleclub
is 
companies
of Object 
LearningPlan:learning_plans/xyz
c
A message from kapa.ai
Based on the permission model you provided, a user is considered an owner of a 
LearningPlan
if they are either directly listed as an owner in the 
owners
relation of the 
LearningPlan
or if they are an admin of a 
Company
that is listed in the 
companies
relation of the 
LearningPlan
. The 
permits
function in the 
LearningPlan
class checks these conditions. It first traverses the 
companies
relation and checks if the subject (user) is an owner (admin) of any of the companies. If this condition is not met, it checks if the subject is directly listed in the 
owners
relation of the 
LearningPlan
. The 
permits
function in the 
Company
class checks if the subject is listed in the 
admins
relation of the 
Company
. In the relation you provided, the 
Company
with the identifier 
companies/simpleclub
is listed in the 
companies
relation of the 
LearningPlan
with the identifier 
LearningPlan:learning_plans/xyz
. This means that any user who is an admin of 
companies/simpleclub
would be considered an owner of 
LearningPlan:learning_plans/xyz
, according to your permission model. For more information on how to define permissions in Ory, you can refer to the [Ory documentation](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl).
Open in Slack
PreviousNext
Powered by