https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> if I have the following OPL: ```imp...
# ory-copilot
h
@chilly-king-10285 if I have the following OPL:
Copy code
import { Namespace, Context, SubjectSet } from '@ory/keto-namespace-types';

class User implements Namespace {}

class Team implements Namespace {
    related: {
        members: User[];
    };

    permits = {
        containsUser: (ctx: Context): boolean => this.related.members.includes(ctx.subject),
    };
}

class Project implements Namespace {
    related: {
        editors: (User | SubjectSet<Team, "members">)[];
    };
    permits = {
        edit: (ctx: Context): boolean =>
            this.related.editors.includes(ctx.subject)
    };
}
And I had the following relationships persisted: • User A is member of Team B • Project C has Team B referenced in the 
SubjectSet<Team, "members">
section in the 
editors
relationship Would you expect a check operation for 
edit
on Project C for User A to be allowed?
c
A message from kapa.ai
Yes, based on the OPL you provided, a check operation for 
edit
on Project C for User A should be allowed. Here's why: - User A is a member of Team B, as defined in the 
members
relationship of the 
Team
class. - Team B is listed in the 
editors
relationship of the 
Project
class, which means all members of Team B, including User A, are considered editors of Project C. - The 
edit
permission in the 
Project
class checks if the subject (in this case, User A) is included in the 
editors
relationship. Since User A is a member of Team B and Team B is an editor of Project C, User A is considered an editor of Project C. Therefore, a check operation for 
edit
on Project C for User A should return true, indicating that User A is allowed to edit Project C. This is based on the OPL and the relationships you provided. Please note that the actual result may vary depending on the specific implementation and the state of the relationships at the time of the check operation. For more information on how OPL works, you can refer to the [Ory Permission Language specification](https://www.ory.sh/docs/keto/reference/ory-permission-language#examples) and the [Ory API Reference](https://www.ory.sh/docs/reference/api).
h
@chilly-king-10285: that’s what I thought. And yet it doesn’t seem to be the case. I have the following test code to try and prove this:
Copy code
func TestKeto(b *testing.T) {
	// ...
	
	writeClient := grpcPermissionsClient.WriteClient
	checkClient := grpcPermissionsClient.CheckClient

	team := uuid.NewString()
	project := uuid.NewString()
	user := uuid.NewString()

	// add team to project
	_, err = writeClient.TransactRelationTuples(context.Background(), &acl.TransactRelationTuplesRequest{
		RelationTupleDeltas: []*acl.RelationTupleDelta{
			{
				Action: acl.RelationTupleDelta_ACTION_INSERT,
				RelationTuple: &acl.RelationTuple{
					Namespace: "Project",
					Object:    project,
					Relation:  "editors",
					Subject:   acl.NewSubjectSet("Team", team, ""),
				},
			},
		},
	})
	require.NoError(b, err)

	// check no access
	res, err := checkClient.Check(context.Background(), &acl.CheckRequest{
		Tuple: &acl.RelationTuple{
			Namespace: "Project",
			Object:    project,
			Relation:  "edit",
			Subject:   acl.NewSubjectSet("User", user, ""),
		},
	})
	require.NoError(b, err)
	assert.False(b, res.Allowed)

	// add user to team
	_, err = writeClient.TransactRelationTuples(context.Background(), &acl.TransactRelationTuplesRequest{
		RelationTupleDeltas: []*acl.RelationTupleDelta{
			{
				Action: acl.RelationTupleDelta_ACTION_INSERT,
				RelationTuple: &acl.RelationTuple{
					Namespace: "Team",
					Object:    team,
					Relation:  "members",
					Subject:   acl.NewSubjectSet("User", user, ""),
				},
			},
		},
	})
	require.NoError(b, err)

	// check for access
	res, err = checkClient.Check(context.Background(), &acl.CheckRequest{
		Tuple: &acl.RelationTuple{
			Namespace: "Project",
			Object:    project,
			Relation:  "edit",
			Subject:   acl.NewSubjectSet("User", user, ""),
		},
	})
	require.NoError(b, err)
	assert.True(b, res.Allowed)
}
This fails on the final assert - this returns false when you’d expect it to return true Any idea what’s going on?
c
A message from kapa.ai
Hmm, I don't know enough to give you a confident answer yet. The code you provided seems correct based on the OPL and the relationships you described. The final assert should indeed return true, indicating that User A has the 
edit
permission on Project C. However, there could be several reasons why the final assert is returning false. It could be due to a misconfiguration, a bug in the Ory Keto service, or an issue with the state of the relationships at the time of the check operation. I would recommend checking the following: 1. Ensure that the Ory Keto service is correctly configured and running without errors. You can refer to the [Ory Keto documentation](https://www.ory.sh/keto/docs/) for more information on how to configure and use the service. 2. Check the state of the relationships before and after the 
TransactRelationTuples
operations. Make sure that the relationships are correctly created and that they reflect the state you described. 3. Try to isolate the issue by creating a minimal test case that reproduces the problem. This could help you identify if the issue is with the OPL, the relationships, or the Ory Keto service itself. 4. If you're still unable to resolve the issue, consider reaching out to the Ory community or the Ory support for help. They might be able to provide more specific guidance based on your particular setup and use case.
2 Views
Open in Slack
PreviousNext
Powered by