# ory-copilot
@chilly-king-10285 Am I doing something wrong in this permissions model code? The `read` permission check works in the API, but `readAll` does not.
```typescript
// Define Account
class Account implements Namespace { }

// Define Tenant
class Tenant implements Namespace {
  related: {
    members: Account[] // Accounts in this tenant
    admins: Account[]  // Accounts that are administrators of this tenant
  };

  permits = {
    // User can see the tenant
    read: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject) ||
      this.related.admins.includes(ctx.subject),

    readAll: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject)
  };
}
```
A message from kapa.ai
Based on the provided knowledge sources and the code you've shared, there doesn't appear to be anything inherently wrong with your permissions model. However, I can offer some insights and potential reasons why the `readAll` permission check might not be working as expected.

1. Syntax and Structure: The syntax and structure of your permissions model appear to be correct according to the Ory Permission Language (OPL) specification. Your `Tenant` class implements the `Namespace` interface, defines related accounts (members and admins), and specifies permission functions (`read` and `readAll`).
2. Permission Definitions: The `read` and `readAll` permissions are defined correctly. The `read` permission allows both members and admins to read the tenant, while `readAll` is restricted to admins only.
3. Potential Issues:
   a. Relationship Data: Ensure that you have correctly set up the relationships between accounts and tenants. The `readAll` permission will only work if the account checking the permission is actually listed in the `admins` relation for that tenant.
   b. Permission Check Implementation: Make sure you're using the correct API call to check the `readAll` permission. The way you check permissions might differ from how you check relationships.
   c. Nested Traversals: Your model doesn't use nested traversals, but it's worth noting that Ory Keto currently has limitations with nested traversals, as mentioned in this [GitHub issue](https://github.com/ory/keto/issues/1131).
4. Debugging Steps:
   - Double-check that the relationships are correctly set up for the tenant and account you're testing with.
   - Verify that you're using the correct API call to check the `readAll` permission.
   - Try simplifying the `readAll` permission temporarily (e.g., always return true) to see if the issue is with the permission definition or the relationship data.
5. Testing: As suggested in the [Ory documentation on creating permission models](https://www.ory.sh/docs/keto/modeling/create-permission-model#test-permissions), it's important to test your permission model thoroughly. Consider writing automated tests that insert relationships and check permissions through the SDK.

If you've verified all these points and the issue persists, it might be helpful to share more details about how you're setting up the relationships and how you're making the permission check API calls. Additionally, checking the Ory Keto logs might provide more insight into what's happening during the permission check.
@chilly-king-10285 How would I test by always returning true?