<@U04UQ68083H>My keto permissions is not working c...
# ory-copilotb
billions-leather-15882
07/30/2025, 10:51 PM@chilly-king-10285My keto permissions is not working correctly or my check is not working correctly. Where is the problem?
import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"
// Represents a feature in the system (e.g., invoicing.create_invoice)
class Feature implements Namespace {}
// Represents a plan grouping features
class Plan implements Namespace {
related: {
features: Feature[]
}
permits = {
includes_feature: (ctx: Context): boolean =>
this.related.features.includes(ctx.subject)
}
}
// Represents a subscription for a tenant to a plan and/or features
class Subscription implements Namespace {
related: {
tenant: Tenant[],
plan: Plan[],
features: Feature[]
}
permits = {
has_feature: (ctx: Context): boolean =>
// this.related.features.includes(ctx.subject) ||
this.related.plan.traverse((plan) => plan.permits.includes_feature(ctx))
}
}
class User implements Namespace {}
class Group implements Namespace {
related: {
members: (User | Group)[]
}
}
class Tenant implements Namespace {
related: {
owners: User[],
subscriptions: Subscription[]
}
permits = {
allows_feature_use: (ctx: Context): boolean =>
this.related.subscriptions.traverse(sub => sub.permits.has_feature(ctx))
}
}
/ # curl -s "http://localhost:4466/relation-tuples"
{"relation_tuples":[{"namespace":"Feature","object":"featId","relation":"self","subject_id":"feature:featId"},{"namespace":"Subscription","object":"subId","relation":"plan","subject_id":"planId"},{"namespace":"Tenant","object":"tenantId","relation":"subscriptions","subject_id":"subId"},{"namespace":"Plan","object":"planId","relation":"features","subject_id":"featId"},{"namespace":"Subscription","object":"subId","relation":"tenant","subject_id":"tenantId"},{"namespace":"Feature","object":"featDirectId","relation":"self","subject_id":"feature:featDirectId"}],"next_page_token":""}
/ # curl -s "http://localhost:4466/relation-tuples/check/openapi" \
-G \
--data-urlencode "namespace=Tenant" \
--data-urlencode "object=tenantId" \
--data-urlencode "relation=allows_feature_use" \
--data-urlencode "subject_id=featId"{"allowed":false} It should return allowed:true I want to see if tenant has a feature (in tenant -> subscription -> plan -> feature)
b
brief-egg-61061
07/30/2025, 10:51 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 10:51 PMBased on your OPL model and the relation tuples provided, your intention is to check if a tenant has access to a feature via the chain: Tenant → Subscription → Plan → Feature. However, your permission check is returning
{"allowed": false}true Copy code
typescript includes_feature: (ctx: Context): boolean => this.related.features.includes(ctx.subject) Copy code
typescript has_feature: (ctx: Context): boolean => this.related.plan.traverse((plan) => plan.permits.includes_feature(ctx)) Copy code
typescript allows_feature_use: (ctx: Context): boolean => this.related.subscriptions.traverse(sub => sub.permits.has_feature(ctx))Tenant:tenantId#subscriptions@subIdSubscription:subId#plan@planIdPlan:planId#features@featId Copy code
GET /relation-tuples/check/openapi?namespace=Tenant&object=tenantId&relation=allows_feature_use&subject_id=featId{"allowed": false}includes_featurectx.subjectPlan.related.featuresFeature[] Copy code
{
"namespace": "Plan",
"object": "planId",
"relation": "features",
"subject_id": "featId"
}"featId"Feature:featId"features"Subscription.has_feature Copy code
typescript has_feature: (ctx: Context): boolean => this.related.features.includes(ctx.subject) || this.related.plan.traverse((plan) => plan.permits.includes_feature(ctx))traversetraversetraversesubject_id=featId"featId"traversetransitivetraverse Copy code
GET /relation-tuples/check/openapi?namespace=Plan&object=planId&relation=includes_feature&subject_id=featIdtruetraversetransitiveb
billions-leather-15882
07/30/2025, 10:56 PM@chilly-king-10285 Keto version 0.14.0
And after adding the Feature:featId to the plan, it is still returning allowed false:
{"relation_tuples":[{"namespace":"Subscription","object":"subId","relation":"plan","subject_id":"planId"},{"namespace":"Feature","object":"featId","relation":"self","subject_id":"Feature:featId"},{"namespace":"Subscription","object":"subId","relation":"tenant","subject_id":"tenantId"},{"namespace":"Plan","object":"planId","relation":"features","subject_id":"Feature:featId"},{"namespace":"Tenant","object":"tenantId","relation":"subscriptions","subject_id":"subId"},{"namespace":"Feature","object":"featDirectId","relation":"self","subject_id":"Feature:featDirectId"}],"next_page_token":""}
/ # curl -s "http://localhost:4466/relation-tuples/check/openapi" \
> -G \
> --data-urlencode "namespace=Tenant" \
> --data-urlencode "object=tenantId" \
> --data-urlencode "relation=allows_feature_use" \
> --data-urlencode "subject_id=Feature:featId"
{"allowed":false}
b
brief-egg-61061
07/30/2025, 10:57 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 10:57 PMGiven your OPL model, relation tuples, and the use of Keto v0.14.0, your expectation is correct: the check should return
{"allowed": true}{"allowed": false} Copy code
json {"namespace":"Plan","object":"planId","relation":"features","subject_id":"Feature:featId"} Copy code
--data-urlencode "subject_id=Feature:featId"traversetraverseallowed: falsefalsetruetraversetransitivetraverseb
billions-leather-15882
07/30/2025, 11:00 PM@chilly-king-10285 what is the latest keto version?
b
brief-egg-61061
07/30/2025, 11:00 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 11:00 PMBased on the available knowledge sources, the latest Ory Keto image tags listed are from July 25, 2025. However, the specific version numbers are not provided in the knowledge sources—only image hashes are shown, such as
beebb63c5cd4a58b218a792027b34d231735dc05097934fff2bda05c808d962a92f52140f80dff83b
billions-leather-15882
07/30/2025, 11:01 PM@chilly-king-10285 should I create a bug report for that?
b
brief-egg-61061
07/30/2025, 11:01 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 11:01 PMBased on the knowledge sources, there is already an open issue regarding problems with the
traversetraverseb
billions-leather-15882
07/30/2025, 11:01 PM@chilly-king-10285 explain traverse operator and how should I use it?
b
brief-egg-61061
07/30/2025, 11:01 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 11:02 PMThe
traversetraversetraversetruetrue Copy code
typescript this.related.parents.traverse((parent) => parent.permits.view(ctx))viewtraverse Copy code
typescript class Document implements Namespace { related: { viewers: User[] parents: Folder[] } permits = { view: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject) || this.related.parents.traverse((parent) => parent.permits.view(ctx)), } }traversetraverseparentsmemberstraversetraversetraverseb
billions-leather-15882
07/30/2025, 11:32 PM@chilly-king-10285 I simplified the test:
Now I have:
class Feature implements Namespace {}
// Represents a plan grouping features
class Plan implements Namespace {
related: {
features: Feature[]
}
permits = {
includes_feature: (ctx: Context): boolean =>
this.related.features.includes(ctx.subject)
}
}
But still:
/ # curl -s "http://localhost:4466/relation-tuples?namespace=Plan&object=planId&relation=features"
{"relation_tuples":[{"namespace":"Plan","object":"planId","relation":"features","subject_set":{"namespace":"Feature","object":"featId","relation":""}}],"next_page_token":""}
/ # curl -s "http://localhost:4466/relation-tuples?subject_id=featId"
{"relation_tuples":[{"namespace":"Feature","object":"featId","relation":"self","subject_id":"featId"}],"next_page_token":""}
/ # curl -s "http://localhost:4466/relation-tuples/check/openapi" -G --data-urlencode "namespace=Plan" --data-urlencode "object=planId" --data-urlencode "relation=includes_feature" --data-urlencode "su
bject_id=feature:featId"
{"allowed":false}
/ # curl -s "http://localhost:4466/relation-tuples/check/openapi" -G --data-urlencode "namespace=Plan" --data-urlencode "object=planId" --data-urlencode "relation=includes_feature" --data-urlencode "su
bject_id=featId"
{"allowed":false}
b
brief-egg-61061
07/30/2025, 11:32 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 11:32 PMBased on your simplified test and the knowledge sources, here’s what’s happening: ### Your Model
Copy code
typescript class Feature implements Namespace {} class Plan implements Namespace { related: { features: Feature[] } permits = { includes_feature: (ctx: Context): boolean => this.related.features.includes(ctx.subject) } }PlanfeaturesFeatureobject: featIdPlan:planIdfeatIdfeature:featIdincludesthis.related.features.includes(ctx.subject)featuresfeatures Copy code
json {"namespace":"Plan","object":"planId","relation":"features","subject_set":{"namespace":"Feature","object":"featId","relation":""}}"featId""feature:featId"Featuresubject_idsubject_setsubject_id=featIdsubject_id=feature:featIdsubject_id=featIdsubject_id=feature:featIdfeaturessubject_set: {namespace: "Feature", object: "featId", relation: ""}allowed: truesubject_setsubject_id/relation-tuples/check/openapi Copy code
bash curl -s "<http://localhost:4466/relation-tuples/check/openapi>" \ -G \ --data-urlencode "namespace=Plan" \ --data-urlencode "object=planId" \ --data-urlencode "relation=includes_feature" \ --data-urlencode "subject_set.namespace=Feature" \ --data-urlencode "subject_set.object=featId" \ --data-urlencode "subject_set.relation="{"allowed": true}subject_idsubject_setfeaturessubject_setb
billions-leather-15882
07/30/2025, 11:38 PM@chilly-king-10285 Ok now it works, but it seems that in the PHP client library, there is a bug.
$permResult = Ory::permission()->checkPermission(
'Plan',
$planId,
'includes_feature',
null,
'Feature',
$featureCheckId,
'',
);
Should create that same request as curl, but because the relation is empty string, the PHP library will not put that to the request: [400] Client error:
GET <http://keto:4466/relation-tuples/check/openapi?namespace=Plan&object=planId&relation=includes_feature&subject_set.namespace=Feature&subject_set.object=featId>400 Bad Requestb
brief-egg-61061
07/30/2025, 11:38 PMA message from kapa.ai
brief-egg-61061
07/30/2025, 11:39 PMBased on the knowledge sources, your analysis is correct: when using a subject set in a permission check, the
relationnamespaceobjectrelation400 Bad Requestnamespaceobjectrelationrelationrelationsubject_set4 Views