https://www.ory.sh/ logo
Join Slack
Powered by
Is this known issue? - Ory keto 0.14.0 - Ory clien...
# ory-selfhosting
b
Is this known issue? • Ory keto 0.14.0 • Ory client php-library ory/client v1.21.1 PHP ory client library, when calling:
Copy code
$permResult = Ory::permission()->checkPermission(
          'Plan',
            $planId,
            'includes_feature',
            null,
            'Feature',
            $featureCheckId,
            '',
        );
Causes error because subject_set.relation needs to be empty but because it is empty, it is not included in the request causing this error:
Copy code
[400] Client error: `GET <http://keto:4466/relation-tuples/check/openapi?namespace=Plan&object=planId&relation=includes_feature&subject_set.namespace=Feature&subject_set.object=featId>` resulted in a `400 Bad Request` response:{"error":{"code":400,"status":"Bad Request","message":"incomplete subject, provide \"subject_id\" or a complete \"subjec (truncated...)
And keto log:
Copy code
keto-1  | time=2025-07-30T23:44:02Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json content-type:application/json user-agent:OpenAPI-Generator/1.0.0/PHP] host:keto:4466 method:GET path:/relation-tuples/check/openapi query:namespace=Plan&object=planId&relation=includes_feature&subject_set.namespace=Feature&subject_set.object=featId remote:172.19.0.37:50472 scheme:http] http_response=map[headers:map[content-type:application/json] size:133 status:400 text_status:Bad Request took:86.667µs]
When doing the same request with curl:
Copy code
/ # curl -s "<http://localhost:4466/relation-tuples/check/openapi>" \
>   -G \
>   --data-urlencode "namespace=Plan" \
>   --data-urlencode "object=planId" \
>   --data-urlencode "relation=includes_feature" \
>   --data-urlencode "subject_set.namespace=Feature" \
>   --data-urlencode "subject_set.object=featId" \
>   --data-urlencode "subject_set.relation="
{"allowed":true}
It works, but:
Copy code
# curl -s "<http://localhost:4466/relation-tuples/check/openapi>" \
>    -G \
>    --data-urlencode "namespace=Plan" \
>    --data-urlencode "object=planId" \
>    --data-urlencode "relation=includes_feature" \
>    --data-urlencode "subject_set.namespace=Feature" \
>    --data-urlencode "subject_set.object=featId" 
{"error":{"code":400,"status":"Bad Request","message":"incomplete subject, provide \"subject_id\" or a complete \"subject_set.*\""}}
works just like the PHP ory/client library. So, my conclusion: PHP ory/client library is not working correctly with the check permissions call when using subject_set.realation value "" (emtpy string)
e
Can you open a issue in the SDK repo?
b
I can
I guess I made the issue to wrong repo 😄
e
Ah. Still let me just notify internally and see what comes of it. Auto generation of SDKs can surface things like this. If you want to mirror it to the SDK repo that would be helpful.
b
Yes, mirrored it to SDK repo now... I just understood that SDK repo == the php sdk repo
it seems to be that createRelationship has little bit different definition than the request methods causing the attributes be "flat" instead of "structured".. function foo(a,b,c,subjet_ns, subject_id, subject_rel) vs function foo(a,b,c,['ns' => foo, 'id' => foo])
But that is explained in the issue 🙂
For now, I fixed making related: 'self' to the config and creating the relations with subjectset.relation as 'self' so also deelete/query/etc works with 'self' too
Open in Slack
PreviousNext
Powered by