For DX reasons, because user:* has a very specific interpretation when used as a user, we should not allow objects to be user:* (user:an*ne and user:*anne* should still be allowed). Allowing them leads to confusion and causes some users to mistakenly think that the below means anne will have access to all documents:
One way of doing this is by changing this ID regex from:
[^#:\\s]+
to
(?=[^\\*])[^#:\\s]+
but other methods are also OK.
The result should be that calling ValidateObject('user:*') or ValidateUser('team:*#member') should fail, but ValidateUser('user:*') should succeed.
Note that the OpenFGA API currently allows user:* and document:* as an object, and this would be a breaking change.
We should raise this with the server team as well as with the community to ensure that their use-cases are still being met (in case anyone is using <type>:* as an object).
As part of the new validation functions, object uses the object and the type + id rules; user uses object, object + relation, or type + id.
See: https://github.com/openfga/language/blob/main/pkg/js/validator/validate-rules.ts
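The validation behaviour the issue asks for (reject the bare wildcard as an object, keep it as a typed-wildcard user, keep ids that merely contain `*`), as an added example that is not the openfga/language code. It takes the "other methods are also OK" route of parsing the string and checking the id rather than the proposed lookahead regex; the type and relation rules, the helper names and the return shape are assumptions, only the id rule `[^#:\s]+` is taken from the issue.

```typescript
// Added example (not openfga/language code). TYPE_RE and RELATION_RE are assumed;
// ID_RE is the current id rule quoted in the issue.
const TYPE_RE = /^[a-zA-Z0-9_-]+$/;      // assumed type-name rule
const RELATION_RE = /^[a-zA-Z0-9_-]+$/;  // assumed relation-name rule
const ID_RE = /^[^#:\s]+$/;              // id rule from the issue: anything but '#', ':' or whitespace

interface Parsed { type: string; id: string; relation: string | undefined }

// Split "type:id" or "type:id#relation" into its parts; null if any part is malformed.
function parse(s: string): Parsed | null {
  const colon = s.indexOf(":");
  if (colon < 0) return null;
  const type = s.slice(0, colon);
  let rest = s.slice(colon + 1);
  let relation: string | undefined;
  const hash = rest.indexOf("#");
  if (hash >= 0) {
    relation = rest.slice(hash + 1);
    rest = rest.slice(0, hash);
  }
  if (!TYPE_RE.test(type) || !ID_RE.test(rest)) return null;
  if (relation !== undefined && !RELATION_RE.test(relation)) return null;
  return { type, id: rest, relation };
}

// An object is type:id with no relation. The bare wildcard id '*' is rejected
// (the change this issue asks for); ids that merely contain '*' stay valid.
function validateObject(s: string): boolean {
  const p = parse(s);
  return p !== null && p.relation === undefined && p.id !== "*";
}

// A user is an object, an object#relation, or the typed wildcard type:*.
// Only the userset form needs a real (non-wildcard) object in front of '#'.
function validateUser(s: string): boolean {
  const p = parse(s);
  if (p === null) return false;
  if (p.relation === undefined) return true; // object or type:* are both valid users
  return p.id !== "*";                       // team:*#member is not
}
```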