OPL parent permissions not working #1320
Comments
I'm not getting the same results. When I test using your exact parameters, I'm seeing the check pass as expected. What are your exact arguments to the
when, according to your definitions above you should be doing:
The reason your check would be failing is subtle. Your entry/entries for adding Tom and John as members of the developer group goes to the heart of an unrelated issue/concern that someone else has raised. That is the question of subject-id vs subject-sets. You added Tom and John, not as a simple subject-id but as a subject-set, thereby locking forever your necessity to always refer to Tom and John using their full subject-set when performing checks where Tom or John are the subject:
Incidentally, and as an aside, if you were to change the definition from:
to
your issue would be partially solved. In my fork of keto, I've added some fairly material improvements that would get you the rest of the way. In my fork the following would be the results:
Given:
with your OPL you would get the following
Preflight checklist
Describe the bug
I am trying to run the rewrite example in Ory Keto; this is my permission file:
Basically, I want any user having viewers access on the parent to have viewer access for any of the children. I created user group developer that has viewers access for folder keto/, and folder keto/ is the parent of folder keto/src/. I have two users in the developer group.
When I run a check for viewers access for the user in developer to keto/ it gives me allowed true, but when I run a check for viewers access for keto/src/ it gives me false, even though the parent has the viewers access. As far as I could understand from the permission file, the user should have viewers access for the children as well. I tried asking in the Slack but it didn't solve that.
Reproducing the bug
Relevant log output
No response
Relevant configuration
Version
0.11.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
These are my relationship tuples:
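Added example, not part of the original issue or of the Keto code base: a simplified TypeScript model of a relation-tuple check, illustrating the subject-id versus subject-set distinction raised in the comment together with the parent-folder inheritance the issue asks about. The namespace names (`Folder`, `Group`, `User`), the tuples and the rewrite rule are assumptions, since the issue's own OPL and tuples are not shown on this page.

```typescript
// Simplified model of a Zanzibar-style check; NOT Ory Keto's implementation.
// Namespace, object and relation names are assumptions based on the issue text.
type Subject =
  | { kind: "id"; id: string }
  | { kind: "set"; ns: string; obj: string; rel: string };
interface Tuple { ns: string; obj: string; rel: string; sub: Subject }

const id = (s: string): Subject => ({ kind: "id", id: s });
const set = (ns: string, obj: string, rel: string = ""): Subject =>
  ({ kind: "set", ns, obj, rel });

// Constructed tuples: Tom is stored as a subject set, John as a plain subject id.
const tuples: Tuple[] = [
  { ns: "Group", obj: "developer", rel: "members", sub: set("User", "Tom") },
  { ns: "Group", obj: "developer", rel: "members", sub: id("John") },
  { ns: "Folder", obj: "keto/", rel: "viewers", sub: set("Group", "developer", "members") },
  { ns: "Folder", obj: "keto/src/", rel: "parents", sub: set("Folder", "keto/") },
];

// Subjects match only when they are the same kind and every field is equal,
// so id "Tom" never equals the set User:Tom#.
function same(a: Subject, b: Subject): boolean {
  if (a.kind === "id" && b.kind === "id") return a.id === b.id;
  if (a.kind === "set" && b.kind === "set")
    return a.ns === b.ns && a.obj === b.obj && a.rel === b.rel;
  return false;
}

function check(ns: string, obj: string, rel: string, sub: Subject, depth: number = 5): boolean {
  if (depth === 0) return false; // bound the recursion, as a max-depth setting would
  for (const t of tuples) {
    if (t.ns !== ns || t.obj !== obj) continue;
    const s = t.sub;
    if (t.rel === rel) {
      if (same(s, sub)) return true; // direct match
      // Expand an indirection such as Group:developer#members.
      if (s.kind === "set" && s.rel !== "" && check(s.ns, s.obj, s.rel, sub, depth - 1))
        return true;
    }
    // Assumed rewrite: viewers of a parent folder are viewers of the child.
    if (ns === "Folder" && rel === "viewers" && t.rel === "parents" && s.kind === "set" &&
        check(s.ns, s.obj, "viewers", sub, depth - 1)) return true;
  }
  return false;
}
```

In this model the inherited check on `keto/src/` succeeds for John as a subject id, and for Tom only when the check names him with the same subject set that was written.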