Does the object support the expression like '/cats/*' to indicate all items starts with '/cats/' #1484

Open
3 of 5 tasks
ghujki opened this issue Dec 14, 2023 · 1 comment
Labels
bug Something is not working.

ghujki commented Dec 14, 2023

Preflight checklist

Ory Network Project

No response

Describe the bug

The object doesn't support expression of '*'

Reproducing the bug

I added this to the API when I was following the cats example to allow anyone to view the items under the folder of /cats:
{ "namespace": "videos", "object": "/cats/*", "relation": "view", "subject_id": "*" }

but it doesn't work as expected

Relevant log output

{
    "allowed": false
}

Relevant configuration

No response

Version

keto_0.11.1-alpha.0-windows_64bit

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

@ghujki ghujki added the bug Something is not working. label Dec 14, 2023

cmmoran commented Jan 10, 2024

I think you may be taking a narrow view of what object is. In your scenario, an object represents an entity within some arbitrary hierarchy. This isn't always the case. Some objects are just objects; no hierarchy at all.

I would submit that it's not keto's job to figure this out. This can be solved via constructs currently available within keto.

For example, if you add a parent relation to your videos namespace, you could add a permits that would allow view on an arbitrary object if that object has a parent that allows view on the given subject.

/* ... omitted for brevity ... */

// Note, I'm using "Videos" but the correct namespace name _should be_ "Video" (singular)
class Videos implements Namespace {
  related: {
    owner: Videos[]
  }

  permits = {
    can_view: (ctx: Context): boolean =>
      // permits is an object of named rules, so call can_view on each related object
      this.related.owner.traverse((o) => o.permits.can_view(ctx))
  }
}

NOTE: I did not test the above logic. The parser in my brain says it's AOK. I wasn't aiming for code completion. I wished to give an example of one theoretical way this isn't really an issue and can be implemented in one of a few different ways.
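The behaviour discussed in this thread, as an added TypeScript sketch that is not part of either comment and is not Keto's code: it assumes every tuple field is compared as an opaque string, so `/cats/*` names only an object literally called `/cats/*`, and it shows the same check succeeding once the folder is modelled through a parent relation. `Tuple`, `canView`, the depth bound, and every tuple except the one quoted from the issue are constructed for illustration.

```typescript
// Constructed model of literal relation-tuple matching; not Keto's implementation.
type Tuple = { namespace: string; object: string; relation: string; subject: string };

// The tuple from the issue: "/cats/*" is stored as a plain object name.
const wildcardAttempt: Tuple[] = [
  { namespace: "videos", object: "/cats/*", relation: "view", subject: "*" },
];

// Constructed sample data: the hierarchy is made explicit. Each video points at
// its folder with a "parent" tuple (subject holds the parent object), and the
// view grant sits on the folder itself.
const parentModel: Tuple[] = [
  { namespace: "videos", object: "/cats", relation: "view", subject: "*" },
  { namespace: "videos", object: "/cats/1.mp4", relation: "parent", subject: "/cats" },
  { namespace: "videos", object: "/cats/2.mp4", relation: "parent", subject: "/cats" },
];

// can_view := a direct "view" tuple OR can_view on any parent (recursive traversal).
function canView(
  store: Tuple[],
  namespace: string,
  object: string,
  subject: string,
  depth: number = 5
): boolean {
  // Bound the recursion so a cycle of parent tuples cannot loop forever.
  if (depth <= 0) return false;

  // Exact string equality on every field: no globbing, no prefix matching.
  const direct = store.some(
    (t) =>
      t.namespace === namespace &&
      t.object === object &&
      t.relation === "view" &&
      t.subject === subject
  );
  if (direct) return true;

  // Follow each parent tuple of this object and ask the same question there.
  return store
    .filter((t) => t.namespace === namespace && t.object === object && t.relation === "parent")
    .some((t) => canView(store, namespace, t.subject, subject, depth - 1));
}
```

Under this model an object with no parent tuple and no direct grant is denied by default, so a new video stays private until it is explicitly attached to a folder.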
