Preflight checklist
Ory Network Project
No response
Describe the bug
When checking permissions of a (User | SubjectSet<Group,"members")[] union, the users are only resolved by "...includes(ctx.subject)" if the group they belong to is the directly attached subject set.
However, directly querying the relation itself will still correctly return the users attached to it.
This behaviour is also exhibited by expand. Where the user subject_id leaf nodes only appear if the group subject set is the direct child.
Reproducing the bug
Create a keto namespace config that uses the User and Group types from the tutorial (including the (User | Group)[] union type for the members relation)
Create a new type that has a (User | SubjectSet<Group,"members")[] union relation and a permission that resolves to this.relation.relationname.includes(ctx.subject)
Create two group objects.
Set Group 1's member subject set to be members of Group 2.
Set a user to be a member of Group 1.
Set Group 2's subject set to be part of the relation on the third type.
Finally, query keto, once against the relation and once against the permit. The relation will fail and the permit will succeed.
Relevant log output
Relevant configuration
import type { Namespace, Context, SubjectSet } from "@ory/keto-namespace-types"
class User implements Namespace {}
class Group implements Namespace {
related: {
members: (User | Group)[]
}
}
class Feature implements Namespace {
related: {
readers: (User | SubjectSet<Group, "members">)[]
editors: (User | SubjectSet<Group, "members">)[]
}
permits = {
read: (ctx: Context): boolean =>
this.related.readers.includes(ctx.subject) || this.related.editors.includes(ctx.subject),
edit: (ctx: Context): boolean =>
this.related.editors.includes(ctx.subject)
}
}
Version
0.14.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response
Preflight checklist
Ory Network Project
No response
Describe the bug
When checking permissions of a (User | SubjectSet<Group,"members")[] union, the users are only resolved by "...includes(ctx.subject)" if the group they belong to is the directly attached subject set.
However, directly querying the relation itself will still correctly return the users attached to it.
This behaviour is also exhibited by expand. Where the user subject_id leaf nodes only appear if the group subject set is the direct child.
Reproducing the bug
Create a keto namespace config that uses the User and Group types from the tutorial (including the (User | Group)[] union type for the members relation)
Create a new type that has a (User | SubjectSet<Group,"members")[] union relation and a permission that resolves to this.relation.relationname.includes(ctx.subject)
Create two group objects.
Set Group 1's member subject set to be members of Group 2.
Set a user to be a member of Group 1.
Set Group 2's subject set to be part of the relation on the third type.
Finally, query keto, once against the relation and once against the permit. The relation will fail and the permit will succeed.
Relevant log output
Relevant configuration
Version
0.14.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response