openfga.dev icon indicating copy to clipboard operation
openfga.dev copied to clipboard
verified publisher icon openfga

fix(docs): use relation 'reader' instead of 'can_view' in perform-check.mdx

Open maxloge opened this issue 8 months ago • 1 comments

Description

The "Getting Started" use inconsistent relationship names between the Update Relationship Tuples and Perform a Check sections:

Step Page Relation
1. Create tuple update-tuples.mdx reader
2. Check tuple perform-check.mdx can_view

Someone who follows the instructions in order will receive a 400 Bad Request / ValidationException when calling the Check API, even though the example in the doc claims that the result is allowed: true.

A user following the example in Python with

    body = ClientCheckRequest(
        user="user:anne",
        relation="can_view",
        object="document:Z",
    )

would get the following Traceback:

Traceback (most recent call last):
  File "<string>", line 6, in <module>
  File "<string>", line 2, in <module>
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/client/client.py", line 650, in check
    api_response = self._api.check(body=req_body, **kwargs)
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/open_fga_api.py", line 255, in check
    return self.check_with_http_info(body, **kwargs)
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/open_fga_api.py", line 388, in check_with_http_info
    return self.api_client.call_api(
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/api_client.py", line 565, in call_api
    return self.__call_api(
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/api_client.py", line 344, in __call_api
    raise e
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/api_client.py", line 278, in __call_api
    response_data = self.request(
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/api_client.py", line 641, in request
    return self.rest_client.request(
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/rest.py", line 507, in request
    self.handle_response_exception(raw_response)
  File "/home/vscode/.local/lib/python3.10/site-packages/openfga_sdk/sync/rest.py", line 333, in handle_response_exception
    raise ValidationException(http_resp=response)
openfga_sdk.exceptions.ValidationException: (400)
Reason: Bad Request

I've also updated the explanation regarding the result since:

export FGA_API_URL=http://openfga:8080 && \
export FGA_STORE_ID=01JSWBHVGB4VSPPNCCV8R4SBSW && \
export FGA_MODEL_ID=01JSWQNDX7MPVM29P39ACTH9EN

$ curl -i -s -X POST \
  "${FGA_API_URL}/stores/${FGA_STORE_ID}/check" \
  -H "Content-Type: application/json" \
  -d '{
    "authorization_model_id": "'"${FGA_MODEL_ID}"'",
    "tuple_key": {
      "user": "user:anne",
      "relation": "reader",
      "object": "document:Z"
    }
  }' && printf "\n"

returns

HTTP/1.1 200 OK
Content-Type: application/json
Openfga-Authorization-Model-Id: 01JSWQNDX7MPVM29P39ACTH9EN
Openfga-Store-Id: 01JSWBHVGB4VSPPNCCV8R4SBSW
Vary: Origin
X-Request-Id: 50d7c9e8-2400-4e48-bdea-3c42a07f9183
Date: Tue, 29 Apr 2025 02:15:53 GMT
Content-Length: 32

{"allowed":true,"resolution":""}


$ curl -i -s -X POST \
  "${FGA_API_URL}/stores/${FGA_STORE_ID}/check" \
  -H "Content-Type: application/json" \
  -d '{
    "authorization_model_id": "'"${FGA_MODEL_ID}"'",
    "tuple_key": {
      "user": "user:anne",
      "relation": "writer",
      "object": "document:Z"
    }
  }' && printf "\n"

returns

HTTP/1.1 200 OK
Content-Type: application/json
Openfga-Authorization-Model-Id: 01JSWQNDX7MPVM29P39ACTH9EN
Openfga-Store-Id: 01JSWBHVGB4VSPPNCCV8R4SBSW
Vary: Origin
X-Request-Id: c06bbc2d-d326-4422-8e59-16e92edee840
Date: Tue, 29 Apr 2025 02:16:16 GMT
Content-Length: 33

{"allowed":false,"resolution":""}

and

$ curl -i -s -X POST \
  "${FGA_API_URL}/stores/${FGA_STORE_ID}/check" \
  -H "Content-Type: application/json" \
  -d '{
    "authorization_model_id": "'"${FGA_MODEL_ID}"'",
    "tuple_key": {
      "user": "user:anne",
      "relation": "can_view",
      "object": "document:Z"
    }
  }' && printf "\n"

returns

HTTP/1.1 400 Bad Request
Content-Type: application/json
Openfga-Authorization-Model-Id: 01JSWQNDX7MPVM29P39ACTH9EN
Openfga-Store-Id: 01JSWBHVGB4VSPPNCCV8R4SBSW
Vary: Origin
X-Request-Id: afff79c3-cf8b-4d9d-a7fa-c9bd189786f9
Date: Tue, 29 Apr 2025 02:16:40 GMT
Content-Length: 79

{"code":"validation_error","message":"relation 'document#can_view' not found"}

Fix

In perform-check.mdx, change the example relation from can_view to reader so it matches the tuple created in the previous page and the relation that is used in the other pages of the Getting Started section of the documentation.

After the fix, the end-to-end example executed by a user reading the documentation linearly using the instructions of the precedent page will works as expected.

The explanation below the example regarding the expected result has also been updated to be more specific.

References

The mismatch is visible on these pages:

  • Tuple write example (uses reader): https://openfga.dev/docs/getting-started/update-tuples#02-calling-write-api-to-add-new-relationship-tuples
  • Check example (uses can_view): https://openfga.dev/docs/getting-started/perform-check#02-calling-check-api

Review Checklist

  • [x] I have clicked on "allow edits by maintainers".
  • [ ] I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • [x] The correct base branch is being used, if not main
  • [ ] I have added tests to validate that the change in functionality is working as expected

maxloge avatar Apr 28 '25 23:04 maxloge

Thanks @maxloge - will take a look at this soon!

rhamzeh avatar May 06 '25 02:05 rhamzeh