OPL: Incorrect Evaluation of Permissions in Ory Keto

[LukaGiorgadze]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [X] I have joined the Ory Community Slack.
• [X] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

When evaluating user permissions in Ory Keto, a discrepancy occurs based on the order of user group checks. When a user is only in the "owners" group, the expected behavior is to return True for the itemView perm. However, when the line this.related.owners.includes(ctx.subject) is moved up in the code block, while keeping the rest of the logic identical, the function incorrectly returns False. This issue arises despite the fact that the code remains technically the same.

This discrepancy manifests when incorporating a check for blocked users, denoted by !this.related.blockedUsers.includes(ctx.subject) && (). The unexpected behavior undermines the intended functionality of permission evaluation and could potentially lead to incorrect access control decisions.

class User implements Namespace {}

class LegalEntityUserGroup implements Namespace {
  related: {
    // predefined roles
    owners: User[];
    administrators: User[];
    creators: User[];
    viewers: User[];
    members: User[];
  };
}

class BlockedUserGroup implements Namespace {
  related: {
    blockedUsers: User[];
  };
}

class LegalEntity implements Namespace {
  related: {
    // pre-deifned roles
    owners: SubjectSet<LegalEntityUserGroup, "owners">[];
    administrators: SubjectSet<LegalEntityUserGroup, "administrators">[];
    creators: SubjectSet<LegalEntityUserGroup, "creators">[];
    viewers: SubjectSet<LegalEntityUserGroup, "viewers">[];
    members: SubjectSet<LegalEntityUserGroup, "members">[];
    blockedUsers: SubjectSet<BlockedUserGroup, "blockedUsers">[];
  };

  permits = {
    own: (ctx: Context): boolean =>
        !this.related.blockedUsers.includes(ctx.subject) &&
        this.related.owners.includes(ctx.subject),

    itemView: (ctx: Context): boolean =>
      !this.related.blockedUsers.includes(ctx.subject) &&
      (this.related.administrators.includes(ctx.subject) ||
      this.related.creators.includes(ctx.subject) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) || // ⚠️ move this line up and it it won't work.
      this.related.members.includes(ctx.subject)),

  };
}

Reproducing the bug

1. Add User in LegalEntityUserGroup as owner use object legalentity_123;
2. Relate LegalEntityUserGroup to LegalEntity
3. Send request:

./check
?namespace=LegalEntity
&relation=itemView
&object=legalentity_123
&subject_set.namespace=User
&subject_set.object=user_123
&subject_set.relation=

Relevant log output

No response

Relevant configuration

No response

Version

v0.11.1-alpha.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response