keto
keto copied to clipboard
OPL: Incorrect Evaluation of Permissions in Ory Keto
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
When evaluating user permissions in Ory Keto, a discrepancy occurs based on the order of user group checks. When a user is only in the "owners" group, the expected behavior is to return True
for the itemView
perm. However, when the line this.related.owners.includes(ctx.subject)
is moved up in the code block, while keeping the rest of the logic identical, the function incorrectly returns False
. This issue arises despite the fact that the code remains technically the same.
This discrepancy manifests when incorporating a check for blocked users, denoted by !this.related.blockedUsers.includes(ctx.subject) && ()
. The unexpected behavior undermines the intended functionality of permission evaluation and could potentially lead to incorrect access control decisions.
class User implements Namespace {}
class LegalEntityUserGroup implements Namespace {
related: {
// predefined roles
owners: User[];
administrators: User[];
creators: User[];
viewers: User[];
members: User[];
};
}
class BlockedUserGroup implements Namespace {
related: {
blockedUsers: User[];
};
}
class LegalEntity implements Namespace {
related: {
// pre-deifned roles
owners: SubjectSet<LegalEntityUserGroup, "owners">[];
administrators: SubjectSet<LegalEntityUserGroup, "administrators">[];
creators: SubjectSet<LegalEntityUserGroup, "creators">[];
viewers: SubjectSet<LegalEntityUserGroup, "viewers">[];
members: SubjectSet<LegalEntityUserGroup, "members">[];
blockedUsers: SubjectSet<BlockedUserGroup, "blockedUsers">[];
};
permits = {
own: (ctx: Context): boolean =>
!this.related.blockedUsers.includes(ctx.subject) &&
this.related.owners.includes(ctx.subject),
itemView: (ctx: Context): boolean =>
!this.related.blockedUsers.includes(ctx.subject) &&
(this.related.administrators.includes(ctx.subject) ||
this.related.creators.includes(ctx.subject) ||
this.related.viewers.includes(ctx.subject) ||
this.related.owners.includes(ctx.subject) || // ⚠️ move this line up and it it won't work.
this.related.members.includes(ctx.subject)),
};
}
Reproducing the bug
- Add User in LegalEntityUserGroup as owner use object legalentity_123;
- Relate LegalEntityUserGroup to LegalEntity
- Send request:
./check
?namespace=LegalEntity
&relation=itemView
&object=legalentity_123
&subject_set.namespace=User
&subject_set.object=user_123
&subject_set.relation=
Relevant log output
No response
Relevant configuration
No response
Version
v0.11.1-alpha.0
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker Compose
Additional Context
No response