
An actor granted a write permission still can't write unless also given read permission

Open shahzadlone opened this issue 5 months ago • 12 comments


Example Policy where reader can strictly only read and writer can strictly only write:

name: Test Policy

description: A Policy

actor:
  name: actor

resources:
  users:
    permissions:
      read:
        expr: owner + reader

      write:
        expr: owner + writer

    relations:
      owner:
        types:
          - actor

      reader:
        types:
          - actor

      writer:
        types:
          - actor

Then the policy above (assume XYZ is the resulting policyID) is linked in a schema that is loaded:

type Users @policy(id: XYZ, resource: "users") {
	name: String
	age: Int
}

Now, if the owner (index 1) makes a relationship giving write access to the second actor (index 2), in our testing-framework-like syntax:

testUtils.AddDocActorRelationship{
	DocID: 0,
	RequestorIdentity: 1,
	TargetIdentity: 2,
	Relation: "writer",
}

Identity 2 still cannot mutate, due to lack of read permission.

testUtils.UpdateDoc{
	Identity: immutable.Some(2), // This identity can still not update.
	DocID: 0,
	Doc: `
		{
			"name": "Shahzad Lone"
		}
	`,
	ExpectedError: "document not found or not authorized to access",
}

Some existing tests that document this:

  • TestACP_OwnerGivesUpdateWriteAccessToAnotherActorWithoutExplicitReadPerm_OtherActorCantUpdate
  • TestACP_OwnerGivesUpdateWriteAccessToAnotherActorWithoutExplicitReadPerm_OtherActorCantDelete

shahzadlone Sep 10 '24 20:09
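Added here as an illustration (not DefraDB code): a small Go model of the policy in the issue, in which an update is authorised only when the actor holds both a read-granting and a write-granting relation, reproducing the denial identity 2 runs into. The relKey/Relationships store and the read-before-write ordering in Update are assumptions standing in for DefraDB's ACP module.

```go
package main

import (
	"errors"
	"strings"
)

// Error string quoted in the issue for a blocked update.
var ErrNotAuthorized = errors.New("document not found or not authorized to access")
// Policy maps a permission to the relations granting it, parsed from
// expressions such as "owner + reader" (only the '+' union form is modelled).
type Policy map[string][]string

func ParsePolicy(perms map[string]string) Policy {
	p := Policy{}
	for perm, expr := range perms {
		for _, rel := range strings.Split(expr, "+") {
			p[perm] = append(p[perm], strings.TrimSpace(rel))
		}
	}
	return p
}

// Relationships is a constructed stand-in for the relationship store:
// the (docID, relation, actor) tuples granted via AddDocActorRelationship.
type relKey struct{ doc int; rel string; actor int }
type Relationships map[relKey]bool

func (r Relationships) Add(docID int, relation string, actor int) {
	r[relKey{docID, relation, actor}] = true
}

// Has reports whether actor holds any relation that grants perm on docID.
func (p Policy) Has(r Relationships, perm string, docID, actor int) bool {
	for _, rel := range p[perm] {
		if r[relKey{docID, rel, actor}] {
			return true
		}
	}
	return false
}

// Update models the observed behaviour (assumption: the document is fetched under
// read before write is checked, so a writer lacking read sees "not found or not authorized").
func (p Policy) Update(r Relationships, docID, actor int) error {
	if !p.Has(r, "read", docID, actor) || !p.Has(r, "write", docID, actor) {
		return ErrNotAuthorized
	}
	return nil
}
```

Granting identity 2 the reader relation as well (a second Add call) is what makes Update return nil; a write-only grant is silently useless under this model.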