Individual permissions can't be checked with REST API
kaiba42 opened this issue · 4 comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
https://inspiring-lichterman-l25lz6u2q1.projects.oryapis.com
Describe the bug
In Ory Permission Language, a user defines a namespace, and the relations
(defined as related
) and permits
for objects within that namespace.
Keto has one REST API endpoint for checking the permissions of a subject: relation-tuples/check
.
This endpoint takes 4 arguments (passed as either query params for GET requests, or in a JSON body for POST requests):
- namespace
- object
- relation
- subject_id
None of these arguments specify the permission to be checked against the permits
in a permissions model defined with Ory Permission Language. The caller is only able to check against the relations
in a permissions model.
This seems like a fundamental issue, or there may be some alternative endpoint that checks against permits
that I am unaware of.
Reproducing the bug
None -- the bug is the absence of core functionality.
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
None
In which environment are you deploying?
Ory Network
Additional Context
No response
I see that keys from both permits
and related
can be passed to the relation
input.
There aren't any docs that tell you what can be passed into the relation input though. I feel like that's pretty key to using Ory Keto. The documentation for the relation argument is currently:
relation | string | Relation to query
This is not informative of usage.
Totally agree, lost some time trying to understand exactly what you described.
+1 to this - it's very confusing