unexpected expand/lookup behaviour with wildcard permissions #358
Assignees
Labels
area/api v0
Affects the v0 API
area/tooling
Affects the dev or user toolchain (e.g. tests, ci, build tools)
kind/bug
Something is broken or regressed
priority/2 medium
This needs to be done
Comments
|
Appears that we need to support wildcard in the subjectset that the developer API is using for its expected relations determination: spicedb/pkg/membership/membership.go Line 192 in 6f66209 |
josephschorr
added
area/api v0
|
After discussion, we might also need to do handle in Lookup (Expand already has it in the correct place) |
|
Closed by recent fixes, as addressed in GHSA-7p8f-8hjm-wm92. See commit: 15bba2e |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Reproduction: https://play.authzed.com/s/Ay9ZZJBrGDKu (check validation tab)
As I run some experiments with the new wildcard permissions feature, I stumbled upon an apparently unexpected behaviour when doing lookup/expand. Permissions that effectively end up in
user* & usersetbehave correctly with Check API, but not with Lookup/Expand API (which is presumably what's used in thevalidationtab in the playground).In the original issue, we discussed that SpiceDB will have special treatment to
user:*relationship when performing Lookup/Expand API, which is reasonable because it would lead to "listing all public resources" phenomenon. However, whenuser:*is chained with other algebraic operators like&and-, I think the current implementation semantics seem unexpected. The desirable outcome would be:<user:userset> - <user:*> = empty<user:userset> & <user:*> = <user:userset>The text was updated successfully, but these errors were encountered: