# Hi I'm trying out Permify for my


odd cobalt

Hi @quick wave, welcome to the community 👋

Regarding your question, I think modifying the folder entity should be enough:

entity folder {
    relation owner @user
    relation creator @user
    relation reviewer @user
    relation group @projectGroup
    relation project @project  // Add this line

    permission edit = owner or group.owner
    permission question_create = creator or owner or group.owner
    permission view = reviewer or creator or owner or group.owner
    permission folder_create = owner or group.owner or project.owner  // Modify this line
}

Does this make sense?

quick wave

Not really, because folder has no relation with project. It's created inside group, so that's why I put the folder_create permission in the group entity, because in the end I will need to verify something like 'is userX able to create folder in groupY'.

odd cobalt

So what about moving the folder_create permission to the project entity?

By doing this we are stating every project owner can create folder.

quick wave

I think it's the same problem because folder is not a sub-object of project.
I'm actually trying to authorize this endpoint: POST /api/group/{group_id}/folder
which has no information about the project.

Another workaround I could think of is explicitly adding the project_owner relation in the group:

entity projectGroup {
    relation owner @user
    relation project_owner @user

    permission view = owner
    permission edit = owner
    permission project_create = owner
    permission folder_create = owner or project_owner
}

Just wondering if there's a more elegant way to do this 😅

odd cobalt

Since we cannot get the project_id from the endpoint, we should add it under projectGroup as you said. The access check payload would be similar to this:

{
    entity: {
        type: "projectGroup",
        id: "{group_id}"
    },
    permission: "folder_create",
    subject: {
        type: "user",
        id: "{user_id}"
    }
}

and it will evaluate if user_id has the project_owner relation in the given projectGroup. That should work fine, but tbh it's not a good DX, since it's better to get project owners from the project entity since we already implemented the projectGroup relation there. I will think about this a little more and circle back if I find something more elegant.