if my DSL is something like this:


tender zodiac

Hello @lofty furnace ,

entity user {}

entity group {
  relation supervisor @user
  relation member @user
}

entity submission {
  relation group @group

  relation owner @user
  action view = owner or (group.member and group.supervisor)
}

If you design it this way, it completely satisfies the requirement: 'Is it possible to declare that a supervisor can view a submission as long as one of the members can?'

Could you explain why you don’t want to add a group relation to the submission entity?

lofty furnace

In the case of a user joining/leaving a group, does it mean I have to unlink/link all the user's submissions (add and delete some tuples) to the new group as well for this to work?

lofty furnace

Hi @tender zodiac , (sorry for the ping, just bumping my follow up question 🙏 )

To elaborate on what I am trying to do (maybe this is an XY problem, I am not sure):

I may have more than two kinds of groups

  • one kind of group for classes (that may have a supervisor)
  • and the other kinds (possibly one group per assignment if the assignment requires a group submission)

so if a student is in Group A (his class) and makes 2 group submissions (to problem 1 with Group B) and (problem B with group C), it sounds like I would have to link all the submissions to group A, which sounds like a duplication of data that seems to be there (membership in group A), so I was wondering if it was possible to not do that.

lament hound

hi @lofty furnace, I have a couple of questions about this use-case.

  • can any supervisor of a class where a student is enrolled see any submissions of that particular student?
  • why do you structure assignments and classes at the same level? is there any reason for that?

lofty furnace

hi @lament hound!

  1. yes
  2. hmm, what I am trying to do is:
  • suppose there is a course of 400 students, there could be smaller classes (group) of about 20 people (tutorial groups with a teaching assistant)
  • all students need to complete the assignment (make a submission)

so for me they ("group") both belong to the course

(I guess my concern with linking a submission to a group directly is that if the user changes groups it sounds like I need to look up all the user's submissions to change the groups to keep it consistent, and I am not sure if that is normal)

Here's my current perm file in case I missed out important information

entity user {}

entity role {
    relation assignee @user
}

entity organisation {
    relation owner @user

    relation admin @user
    relation observer @user

    action edit_roles = owner
    action delete = owner
    action edit = delete or admin
    action view = edit or observer
}

entity project {
    relation org @organisation
    relation member @user
    
    // assignable to roles
    relation view_problems_access @role#assignee
    relation create_problems_access @role#assignee
    relation edit_problems_access @role#assignee
    relation delete_problems_access @role#assignee

    relation view_restricted_problems_access @role#assignee
    relation edit_restricted_problems_access @role#assignee
    relation delete_restricted_problems_access @role#assignee

    relation make_submission_access @role#assignee
    relation view_own_submission_access @role#assignee
    relation view_others_submission_access @role#assignee

    // actions from above roles (to combine with org permissions)
    action create_problems = org.edit or create_problems_access
    
    action view = view_restricted_problems or view_unrestricted_problems

    action view_restricted_problems = org.view or view_restricted_problems_access
    action view_unrestricted_problems = view_restricted_problems or view_problems_access 
    action edit_restricted_problems = org.edit or edit_restricted_problems_access
    action edit_unrestricted_problems = edit_restricted_problems or edit_restricted_problems_access
    action delete_restricted_problems = org.edit or delete_restricted_problems_access
    action delete_unrestricted_problems = delete_restricted_problems or delete_problems_access

    action make_submission = org.edit or make_submission_access
    action view_others_submission = org.view or view_others_submission_access
    action view_own_submission = view_others_submission or view_own_submission_access

    action view_roles = org.view
    action edit_roles = org.edit
    action add_roles = edit_roles
    action delete_roles = edit_roles
}

entity problem {
    relation project @project

    // for special problems (e.g. exam problems)
    attribute restricted boolean

    action view = (project.view_restricted_problems) or (project.view_unrestricted_problems not restricted)
    action edit = (project.edit_restricted_problems) or (project.edit_unrestricted_problems not restricted)
    action delete = (project.delete_restricted_problems) or (project.delete_unrestricted_problems not restricted)

    permission make_submission = view and project.make_submission
    permission view_own_submission = view and project.view_own_submission
    permission view_others_submission = view and project.view_others_submission
}

entity group {
    relation member @user
}

entity submission {
    relation problem @problem

    // only one of these two should be non-empty
    relation owner @user
    relation group_owner @group

    action view = ((owner or group_owner.member) and problem.view_own_submission) or (problem.view_others_submission not owner)
}

(thank you!)
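As an added illustration (not part of the thread, and not code from the schema language or any project discussed in it), the following Python model compares the two tuple layouts the thread is weighing: the layout tender zodiac proposed, where each submission carries a copy of the owner's class in its own tuple, and the layout lofty furnace is asking for, where class membership is stored once on the class and the check walks submission → owner → class → supervisor. The entity and relation names (`class`, `supervisor`, `member`, `owner`), the users `sam`, `ta_a`, `ta_b` and the tuple store itself are constructed for this example; the interesting outputs are how many tuple writes a class change costs in each layout, and what happens when the copied tuples are not rewritten.

```python
"""Constructed example: a toy relationship-tuple store and two check functions.

Layout A ("submission->class"): every submission holds a `class` tuple copied
from the owner's membership, so a class change must rewrite each submission.
Layout B ("user->class"): membership lives only on the class; the check does a
reverse lookup from the owner to the classes that list them as a member.
All names here (class, supervisor, member, owner, sam, ta_a, ta_b) are
assumptions chosen for the illustration.
"""
from collections import defaultdict


class TupleStore:
    """Relationship tuples (object, relation, subject); every field is a string."""

    def __init__(self):
        self._rel = defaultdict(set)   # (object, relation) -> {subject, ...}
        self.writes = 0                # tuple inserts and deletes performed

    def add(self, obj, relation, subject):
        self._rel[(obj, relation)].add(subject)
        self.writes += 1

    def remove(self, obj, relation, subject):
        self._rel[(obj, relation)].discard(subject)
        self.writes += 1

    def subjects(self, obj, relation):
        """Forward lookup: subjects related to obj through relation."""
        return set(self._rel.get((obj, relation), ()))

    def objects(self, relation, subject, type_prefix):
        """Reverse lookup: objects of the given type holding subject in relation."""
        return {obj for (obj, rel), subs in self._rel.items()
                if rel == relation and obj.startswith(type_prefix) and subject in subs}


def can_view_via_submission_group(store, submission, viewer):
    """Layout A: owner, or supervisor of the class tuple stored on the submission."""
    if viewer in store.subjects(submission, "owner"):
        return True
    return any(viewer in store.subjects(cls, "supervisor")
               for cls in store.subjects(submission, "class"))


def can_view_via_user_class(store, submission, viewer):
    """Layout B: owner, or supervisor of any class the owner is currently in."""
    owners = store.subjects(submission, "owner")
    if viewer in owners:
        return True
    return any(viewer in store.subjects(cls, "supervisor")
               for owner in owners
               for cls in store.objects("member", owner, "class:"))


def move_student_layout_a(store, student, old_cls, new_cls):
    """Layout A: rewrite the membership AND the class tuple on every submission."""
    store.remove(old_cls, "member", student)
    store.add(new_cls, "member", student)
    for sub in store.objects("owner", student, "submission:"):
        store.remove(sub, "class", old_cls)
        store.add(sub, "class", new_cls)


def move_student_layout_b(store, student, old_cls, new_cls):
    """Layout B: only the two membership tuples change."""
    store.remove(old_cls, "member", student)
    store.add(new_cls, "member", student)


def build(layout, n_submissions):
    """Constructed fixture: sam is in class A, ta_a/ta_b supervise A/B."""
    s = TupleStore()
    s.add("class:A", "supervisor", "user:ta_a")
    s.add("class:B", "supervisor", "user:ta_b")
    s.add("class:A", "member", "user:sam")
    for i in range(n_submissions):
        sub = f"submission:{i}"
        s.add(sub, "owner", "user:sam")
        if layout == "A":
            s.add(sub, "class", "class:A")   # the copied relation
    s.writes = 0   # count only the writes caused by the class change below
    return s


def compare_move_cost(n_submissions=5):
    """Return (writes in layout A, writes in layout B, both checks consistent)
    for moving sam from class A to class B."""
    a = build("A", n_submissions)
    move_student_layout_a(a, "user:sam", "class:A", "class:B")
    b = build("B", n_submissions)
    move_student_layout_b(b, "user:sam", "class:A", "class:B")
    sub = "submission:0"
    consistent = (can_view_via_submission_group(a, sub, "user:ta_b")
                  and not can_view_via_submission_group(a, sub, "user:ta_a")
                  and can_view_via_user_class(b, sub, "user:ta_b")
                  and not can_view_via_user_class(b, sub, "user:ta_a")
                  and can_view_via_user_class(b, sub, "user:sam"))
    return a.writes, b.writes, consistent


def stale_copy_leak(n_submissions=3):
    """Layout A when the application updates membership but forgets the
    per-submission class tuples: returns (old supervisor sees, new one sees)."""
    a = build("A", n_submissions)
    move_student_layout_b(a, "user:sam", "class:A", "class:B")   # membership only
    return (can_view_via_submission_group(a, "submission:0", "user:ta_a"),
            can_view_via_submission_group(a, "submission:0", "user:ta_b"))


if __name__ == "__main__":
    print(compare_move_cost(5))   # (12, 2, True)
    print(stale_copy_leak())      # (True, False)
```

The write counts make the duplication concrete: with the class copied onto each submission, a class change touches 2 + 2N tuples, and if any of those rewrites is missed the former supervisor keeps access to the student's work while the new one has none, which is an authorization-staleness problem rather than a mere storage one. The single-copy layout costs two writes and the checks stay correct by construction; whether the thread's schema language can express that reverse walk directly, or needs the membership declared on the user entity instead, is the question the follow-ups are circling.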