Fix inversion of negation permissions

aserto-dev · Jul 13, 2024 · 0b446f2 · 0b446f2
1 parent c294797
commit 0b446f2
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/graph/check_test.yaml b/graph/check_test.yaml
@@ -62,6 +62,12 @@ types:
       can_share: can_write & parent->can_share
       can_invite: parent->can_read - viewer
 
+      # viewer can be user or group but owner can only be user
+      negation_type_subset: viewer - owner
+
+      # viewer can be user or group but owner can only be user
+      intersection_type_subset: viewer & owner
+
   cycle:
     relations:
       parent: cycle

diff --git a/model/inverse.go b/model/inverse.go
@@ -55,6 +55,22 @@ func (i *inverter) invert() *Model {
 		}
 	}
 
+	for _, o := range i.im.Objects {
+		for _, p := range o.Permissions {
+			if !p.IsExclusion() {
+				continue
+			}
+
+			if p.Exclusion.Exclude == nil {
+				// It is possible for the 'Exclude' term to be empty in in inverted model if the object type
+				// cannot have the relation/permission being excluded.
+				// In this case, the exclusion permission becomes a single-term union.
+				p.Union = PermissionTerms{p.Exclusion.Include}
+				p.Exclusion = nil
+			}
+		}
+	}
+
 	return i.im
 }
 

diff --git a/model/types.go b/model/types.go
@@ -227,6 +227,9 @@ type PermissionTerm struct {
 }
 
 func (pr *PermissionTerm) String() string {
+	if pr == nil {
+		return "<nil>"
+	}
 	s := string(pr.RelOrPerm)
 	if pr.Base != "" {
 		s = string(pr.Base) + "->" + s