Hello!
I faced a problem which is trivial at first glance, but I still haven't found any elegant way of dealing with it.
When creating relations between definitions, is it possible to make a "parent" permission depend on a "child" permission?
I'll give an example:
I have a site with many sections. The site has admin and moderator roles, where moderator roles are given only for separate sections, and the admin role is global.
Here is a simplified schema:

```
definition user {}

definition site {
    relation site_admin: user

    permission is_site_admin = site_admin
    permission can_view_admin_panel = site_admin
}

definition section {
    relation site: site
    relation section_moderator: user

    permission can_view_admin_panel = site->can_view_admin_panel + section_moderator
    permission can_edit_article = site->is_site_admin + section_moderator
}
```

From the docs I know that I can inherit permissions from the site in the section (to give the edit right to an admin on any entity, for example). But I don't know if there is a way to inherit permissions backwards.
For example, the site has 100 sections and a moderator has access to just 1 of them. Now, to check if a user can enter the admin site, I'm making 1 check for the site + 100 checks (1 per section) for sections, to see if the user has the can_view_admin_panel permission in at least one of them.
It seems so tempting to have a way of just checking site->can_view_admin_panel based on "has at least one can_view_admin_panel permission in linked sections".
Is it possible to do this check simply with authzed? Or maybe I designed this schema wrong from the very beginning?
Can you recommend an idiomatic way of resolving this kind of problem, please?
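
One way to model the "at least one linked section" check described above, as an added example that is not part of the original post and not taken from the SpiceDB project: give `site` a back-reference to its sections and walk it with an arrow, which evaluates to the union over every related section, so a single check on the site replaces the 1 + 100 checks. The `section` relation, the `is_section_moderator` permission and the object ids in the comments are assumptions introduced for illustration.

```zed
definition user {}

definition site {
    relation site_admin: user

    // Assumed back-reference: one relationship is written per section,
    // e.g. site:main#section@section:news (constructed ids).
    relation section: section

    permission is_site_admin = site_admin

    // True for a site admin, or for a moderator of at least one section
    // linked through the `section` relation.
    permission can_view_admin_panel = site_admin + section->is_section_moderator
}

definition section {
    relation site: site
    relation section_moderator: user

    // Narrow permission for the site-level arrow to target. It does not
    // look back at the site.
    permission is_section_moderator = section_moderator

    // Inherits from is_site_admin rather than site->can_view_admin_panel:
    // the site-level permission now includes moderators of any section,
    // so inheriting it here would let a moderator of one section view
    // every other section, and the two definitions would reference each
    // other in a loop.
    permission can_view_admin_panel = site->is_site_admin + section_moderator
    permission can_edit_article = site->is_site_admin + section_moderator
}
```

Each section then needs two relationships, `section:X#site@site:main` and `site:main#section@section:X`, and both have to be written and deleted together or the site-level check will drift from the per-section ones.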