+ "details": "### Impact\n\nOn schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.\n\nFor example, given this schema:\n\n```\ndefinition user {}\n\ndefinition office {\n\trelation parent: office\n\trelation manager: user\n\tpermission read = manager + parent->read\n}\n\ndefinition group {\n\trelation parent: office\n\tpermission read = parent->read\n}\n\ndefinition document {\n\trelation owner: group with equals\n\tpermission read = owner->read\n}\n\ncaveat equals(actual string, required string) {\n\tactual == required\n}\n```\n\nand these relationships:\n\n```\noffice:headoffice#manager@user:maria\noffice:branch1#parent@office:headoffice\ngroup:admins#parent@office:branch1\ngroup:managers#parent@office:headoffice\ndocument:budget#owner@group:admins[equals:{\"required\":\"admin\"}]\ndocument:budget#owner@group:managers[equals:{\"required\":\"manager\"}]\n```\n\nPermission for `'document:budget#read@user:maria with {\"actual\" : \"admin\"}'` is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.\n\n### Patches\nUpgrade to v1.44.2.\n\n### Workarounds\nDo not use caveats in your schema over an arrow’ed relation.",
0 commit comments