authzed / spicedb

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
https://authzed.com/docs
Apache License 2.0

Expand command in CLI fails to interpret intersection #279

Closed henkosch closed 2 years ago

henkosch commented 2 years ago

I have this simple example project with an intersection for permission read:

definition user {}

definition document {
  relation owner: user
  relation reader: user
  permission read = owner & reader
}

document:d1#owner@user:u1
document:d2#owner@user:u1
document:d2#reader@user:u1

assertTrue:
  - document:d2#read@user:u1
assertFalse:
  - document:d1#read@user:u1

document:d1#read: []
document:d2#read:
- '[user:u1] is <document:d2#owner>/<document:d2#reader>'

Playground url for the example: https://play.authzed.com/s/8T6joqUt7r9_1/schema

On the "Expected Relations" tab the playground correctly shows that document d2 can be read by user u1, but d1 cannot.

However, when I load the same relations locally into spicedb and try to find all the users who can read a document with the expand API using the zed CLI tool, it shows union instead of intersection, and I also have no way to tell which users can actually read the document because they are not filtered.

$ zed permission expand read document:d1
document:d1->read
 └── union
      ├── document:d1->owner
      │    └── user:u1
      └── document:d1->manager
$ zed permission expand read document:d2
document:d2->read
 └── union
      ├── document:d2->owner
      │    └── user:u1
      └── document:d2->manager
           └── user:u1

So my questions are:

  1. Why does it show union instead of intersection in the expand output?
  2. How can I get the final list of users who really have read permission on a document? Similar to lookup, but the other way around.

Thank you!

jakedt commented 2 years ago

There is a (previously unknown) bug in the handler which is translating the result from the graph resolver: https://github.com/authzed/spicedb/blob/main/internal/services/v1/permissions.go#L108

This should be INTERSECTION. As tomorrow is a holiday, we will get a fix prepped for Friday.

For 2, there is a LookupSubjects proposal, #261, which you might want to review and leave some feedback on.
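As an added example (not code from the issue or from SpiceDB itself), a small Go evaluator over a constructed expand tree shaped like the zed output above: labelling the node "intersection" reproduces the playground's expected relations (d2 readable by user:u1, d1 by nobody), while the "union" label the buggy handler emitted wrongly grants read on d1. Node, Resolve and ReadTree are hypothetical names, not the SpiceDB API.

```go
package main

import "fmt"

// Node is a simplified permission expand tree, constructed for this example. Op is
// the label zed prints ("union" or "intersection"); a leaf has no Children and
// holds the subjects found directly on one relation.
type Node struct {
	Op       string
	Subjects []string
	Children []*Node
}

// Resolve returns the set of subjects that actually hold the permission at n: the
// union of the children's sets, or only subjects present in every child for "intersection".
func Resolve(n *Node) map[string]bool {
	acc := map[string]bool{}
	for _, s := range n.Subjects {
		acc[s] = true
	}
	for i, c := range n.Children {
		child := Resolve(c)
		for s := range child {
			if i == 0 || n.Op != "intersection" { // any other label is treated as a union
				acc[s] = true
			}
		}
		if n.Op == "intersection" && i > 0 {
			for s := range acc {
				if !child[s] {
					delete(acc, s)
				}
			}
		}
	}
	return acc
}

// ReadTree models "permission read = owner & reader" for one document, labelled
// "intersection" (correct) or "union" (what the buggy handler reported).
func ReadTree(op string, owners, readers []string) *Node {
	return &Node{Op: op, Children: []*Node{{Subjects: owners}, {Subjects: readers}}}
}

func main() {
	u1 := []string{"user:u1"} // relationships from the issue: d1 owner only, d2 owner and reader
	fmt.Println("d1#read:", Resolve(ReadTree("intersection", u1, nil))) // map[]
	fmt.Println("d2#read:", Resolve(ReadTree("intersection", u1, u1)))  // map[user:u1:true]
	fmt.Println("d1 as union:", Resolve(ReadTree("union", u1, nil)))    // map[user:u1:true]
}
```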