If we delete the my-role-id role by accessing the DELETE */roles/my-role-id endpoint, then we are not able to re-create it with the POST */roles endpoint. We get the following error:
Unable to create role: Write validation error for POST Write with body {"code":"write_failed_due_to_invalid_input","message":"cannot write a tuple which already exists: user: 'user:shipperizer', relation: 'assignee', object: 'role:my-role-id': invalid write input"} with error code write_failed_due_to_invalid_input error message: cannot write a tuple which already exists: user: 'user:shipperizer', relation: 'assignee', object: 'role:my-role-id': invalid write input
Looked into all the available created tuples using fga tuple read --simple-output --api-url http://127.0.0.1:8080 --store-id $STORE_ID and there is one tuple related to my-role-id that was not removed:
Spoke with @shipperizer earlier today and it is confirmed that this is a bug, because in DeleteRole we remove only the privileged tuple and all those assigned to role:x#assignee, not the simple assignee.
Note: This issue might be present for groups as well, but haven't tested it there.
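
A minimal Go model of the behaviour described in this report, added here as an illustration and not taken from the project's code: a partial delete leaves the direct assignee tuple behind, so re-creating the role hits the duplicate-tuple error, while deleting every tuple whose object is the role does not. The Store type, the `privileged` relation name, the `full` flag and the `can_view` grant are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Tuple is an OpenFGA-style relationship tuple.
type Tuple struct{ User, Relation, Object string }

// Store is a toy in-memory tuple store that rejects duplicate writes.
type Store map[Tuple]bool

var ErrExists = errors.New("cannot write a tuple which already exists")

func (s Store) Write(t Tuple) error {
	if s[t] {
		return ErrExists
	}
	s[t] = true
	return nil
}

// CreateRole writes the creator's direct assignee tuple (the one in the report).
func CreateRole(s Store, id, creator string) error {
	return s.Write(Tuple{"user:" + creator, "assignee", "role:" + id})
}

// DeleteRole removes tuples held by role:<id>#assignee and the role's privileged
// tuple (relation name assumed); full=true removes every tuple on the role object.
func DeleteRole(s Store, id string, full bool) {
	role := "role:" + id
	for t := range s {
		if t.User == role+"#assignee" || (t.Object == role && (full || t.Relation == "privileged")) {
			delete(s, t)
		}
	}
}

// Recreate runs create, delete, create and returns the second create's error.
func Recreate(full bool) error {
	s := Store{}
	_ = CreateRole(s, "my-role-id", "shipperizer")
	_ = s.Write(Tuple{"role:my-role-id#assignee", "can_view", "client:app"}) // constructed grant
	DeleteRole(s, "my-role-id", full)
	return CreateRole(s, "my-role-id", "shipperizer")
}

func main() {
	fmt.Println("partial:", Recreate(false), "| full:", Recreate(true))
}
```

A leftover assignee tuple also means the old user would still be bound to any role later created under the same ID, so a regression test should read the store after deletion and assert that no tuple references the role.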