Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected
For example, given this schema:

```
definition user {}

caveat somecaveat(somefield int) {
    somefield == 42
}

definition group {
    relation member: user
}

definition resource {
    relation viewer: group#member with somecaveat
    // `view` resolves through the caveated indirect subject type above.
    // (The original text read `folder->view`, but `resource` defines no
    // `folder` relation, so that schema would not validate.)
    permission view = viewer
}
```
If a resource has multiple groups as viewers, and each group relationship is caveated, the check can return "no permission" even though permission should be granted: the CheckPermission API returns NO_PERMISSION where PERMISSION is expected.
As a workaround, do not use caveats at all, or do not use them on an indirect subject type (such as group#member) that can have multiple entries on the same relation.
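To find the relations the workaround applies to, the following script (an added example, not code from the advisory or from the SpiceDB project) scans a schema for a caveat attached to an indirect subject type (`type#relation with caveat`). The sample schema is constructed from the advisory's example with two extra relations added for contrast.

```python
import re
from typing import List, Tuple

# Constructed sample schema: the advisory's example, plus a caveated direct
# subject (editor) and an uncaveated indirect subject (parent) for contrast.
SAMPLE_SCHEMA = """
definition user {}

caveat somecaveat(somefield int) {
    somefield == 42
}

definition group {
    relation member: user
}

definition resource {
    relation viewer: group#member with somecaveat
    relation editor: user with somecaveat
    relation parent: group#member
    permission view = viewer
}
"""

# A definition body holds only relation/permission lines, so it never
# contains a nested `}`; caveat blocks are not matched because they do
# not start with the `definition` keyword.
DEFINITION_RE = re.compile(r"definition\s+(\w+)\s*\{([^}]*)\}")
RELATION_RE = re.compile(r"relation\s+(\w+)\s*:\s*([^\n]+)")


def find_caveated_indirect_relations(schema: str) -> List[Tuple[str, str, str]]:
    """Return (definition, relation, subject) triples for every allowed
    subject type that is both indirect (`type#relation`) and caveated
    (`with <caveat>`), i.e. the pattern the advisory says to avoid."""
    findings = []
    for def_name, body in DEFINITION_RE.findall(schema):
        for rel_name, subjects in RELATION_RE.findall(body):
            # A relation may allow several subject types separated by `|`.
            for subject in (s.strip() for s in subjects.split("|")):
                if "#" in subject and " with " in subject:
                    findings.append((def_name, rel_name, subject))
    return findings


if __name__ == "__main__":
    for definition, relation, subject in find_caveated_indirect_relations(SAMPLE_SCHEMA):
        print(f"{definition}.{relation}: caveated indirect subject '{subject}'")
```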
NVD published: 2024-09-18T18:15:07Z. CWE IDs: CWE-269, CWE-285. Severity: MODERATE. GitHub reviewed: yes (2024-09-18T17:42:46Z).