SpiceDB exclusions can result in no permission returned when permission expected

Background Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected. For example, given this schema: “`zed definition user {} definition folder { relation member: user relation banned: user permission view = member – banned } definition resource { relation folder: folder permission view = folder->view } “` If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned Impact Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. Workarounds…Read More