ABAC in Auth Model with self relation

[velmohan]

I need to model an auth-model requirement where the authorization policy depends on the status of a resource. My requirement is similar to the one discussed here. In my case, whether a user has can_delete relation depends on whether the document is draft or published.

How could I model such an attribute check? I tried the solution discussed in the previous thread as follows but it does not seem to work unless I misunderstood the solution. Here is a sample that shows what I have tried.

type user

type group
  relations
    define member: [user]

type folder
  relations
    define owner: [user]
    define admin: [group]
    define draft_status: [folder]
   define published_status: [folder]
    define can_delete_draft: owner or member from admin
    define can_delete_published:  member from admin
    define can_delete: (draft_status and can_delete_draft) or (published_status and can_delete_published)

As you would see, I added the following relation

define draft_status: [folder]

and included the following contextual tuple in the query. But, the query returned Allowed=false. (See https://play.fga.dev/stores/create/?id=01JEQDW5BJKBX7260M96T43S20)

Check({
    "object": "folder:1",
    "relation": "can_delete",
    "user": "user:x",
    "contextual_tuples": {
        "tuple_keys": [
            {"object": "folder:1", "relation": "draft_status", "user": "folder:1"} 
        ]
    }

[velmohan]

I found the mistake in my auth model. The can_delete permission should be defined as

    define can_delete: can_delete_draft from draft_status or can_delete_published from published_status

instead of

    define can_delete: (draft_status and can_delete_draft) or (published_status and can_delete_published)