Removing excluded users (#171)

* Removing excluded users * Removing ObjectOrUserset which was only useful in the context of excluded users
openfga · Jun 13, 2024 · f33cb24 · f33cb24
1 parent 394820d
commit f33cb24
Show file tree

Hide file tree

Showing 5 changed files with 2,138 additions and 2,216 deletions.
diff --git a/docs/openapiv2/apidocs.swagger.json b/docs/openapiv2/apidocs.swagger.json
diff --git a/openfga/v1/openfga.proto b/openfga/v1/openfga.proto
@@ -49,13 +49,6 @@ message User {
   }
 }
 
-message ObjectOrUserset {
-  oneof user {
-    Object object = 1;
-    UsersetUser userset = 2;
-  }
-}
-
 // Userset.
 //
 // A set or group of users, represented in the `<type>:<id>#<relation>` format

diff --git a/openfga/v1/openfga_service.proto b/openfga/v1/openfga_service.proto
@@ -765,8 +765,9 @@ service OpenFGAService {
         "You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.\n"
         "The response will contain the related users in an array in the \"users\" field of the response. These results may include specific objects, usersets \n"
         "or type-bound public access. Each of these types of results is encoded in its own type and not represented as a string."
-        "In certain cases of negation via the `but not` operator, some results are marked as excluded from the main set of results. These exclusions \n"
-        "are returned in the `excluded_users` property and should be handled appropriately at the point of implementation."
+        "In cases where a type-bound public acces result is returned (e.g. `user:*`), it cannot be inferred that all subjects\n"
+        "of that type have a relation to the object; it is possible that negations exist and checks should still be queried\n"
+        "on individual subjects to ensure access to that document."
         "The number of users in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_USERS_DEADLINE "
         "and by the upper bound specified in the flag OPENFGA_LIST_USERS_MAX_RESULTS, whichever is hit first.\n"
         "The returned users will not be sorted, and therefore two identical calls may yield different sets of users."
@@ -891,12 +892,6 @@ message ListUsersResponse {
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: ""}
   ];
-
-  repeated ObjectOrUserset excluded_users = 2 [
-    json_name = "excluded_users",
-    (google.api.field_behavior) = REQUIRED,
-    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: ""}
-  ];
 }
 
 message StreamedListObjectsRequest {