diff --git a/src/grpc_service.rs b/src/grpc_service.rs index c3d1f11..abc53a0 100644 --- a/src/grpc_service.rs +++ b/src/grpc_service.rs @@ -51,10 +51,11 @@ impl RelationService for GraphService { return Err(Status::invalid_argument("dst.id must be set")); } - if !graph.has( + if !graph.has_recursive( ("themis_key", &*api_key), "write", ("themis_ns", &*req_dst.namespace), + u32::MAX, ) { return Err(Status::permission_denied( "missing dst.namespace write permissions", @@ -127,10 +128,11 @@ impl RelationService for GraphService { return Err(Status::invalid_argument("dst.id must be set")); } - if !graph.has( + if !graph.has_recursive( ("themis_key", &*api_key), "write", ("themis_ns", &*req_dst.namespace), + u32::MAX, ) { return Err(Status::permission_denied( "missing dst.namespace write permissions", @@ -198,10 +200,11 @@ impl RelationService for GraphService { return Err(Status::invalid_argument("dst.id must be set")); } - if !graph.has( + if !graph.has_recursive( ("themis_key", &*api_key), "read", ("themis_ns", &*req_dst.namespace), + u32::MAX, ) { return Err(Status::permission_denied( "missing dst.namespace write permissions", @@ -272,13 +275,14 @@ impl QueryService for GraphService { return Err(Status::invalid_argument("dst.id must be set")); } - if !graph.has( + if !graph.has_recursive( ("themis_key", &*api_key), "read", ("themis_ns", &*req_dst.namespace), + u32::MAX, ) { return Err(Status::permission_denied( - "missing dst.namespace write permissions", + "missing dst.namespace read permissions", ))?; } diff --git a/src/relation_set.rs b/src/relation_set.rs index 06adfc4..d1c5fb5 100644 --- a/src/relation_set.rs +++ b/src/relation_set.rs @@ -224,6 +224,9 @@ impl RelationSet { .await .unwrap(); for (rel, srcs) in rels_srcs.iter() { + if srcs.is_empty() { + continue; + } let srcs = srcs .iter() .map(|src| {