Description
Category
Cedar language or syntax features/changes
Describe the feature you'd like to request
Is there any reason why the following syntax is not permitted for the resource element?
```
resource in [PhotoApp::Photo::"vacationPhoto.jpg", PhotoApp::Photo::"birthdayPhoto.jpg"]
```
Whereas the same functionality is OK for the action element:
```
// matches any of the listed actions
action in [Action::"listAlbums", Action::"listPhotos", Action::"view"]
```
Describe alternatives you've considered
If I want to have the same functionality for the resource element, I have considered the following approaches:
1/ First approach
```
permit (
    principal == PhotoApp::User::"alice",
    action == PhotoApp::Action::"viewPhoto",
    resource
) when {
    resource in [PhotoApp::Photo::"vacationPhoto.jpg", PhotoApp::Photo::"birthdayPhoto.jpg"]
};
```
It looks weird to have no defined constraints on the resource in the scope, whereas there is a constraint in the condition clause related to the resource ID itself.
2/ Second approach
Have 2 permissions:
```
permit (
    principal == PhotoApp::User::"alice",
    action == PhotoApp::Action::"viewPhoto",
    resource == PhotoApp::Photo::"vacationPhoto.jpg"
);
permit (
    principal == PhotoApp::User::"alice",
    action == PhotoApp::Action::"viewPhoto",
    resource == PhotoApp::Photo::"birthdayPhoto.jpg"
);
```
But that would lead to a huge number of permissions.
Additional context
No response
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change