
Allow permission checks as part of a precondition for WriteRelationships

Open tarjanik opened this issue 2 years ago • 2 comments

Hi, as far as I understand, the Write Relationships endpoint only allows direct relations in preconditions.

In some cases, it would be required to check a permission and change memberships at the same time. E.g. a user wants to add another user to the resource. First we'd check if the requester has actual permission to do so (in a hierarchical system, it's not a simple relation check, but a calculated permission), then we add the actual user.

Sure, we can first validate, then in a separate request do the change, yet it is not the same transaction.

Is there any way around this, or any plans to support such a use case? Thanks

tarjanik, May 31 '23 13:05

We (at Gitpod) have come across a similar use-case. We want to be able to perform a check for valid permissions followed by a write of new relationships in the same transaction.

Ideally, we'd be able to compose the same request payload that we send in a CheckPermission into the WriteRelationships.Preconditions to have that transactional guarantee, and only perform one operation rather than two.

easyCZ, Jun 21 '23 12:06

This functionality makes a lot of sense, but definitely would impact write performance for complex checks.

I've labeled this APIv2 because if we introduced it, I think we'd want a clean slate where a v2.WriteRelationships.Preconditions would be a list of checks rather than relationships.

jzelinskie, Jun 21 '23 14:06
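
The gap discussed in this thread, as an added Python illustration that is not from any participant or from the SpiceDB project. It uses a constructed in-memory model, not the SpiceDB API: the `Store` class, the doc/org schema and the `must_permit` argument are all hypothetical. It compares check-then-write in two requests, a relationship-only precondition, and a permission check evaluated inside the write transaction.

```python
import threading

class Store:
    """Toy in-memory relationship store (constructed model, not SpiceDB)."""
    def __init__(self, rels):
        self.rels = set(rels)            # (resource, relation, subject) tuples
        self.lock = threading.Lock()     # stands in for one datastore transaction

    def can_add_member(self, doc, user):
        # Computed permission, assumed schema: doc admin OR admin of the doc's parent org.
        parents = {s for (r, rel, s) in self.rels if r == doc and rel == "parent"}
        return any((res, "admin", user) in self.rels for res in {doc} | parents)

    def write(self, updates, must_match=(), must_permit=()):
        """Apply updates atomically. must_match = relationship preconditions (what the
        thread says exists today); must_permit = hypothetical permission preconditions."""
        with self.lock:
            if not all(r in self.rels for r in must_match):
                return False
            if not all(self.can_add_member(d, u) for d, u in must_permit):
                return False
            self.rels |= set(updates)
            return True

    def delete(self, rel):
        with self.lock:
            self.rels.discard(rel)

ADMIN = ("org:a", "admin", "user:alice")   # constructed sample data
NEW = ("doc:1", "member", "user:bob")

def fresh():
    return Store({("doc:1", "parent", "org:a"), ADMIN})

def check_then_write():
    s = fresh()
    allowed = s.can_add_member("doc:1", "user:alice")  # request 1: permission check
    s.delete(ADMIN)                                     # revocation lands between requests
    s.write([NEW])                                      # request 2: write, nothing re-checked
    return allowed and NEW in s.rels                    # stale decision was applied

def relation_precondition():
    # Alice's right is inherited from the org, so the direct relation never matches.
    return fresh().write([NEW], must_match=[("doc:1", "admin", "user:alice")])

def permission_precondition(revoked):
    s = fresh()
    if revoked:
        s.delete(ADMIN)
    return s.write([NEW], must_permit=[("doc:1", "user:alice")])
```

In this model a client could only express the inherited right with relationship preconditions by enumerating the path itself (the parent link plus the org admin relationship), which duplicates schema logic on the client side.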