Impact
Users who
- use the exclusion operator somewhere in their authorization schema
- have configured their SpiceDB server such that
--write-relationships-max-updates-per-call is bigger than 6500
- issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows
will
- receive a successful response from their
WriteRelationships call, when in reality that call failed,
- receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion
Patches
Upgrade to v.145.2.
Workarounds
Set --write-relationships-max-updates-per-call to 1000.
Impact
Users who
--write-relationships-max-updates-per-callis bigger than 6500will
WriteRelationshipscall, when in reality that call failed,Patches
Upgrade to v.145.2.
Workarounds
Set
--write-relationships-max-updates-per-callto1000.