Biscuit is authorized biscuitsec.org but not in rust code

[dbcfd]

This is the biscuit that results from authorizer.printWorld()

// Facts:
// origin: 0
organization("ffaa76c7-78d2-40f9-98e7-6ea28ec089ce");
user("65e53b33-c8b2-4792-91ac-330a51158d0a");
// origin: 1
right("65e53b33-c8b2-4792-91ac-330a51158d0a", "ffaa76c7-78d2-40f9-98e7-6ea28ec089ce", "read");

// Checks:
// origin: authorizer
check if user($user_id), organization($org_id), right($user_id, $org_id, "read");

// Policies:
allow if true;

authorizer.authorize() in rust fails though with error FailedLogic(Unauthorized { policy: Allow(0), checks: [Authorizer(FailedAuthorizerCheck { check_id: 0, rule: "check if user($user_id), organization($org_id), right($user_id, $org_id, \"read\")" })] })

[dbcfd]

Splitting the parts on https://www.biscuitsec.org/docs/tooling/datalog-playground/ will also fail

[divarvel]

Indeed, the right() fact is defined in an attenuation block and as such is not visible from the authority block or the authorizer: https://doc.biscuitsec.org/getting-started/authorization-policies#blocks

The reason behind this is that blocks can be freely added to a token, so they are only able to restrict what a token can do. Adding a fact, on the contrary, expands what the token can do. One way to expand a token is to sign the block with a well-known key and to reference the public key in the authorizer policy, but that's a rather advanced use-case, where we have multiple trusted authorities.

Why is right() defined in a separate block here? Could it be defined in the authority block or in the authorizer?

[dbcfd]

Yeah, figured out it wasn't in the correct place, but trying to figure out why it was allowed on biscuitsec.org but not in other places. Bug on biscuitsec?