feat: clarify the impact of conditions in list-objects/list-users queries

[aaguiarz]

Description

What problem is being solved?

Documents a known limitation: ListObjects/ListUsers accept only a single context per call, so conditions with per-user or per-object attributes that vary across the enumeration set cannot be evaluated correctly.

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

Documentation

• Added clarification notes explaining how Conditions behave with List Objects and List Users APIs, including important limitations around per-object and per-user attribute conditions.
• Added a new Limitations section documenting how conditions interact with enumeration queries and tuple uniqueness constraints.

[coderabbitai]

Walkthrough

This PR adds documentation clarifying how OpenFGA Conditions interact with enumeration APIs and tuple uniqueness. A new "Limitations" subsection is added to the Conditions guide, with corresponding callouts in the List Objects, List Users, and ABAC modeling guides that link back to the limitations reference.

Changes

Conditions Limitations Documentation

Layer / File(s)	Summary
Core Limitations subsection in Conditions guide docs/content/modeling/conditions.mdx	New "Limitations" subsection explains that condition parameters accept only a single context value per call, affecting Check, ListObjects, and ListUsers differently, and clarifies tuple uniqueness constraints for conditional tuples with guidance on intermediary types.
API-level callouts and best-practices guidance docs/content/getting-started/perform-list-objects.mdx, docs/content/getting-started/perform-list-users.mdx, docs/content/best-practices/modeling-abac.mdx	Three related callouts are added: List Objects and List Users guides explain per-object/per-user attribute limitations with links to the Limitations section; ABAC guide clarifies enumeration query behavior differences between stored-attribute and conditional tuple patterns.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openfga/openfga.dev#1170: Modifies enumeration guidance in modeling-abac.mdx and adds related Conditions limitations documentation structure.

Suggested reviewers

• dyeam0
• ttrzeng

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: clarifying documentation about how conditions impact ListObjects and ListUsers enumeration queries.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/warn-enumeration-queries

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://openfga.github.io/openfga.dev/pr-preview/pr-1266/
Built to branch gh-pages at 2026-05-21 00:55 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/content/modeling/conditions.mdx (2)

273-274: ⚡ Quick win

Use consistent terminology across documentation files.

This says "ListUsers does not work as expected" while lines 190 in perform-list-users.mdx and 187 in perform-list-objects.mdx use "may not return correct results." The latter phrasing is more precise since the API can return partial or incorrect results rather than failing entirely.

Suggested consistency fix

-  listUsers does not work as expected: each candidate user has a different `user_clearance`, but only one value can be passed per call.
+  ListUsers may not return correct results: each candidate user has a different `user_clearance`, but only one value can be passed per call.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/modeling/conditions.mdx` around lines 273 - 274, Update the
wording in the sentence referencing ListUsers so it uses the same phrasing as
the other docs: replace "does not work as expected" with "may not return correct
results" for the ListUsers example; locate the sentence mentioning "ListUsers"
in conditions.mdx and make the exact phrasing change so all three docs use "may
not return correct results" consistently.

---

270-274: 💤 Low value

Clarify that the example condition is hypothetical.

The clearance_sufficient condition is introduced here as an example but isn't defined in the authorization model shown earlier in this document. Consider adding a brief note like "For example, consider a hypothetical condition..." to make it clear this is for illustration purposes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/modeling/conditions.mdx` around lines 270 - 274, The example
uses an undefined condition name and should be labeled as hypothetical: update
the paragraph introducing clearance_sufficient to explicitly say it is a
hypothetical/example condition (e.g., "For example, consider a hypothetical
condition clearance_sufficient(user_clearance: int, resource_sensitivity: int)
..."), so readers know this condition is not defined in the earlier
authorization model; keep references to ListObjects, ListUsers, user_clearance,
and resource_sensitivity unchanged to preserve the illustration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/best-practices/modeling-abac.mdx`:
- Line 347: Add a period at the end of the sentence in the "Enumeration queries"
paragraph so the final clause reads "...See Conditions: Limitations for
details." Locate the paragraph that begins with the bold heading "Enumeration
queries" and references ListObjects and ListUsers and append a trailing period
after "for details".

---

Nitpick comments:
In `@docs/content/modeling/conditions.mdx`:
- Around line 273-274: Update the wording in the sentence referencing ListUsers
so it uses the same phrasing as the other docs: replace "does not work as
expected" with "may not return correct results" for the ListUsers example;
locate the sentence mentioning "ListUsers" in conditions.mdx and make the exact
phrasing change so all three docs use "may not return correct results"
consistently.
- Around line 270-274: The example uses an undefined condition name and should
be labeled as hypothetical: update the paragraph introducing
clearance_sufficient to explicitly say it is a hypothetical/example condition
(e.g., "For example, consider a hypothetical condition
clearance_sufficient(user_clearance: int, resource_sensitivity: int) ..."), so
readers know this condition is not defined in the earlier authorization model;
keep references to ListObjects, ListUsers, user_clearance, and
resource_sensitivity unchanged to preserve the illustration.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 660cbb5a-48c3-49b3-90cd-dc9dc402cb2f

📥 Commits

Reviewing files that changed from the base of the PR and between d27a128 and 8bc66c3.

📒 Files selected for processing (4)

• docs/content/best-practices/modeling-abac.mdx
• docs/content/getting-started/perform-list-objects.mdx
• docs/content/getting-started/perform-list-users.mdx
• docs/content/modeling/conditions.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add missing period at end of sentence.

The line ends with "for details" but is missing a period.

Punctuation fix

-- **Enumeration queries**: Stored-attribute patterns (relationship tuples) work fully with [ListObjects](../getting-started/perform-list-objects.mdx) and [ListUsers](../getting-started/perform-list-users.mdx) without requiring context. Conditional relationship tuples have limitations with these queries — if a condition parameter varies per user, ListUsers cannot supply the correct value for each candidate, and similarly for ListObjects with per-object attributes not stored in the tuple context. See [Conditions: Limitations](../modeling/conditions.mdx#conditions-and-enumeration-queries-listobjects--listusers) for details
+- **Enumeration queries**: Stored-attribute patterns (relationship tuples) work fully with [ListObjects](../getting-started/perform-list-objects.mdx) and [ListUsers](../getting-started/perform-list-users.mdx) without requiring context. Conditional relationship tuples have limitations with these queries — if a condition parameter varies per user, ListUsers cannot supply the correct value for each candidate, and similarly for ListObjects with per-object attributes not stored in the tuple context. See [Conditions: Limitations](../modeling/conditions.mdx#conditions-and-enumeration-queries-listobjects--listusers) for details.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/best-practices/modeling-abac.mdx` at line 347, Add a period at
the end of the sentence in the "Enumeration queries" paragraph so the final
clause reads "...See Conditions: Limitations for details." Locate the paragraph
that begins with the bold heading "Enumeration queries" and references
ListObjects and ListUsers and append a trailing period after "for details".

[Copilot]

Pull request overview

This PR improves the documentation around a known limitation of using conditions with enumeration-style relationship queries, clarifying when ListObjects / ListUsers may produce surprising results due to request context being shared across the whole call.

Changes:

• Added a new “Conditions and enumeration queries” limitation section to the conditions documentation.
• Added :::info callouts to the “Perform a List Objects call” and “Perform a List Users call” guides to highlight the limitation and link to the detailed explanation.
• Updated the ABAC modeling best-practices page to mention enumeration-query implications when choosing between modeling approaches.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
docs/content/modeling/conditions.mdx	Documents enumeration-query limitations for conditions under the “Limitations” section.
docs/content/getting-started/perform-list-users.mdx	Adds an info callout warning about conditions with per-user attributes in ListUsers.
docs/content/getting-started/perform-list-objects.mdx	Adds an info callout warning about conditions with per-object attributes in ListObjects.
docs/content/best-practices/modeling-abac.mdx	Adds guidance about enumeration-query compatibility when selecting ABAC modeling patterns.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.