relation deletion must be done through the api as events delete all relationships

internal/permissions/errors.go

@@ -7,4 +7,5 @@ var (
 	ErrAssignmentFailed                   = errors.New("assignment failed")
 	ErrUnassignmentFailed                 = errors.New("unassignment failed")
 	ErrUnexpectedRoleDeleteFailed         = errors.New("unknown role delete error")
+	ErrUnexpectedRelationshipDeleteFailed = errors.New("unknown relationship delete error")
 )

internal/permissions/relationships.go

@@ -21,6 +21,39 @@ type ResourceRelationship struct {
 	SubjectID  gidx.PrefixedID
 }
 
+type ResourceRelationshipRequest struct {
+	Relation  string `json:"relation"`
+	SubjectID string `json:"subject_id"`
+}
+
+type ResourceRelationshipDeleteResponse struct {
+	Success bool `json:"success"`
+}
+
+func (c *Client) DeleteResourceRelationship(ctx context.Context, resourceID gidx.PrefixedID, relation string, relatedResourceID gidx.PrefixedID) error {
+	path := fmt.Sprintf("/api/v1/resources/%s/relationships", resourceID.String())
+
+	body, err := encodeJSON(ResourceRelationshipRequest{
+		Relation:  relation,
+		SubjectID: relatedResourceID.String(),
+	})
+	if err != nil {
+		return err
+	}
+
+	var response ResourceRelationshipDeleteResponse
+
+	if _, err := c.DoRequest(ctx, http.MethodDelete, path, body, &response); err != nil {
+		return err
+	}
+
+	if !response.Success {
+		return ErrUnexpectedRelationshipDeleteFailed
+	}
+
+	return nil
+}
+
 func (c *Client) ListResourceRelationships(ctx context.Context, resourceID gidx.PrefixedID, relatedResourceType string) ([]ResourceRelationship, error) {
 	query := url.Values{
 		"resourceType": []string{relatedResourceType},

internal/service/process_relationships.go

@@ -102,16 +102,6 @@ func (s *service) processRelationships(ctx context.Context, eventType string, re
 		})
 	}
 
-	for _, relatedResourceID := range deleteParentRelationships {
-		processEvents = append(processEvents, events.ChangeMessage{
-			SubjectID: relationships.Resource.PrefixedID(),
-			EventType: string(events.DeleteChangeType),
-			AdditionalSubjectIDs: []gidx.PrefixedID{
-				relatedResourceID,
-			},
-		})
-	}
-
 	for _, relation := range createSubjectRelationships {
 		processEvents = append(processEvents, events.ChangeMessage{
 			SubjectID: relation.Resource.PrefixedID(),
@@ -122,14 +112,23 @@ func (s *service) processRelationships(ctx context.Context, eventType string, re
 		})
 	}
 
+	for _, relatedResourceID := range deleteParentRelationships {
+		err = s.perms.DeleteResourceRelationship(ctx, relationships.Resource.PrefixedID(), string(RelateParent), relatedResourceID)
+		if err != nil {
+			rlogger.Errorw("error deleting parent relationship",
+				"parent.resource.id", relatedResourceID.String(),
+			)
+		}
+	}
+
 	for _, relation := range deleteSubjectRelationships {
-		processEvents = append(processEvents, events.ChangeMessage{
+		err = s.perms.DeleteResourceRelationship(ctx, relation.Resource.PrefixedID(), string(relation.Relation), relationships.Resource.PrefixedID())
-			SubjectID: relation.Resource.PrefixedID(),
+		if err != nil {
-			EventType: string(events.DeleteChangeType),
+			rlogger.Errorw("error deleting relationship",
-			AdditionalSubjectIDs: []gidx.PrefixedID{
+				"relation", relation.Relation,
-				relationships.Resource.PrefixedID(),
+				"subject.id", relation.Resource.PrefixedID().String(),
-			},
+			)
-		})
+		}
 	}
 
 	for _, event := range processEvents {