ABAC role help for update function

Hi,

I have a Users collection for user authentication and to store an object called “collection”, document structure below:
{
  "ref": Ref(Collection("Users"), "303368775189660174"),
  "ts": 1626101824550000,
  "data": {
    "email": "test@email.com",
    "collection": {
      "123345": 123345,
      "165634": 165634,
      "1722381": 1722381
    }
  }
}

I log in the user and use the (ret) => ret.secret of the authenticated user to create a new client using the user’s secret, and am able to retrieve the collection object fine, but am having issues running the following:

query(
  // Update the document found through the users_by_email index
  q.Update(
    q.Select(
      "ref",
      q.Get(q.Match(q.Index("users_by_email"), "test@email.com"))
    ),
    {
      data: {
        collection: {"123": 123},
      },
    }
  )
)

to update the user’s document (only access to their own document) using the following Write permission:

Lambda(
  ["oldData", "newData"],
  And(
    Equals(Identity(), Select(["data", "email"], Var("oldData"))),
    Equals(
      Select(["data", "email"], Var("oldData")),
      Select(["data", "email"], Var("newData"))
    )
  )
)

My understanding is that they should be able to update the collections object and not be able to edit the email object, but I still receive:

PermissionDenied {name: "PermissionDenied", message: "permission denied", description: "Insufficient privileges to perform the action.", requestResult: RequestResult}

Hi,

At first glance it looks like everything is right. So we’ll need a little more detail to see what’s happening and to figure out why your ABAC isn’t working as expected. Please run:

Get(Role('role_name'))

Substituting the name of the role being used for “role_name”. Then share the output on this post.

Thanks,
Cory