Authenticated user doesn't have permission to create documents

Hello, I am new to Fauna DB, and have a million noob questions, so apologies.

I want to create a site where users can register, login, and then CRUD their own documents, whilst not having access to docs created by other users.

The problem is I am struggling to make sense of user access when authenticated, and I cannot create or read any data when logged in.

This is what I have so far, which to the best of my knowledge is how to do things.

FYI I am doing this in javascript.

1 - Connect to the DB using my global secret key

import faunadb from 'faunadb';
const q = faunadb.query;
const client = new faunadb.Client({ secret: process.env.REACT_APP_FAUNA_KEY });

2 - The user logs in, and I save their secret key

let userSecret;
client
  .query(q.Login(q.Match(q.Index('users_by_email'), 'me@me.com'), { password: 'password' }))
  .then((res) => {
    userSecret = res.secret; // token secret for this user's session
  });

3 - Create a new connection using the user’s secret key

const userClient = new faunadb.Client({ secret: userSecret });

4 - Try to create a new document

userClient
  .query(q.Create(q.Collection('notes'), { data: { testData: 'test data' } }));

At this point, I get a permission denied error:

Insufficient privileges to perform the action.

I understand that the user doesn’t have permission to create documents here, and I’ve been through the ABAC tutorial using the shell, but I can’t figure out how to grant permissions for a user.

Do I need to somehow pass a user id when creating a document?
Do I need to change permission on the database or collection?

And a more “best-practice” question, am I going about this the right way - i.e. would multiple users actually store their data in one single collection, or should I be creating a database or collection per user?

Thanks for your help!

The token you received from the Login() function does not have enough privileges to create a document. To address this, you need to create a Role and attach it to a Membership.

This tutorial is a good read: https://css-tricks.com/rethinking-twitter-as-a-serverless-app/

These screenshots should also help you to understand how you can create a role, assign it different privileges and set its membership to a collection. Please note that you can do all of this in FQL too. More information here.


Thank you, this info was very helpful - I have successfully set up roles that allow users to read and write to particular collections.

However, this has thrown up further questions (there’s a lot of complexity to get my head around, and making sense of exactly what’s going on in all these FQL tutorials isn’t always easy).

1 - Should I create a managed role + secret key for the sole purpose of user registration, that can ONLY create new users, and nothing else? I would assume for security that this role should be able to write to my “users” collection, but not do anything else.

2 - I’m struggling to determine the correct way to link documents to a user, and prevent users accessing other people’s documents.

Are documents automatically linked to a user behind the scenes, or do I need to do this manually? If manually, should I be assigning users my own unique ID that I can then reference in other documents, or should I use the built in ref object?

I can see in this screenshot some sample code for verifying that the user is logged in, which seems to be what I need, but I am not sure how exactly it works, or what variables such as “terms” refer to.

At a basic level, my logged in user creates a document (in this case a note):

client
  .query(
    q.Create(q.Collection('notes'), {
      data: {
        id: 1,
        note: 'Lorem ipsum dolor sit amet'
      }
    })
  )

And then I would like to fetch the note by id:

client.query(q.Get(q.Match(q.Index('notes_by_id'), 1))).then((res) => {
  console.log(res);
});

Currently, any user can read any note, which is not ideal.

Instinct tells me I need to assign my new document to a user (if this isn’t done automatically) and then update the lambda query in my role to validate this, but I cannot figure out the exact specifics of this.

Am I thinking along the right lines, and is anyone able to help clarify some of these points? Thank you!
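As an added example that is not part of this thread, here is the role plus membership setup the earlier reply describes, extended to the per-document ownership check and the index "terms" predicate asked about in this post, written in FQL as you would run it in the shell. The data.owner field, the index notes_by_owner and the role names authed_user and registration are assumptions, not names from the thread.

```fql
// Added example, not from the thread. Assumed: notes carry a data.owner field;
// CurrentIdentity() is the Ref of the user document behind the Login() token
// (older shells/drivers call it Identity()).

// Index for listing one user's notes. Its "terms" are the values a Match() is
// queried with; they are also what the index-read predicate below receives.
CreateIndex({
  name: "notes_by_owner",
  source: Collection("notes"),
  terms: [{ field: ["data", "owner"] }]
})

// Role automatically held by any token obtained via Login() on a "users" document.
CreateRole({
  name: "authed_user",
  membership: [{ resource: Collection("users") }],
  privileges: [
    {
      resource: Collection("notes"),
      actions: {
        // create: Lambda gets the object passed to Create(); caller must name itself as owner
        create: Query(Lambda("values",
          Equals(CurrentIdentity(), Select(["data", "owner"], Var("values"))))),
        // read / delete: Lambda gets the document Ref
        read: Query(Lambda("ref",
          Equals(CurrentIdentity(), Select(["data", "owner"], Get(Var("ref")))))),
        delete: Query(Lambda("ref",
          Equals(CurrentIdentity(), Select(["data", "owner"], Get(Var("ref")))))),
        // write: Lambda gets old doc, new doc, Ref; owner must match and may not be reassigned
        write: Query(Lambda(["oldDoc", "newDoc", "ref"], And(
          Equals(CurrentIdentity(), Select(["data", "owner"], Var("oldDoc"))),
          Equals(Select(["data", "owner"], Var("oldDoc")),
                 Select(["data", "owner"], Var("newDoc"))))))
      }
    },
    {
      resource: Index("notes_by_owner"),
      // index read: Lambda gets the Match() terms; only allow searching for your own Ref
      actions: { read: Query(Lambda("terms", Equals(CurrentIdentity(), Select(0, Var("terms"))))) }
    }
  ]
})

// Server-side role for sign-up only: it can create user documents and nothing else.
CreateRole({ name: "registration",
  privileges: [{ resource: Collection("users"), actions: { create: true } }] })
CreateKey({ role: Role("registration") })

// With the user's token: create a note that claims ownership, then list only own notes.
Create(Collection("notes"), { data: { note: "Lorem ipsum", owner: CurrentIdentity() } })
Map(Paginate(Match(Index("notes_by_owner"), CurrentIdentity())), Lambda("ref", Get(Var("ref"))))
```

The Login() call from the first post also needs read access to the users_by_email index it matches on, so whichever role performs login should be granted read on that index.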