Authenticated user doesn't have permission to create documents

Hello, I am new to Fauna DB, and have a million noob questions, so apologies.

I want to create a site where users can register, login, and then CRUD their own documents, whilst not having access to docs created by other users.

The problem is I am struggling to make sense of user access when authenticated, and I cannot create or read any data when logged in.

This is what I have so far, which to the best of my knowledge is how to do things.

FYI I am doing this in javascript.

1 - Connect to the DB using my global secret key

import faunadb from 'faunadb';
const q = faunadb.query;
const client = new faunadb.Client({ secret: process.env.REACT_APP_FAUNA_KEY });

2 - The user logs in, and I save their secret key

.query(q.Login(q.Match(q.Index('users_by_email'), ''), { password: 'password' }))
  .then((res) => {
    userSecret = res.secret

3 - Create a new connection using the user’s secret key

userClient = new faunadb.Client({ secret: userSecret });

4 - Try to create a new document

.query(q.Create(q.Collection('notes'), { data: { testData: 'test data' } }))

At this point, I get a permission denied error:

Insufficient privileges to perform the action.

I understand that the user doesn’t have permission to create documents here, and I’ve been through the ABAC tutorial using the shell, but I can’t figure out how to grant permissions for a user.

Do I need to somehow pass a user id when creating a document?
Do I need to change permission on the database or collection?

And a more “best-practice” question, am I going about this the right way - i.e. would multiple users actually store their data in one single collection, or should I be creating a database or collection per user?

Thanks for your help!

The Token you received with Login function() does not have enough previleges to create a document. To address this, you need to create a Role and attach it to a Membership .

This tutorial is good read

These screenshots should also help you to understand on how you can create a role, assign it with different privileges and its membership to a collection. Please note that you can do all of this in FQL too. More informationhere.

1 Like

Thank you, this info was very helpful - I have successfully set up roles that allow users to read and write to particular collections.

However, this has thrown up further questions (there’s a lot of complexity to get my head around, and making sense of exactly what’s going on in all these FQL tutorials isn’t always easy).

1 - Should I create a managed role + secret key for the sole purpose of user registration, that can ONLY create new users, and nothing else? I would assume for security that this role should be able to write to my “users” collection, but not do anything else.

2 - I’m struggling to determine the correct way to link documents to a user, and prevent users accessing other people’s documents.

Are documents automatically linked to a user behind the scenes, or do I need to do this manually? If manually, should I be assigning users my own unique ID that I can then reference in other documents, or should I use the built in ref object?

I can see in this screenshot some sample code for verifying that the user is logged in, which seems to be what I need, but am not sure how exactly it works, or what variables such as “terms” refers to.

At a basic level, my logged in user creates a document (in this case a note):

    q.Create(q.Collection('notes'), {
      data: {
        id: 1,
        note: 'Lorem ipsum dolor sit amet'

And then I would like to fetch the note by id:

client.query(q.Get(q.Match(q.Index('notes_by_id'), 1))).then((res) => {

Currently, and user can read any node, which is not ideal.

Instinct tells me I need to assign my new document to a user (if this isn’t done automatically) and then update the lambda query in my role to validate this, but I cannot figure out the exact specifics of this.

Am I thinking along the right lines, and is anyone able to help clarify some of these points? Thank you!