Am I overlooking something, or is that a bug? I try to run a Query as a Role in the dashboard, but I’m getting Insufficient privileges, although the Role should have sufficient privileges:
Hi @Mike, we’re investigating this. I do agree with you; the Role is pretty clear! read: true
That said, we’re having trouble replicating. Are you able to cause this issue consistently and provide steps?
I was curious if there could be document references in your Questions that could be causing the permission error, but you can see here that my Bits collection contains references the Role doesn’t have permission to.
I also checked if this was related to "Role-based UDF call works in dashboard but not query from site despite correct token". I tried a number of ways to get the Role to essentially be ignored, but I couldn’t. This other issue is related to roles with a membership, and your Role doesn’t have a membership.
@ptpaterson Indeed, the document references are creating the Problem. But only a specific one.
The document that I tried to access with the role:
{
  id: "388614001847697611",
  coll: Question,
  ts: Time("2024-02-02T10:34:02.570Z"),
  title: "Name of Shareholder 1?",
  masterQuestion: MasterQuestion.byId("388607667910738123"),
  version: 1,
  owner: User.byId("388613051535851728")
}
If I add read privileges to MasterQuestion too, but not to User, it works.
role OwnerExist {
  privileges Question {
    write {
      predicate ((originalDoc, newDoc) => {
        newDoc.owner != null || originalDoc.owner != null
      })
    }
    read
  }
  privileges MasterQuestion {
    read
  }
}
So it seems MasterQuestion is breaking the workflow somehow, but not User.
I also add the other two referenced documents; maybe you see there is a problem:
User document:
{
  id: "388613051535851728",
  coll: User,
  ts: Time("2024-02-02T10:18:56.280Z"),
  name: "Mike"
}
User definition:
collection User {
}
MasterQuestion document:
{
  id: "388607667910738123",
  coll: MasterQuestion,
  ts: Time("2024-02-02T08:53:22.050Z"),
  title: "Name of Shareholder {{}}?"
}
MasterQuestion definition:
collection MasterQuestion {
  history_days 0
}
Out of curiosity and for future simplicity, is it technically possible to impersonate me to access my database to debug it directly there?