Debug best practices for ABAC functions in GraphQL?

I find myself spending a ton of time on trial and error when debugging an ABAC permission rule when using GraphQL. The inability to expose any info in the return is debilitating; the Abort doesn’t seem to push anything through to the gql response. Is there any way to test out permissions rather than trial and error?

Basically anything more helpful than

```json
{
  "errors": [
    {
      "message": "Insufficient privileges to perform the action.",
      "extensions": {
        "code": "permission denied"
      }
    }
  ]
}
```
2 Likes

You know you are desperate when you end up using an IsRef(...) and IsObject(...) as your predicate function to test values in your user-defined role as a debug method! :rofl:

First of all, I do agree with you and I know that the Fauna team is aware that there is much room for improvement when it comes to error messages and especially from ABAC. Being able to use Abort in ABAC is high on my wish list as well. Both for debugging but also for returning meaningful errors to the end user. That being said, what I have done which works quite well is to set up a listener locally that updates roles whenever I save them. Then if I run into an issue I start by setting true on the action I’m debugging to ensure I have the basics right. I often do multiple mutations in a single query, so I could be touching multiple collections and indexes.

1 Like
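
The "set true on the action I'm debugging" step from the reply above, made systematic for a query that touches several collections and indexes. This is an added example, not code from the thread or from Fauna. It assumes the role is held as a plain object shaped like a role document (`privileges` with `resource` and `actions`), and `runQuery` is a hypothetical callback that pushes a role to a development database and reports whether the failing GraphQL query then succeeds.

```javascript
// Constructed sample role. Predicates are opaque placeholders standing in
// for the Query(Lambda(...)) values a real role would carry.
const sampleRole = {
  name: "editor",
  privileges: [
    { resource: "Collection(posts)", actions: { read: true, write: "<owner predicate>" } },
    { resource: "Collection(comments)", actions: { create: "<member predicate>" } },
    { resource: "Index(posts_by_owner)", actions: { read: "<owner predicate>" } },
  ],
};

// Build one copy of the role per predicate-guarded action, with only that
// action opened to `true`. The input role is never mutated.
function debugVariants(role) {
  const variants = [];
  role.privileges.forEach((priv, i) => {
    for (const [action, rule] of Object.entries(priv.actions)) {
      if (rule === true || rule === false) continue; // already unconditional
      const privileges = role.privileges.map((p, j) =>
        j === i ? { ...p, actions: { ...p.actions, [action]: true } } : p
      );
      variants.push({ resource: priv.resource, action, role: { ...role, privileges } });
    }
  });
  return variants;
}

// runQuery(role) is hypothetical: update the role in a dev database, run the
// failing query, resolve to true when no "permission denied" comes back.
async function isolateDenyingPredicates(role, runQuery) {
  if (await runQuery(role)) return []; // the role as written already passes
  const culprits = [];
  for (const v of debugVariants(role)) {
    if (await runQuery(v.role)) culprits.push(`${v.resource}.${v.action}`);
  }
  // An empty result after a failing baseline means no single predicate is
  // responsible: several deny at once, or a privilege is missing entirely.
  return culprits;
}
```

Restore the original role once the denying predicate is identified, so the opened action does not linger in the database.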