Do membership predicates work in V10?

Hello,
I am trying to use a membership predicate to allow certain users to gain access to a role. Currently it is working in V4, but I would like to do the same in V10. However, I can't get it to work. Anybody here who can help?

The definition of a Role must be entirely in v4 or entirely in v10. You won’t be able to update only the membership predicate with v10 if the permissions are still defined with v4.

Yeah, I understand.

I now know what I did wrong: I made and edited the role document manually via the interface on the left side, and this would completely break membership predicates.

I made a role via the shell like this as a test:

Role.create({
  name: 'CanReadParamsTest',
  privileges: [
    { resource: 'Parameters', actions: { read: true } },
    { resource: 'test', actions: { read: true } }
  ],
  membership: [{ resource: 'Users', predicate: 'user => user.isAdmin' }]
})

Which worked, only allowing users with the isAdmin bool set to true to access Parameters and test. However, if I then went and manually added another privilege (not using the shell) to the role document, the membership predicate would break and every user would get access to all privileges.

Does this mean editing roles manually is a bad practice or is this whole thing a bug?

Can you clarify what you mean here? By “manual” do you mean the dashboard UI? And by “another privilege”, do you mean a whole new object in the privileges array, or another action for an existing resource?

Note that the v4 Dashboard works by using FQL v4, so updating your Role with the v4 Dashboard UI is not compatible with Roles defined using v10. That said, if the update is working and silently breaking then there may be something we can/should do to prevent the update in the first place.

Please provide specific steps for how to replicate your issue, and we can take a deeper look.

Thanks!
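An added example (not from either poster) of keeping a Role entirely in v10, as the reply above recommends: the role is created in the v10 shell, and a later privilege is added by re-submitting the whole definition through the shell rather than through the dashboard document editor. The role name `user`, the `hasDog` field and the `Dogs` collection come from the thread; the `Owners` collection is an assumed placeholder.

```fql
// Create the role in FQL v10. The membership predicate is a string
// holding a v10 function that receives each document of the `Users`
// collection and returns true for members.
Role.create({
  name: "user",
  privileges: [
    { resource: "Dogs", actions: { read: true } }
  ],
  membership: [
    { resource: "Users", predicate: "user => user.hasDog == true" }
  ]
})

// Later: grant an extra privilege. `update()` replaces the fields you
// pass, so the full privileges array and the membership array are
// supplied again so both stay defined in v10 terms.
// `Owners` is an assumed placeholder collection for this example.
Role.byName("user")!.update({
  privileges: [
    { resource: "Dogs", actions: { read: true } },
    { resource: "Owners", actions: { read: true } }
  ],
  membership: [
    { resource: "Users", predicate: "user => user.hasDog == true" }
  ]
})

// Check the stored definition after the update: both arrays should be
// present, with the predicate still a v10 function string.
Role.byName("user")
```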

Sorry for the late reply.

Yes, I meant via the dashboard UI in v10; you can open the role document and add in lines without using the shell.

Let's say I made a role called user via the shell with a predicate so that only users with the bool hasDog have the role. This does work since it was made via the shell.


However, when I add a privilege object or an action via the document (not the shell) so that the user would be able to read another collection, the membership predicate does not work anymore, and now every user logged in via a credential can access the Dogs collection regardless of whether the bool is set to true or false.

Everything is done within V10.

Let me know if you need more info.

@ptpaterson Any feedback on this issue?