Give a role access to a function without giving it read access to the whole collection

I want to create a function to fetch a document by ID (and some related data). I want to be able to call this function from the browser (public) without giving public access to any other data.
If the browser user does not know the ID of a document, nothing can be fetched at all. Similar to how unlisted Youtube videos work.
I tried creating a role with a “Call” permission to my function. This does not work, because I also need to give Read permissions to the whole Collection to be able to call my index.
But this gives that role access to the whole collection, which I definitely do not want.
How can this be achieved?
Everything inside the function should work. Everything outside should be a no-go.

For now I am wrapping this function in a serverless function.

2 Likes

Hi @rova, please refer to this blog post.

@Shadid, this blog post does not tell how to limit user access to only calling UDFs. Having to also grant access to everything that the UDF needs is extremely bad.

If I have a UDF that allows users to send (and therefore – create) messages, that also gives every client that can call this UDF the ability to override any message of any user.

Everything that lies behind a UDF should be non-accessible by default, in the same way that private variables and methods are encapsulated within classes in OOP.

@rova, you may want to upvote his feature request:

@Orimay that’s a valid concern. Let me get back to you with another example where you can keep UDF variables strictly private.

Thank you! But it’s not only about variables. It’s about access to collections. If my UDF writes to a collection, I don’t want the user to be able to write to this collection directly.

2 Likes

Oh, and about other UDFs, of course. I want to compose UDFs out of private-access UDFs and make public only the ones that my users are going to call directly.

If you want to grant only permissions to a UDF, then you need to provide a Role predicate that restricts calling the UDF for very specific cases. You can get the context about the user from the CurrentIdentity and make a check that all affected documents are actually under the user’s control before the function is permitted to be called.

That would be bad to grant them access to everything, but in practice, you don’t. You can provide User Roles with a predicate that makes sure that they can only read documents they own, write documents they own AND have write access, write to documents that belong to a group so long as the user is part of that same group, etc.

Limiting UDF calls is not really what I want; I found out that it is possible.

Limiting and fine-tuning every possible document access seems like a hell of an amount of work. Also, what if I want the user to edit someone’s message object (say, on a forum) by giving a like? With a UDF, I can specify the exact behavior I want. But that would force me to also allow direct access to the message collection.

I don’t only want to control access to collections, I want to control the data itself, so that it is impossible, for instance, to specify a thousand likes at once for a document 🙂

@rova, @ptpaterson explained that we can do this. We can use user roles to limit users on what UDFs they may call, and those UDFs may have the Admin role assigned to be able to deal with whatever they need. This way, nothing has to be exposed to the end users, except for those UDFs they need.
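
The arrangement described in this thread, written out as a constructed FQL v4 example (added here; not code from the thread, from Fauna's docs, or from any of the posters): the collection name "documents", the function name "getDocumentById" and the role name "public-read-by-id" are assumptions.

```fql
// Constructed example. The UDF runs with the "admin" role, so the
// collection read happens inside the function, not under the caller's
// privileges. A narrower Role("...") can be used here instead of "admin".
CreateFunction({
  name: "getDocumentById",
  role: "admin",
  body: Query(
    Lambda(
      "id",
      Let(
        { doc: Get(Ref(Collection("documents"), Var("id"))) },
        { id: Var("id"), title: Select(["data", "title"], Var("doc")) }
      )
    )
  )
})

// The browser-facing role has exactly one privilege: calling that UDF.
// It has no read privilege on "documents" or on any index over it.
CreateRole({
  name: "public-read-by-id",
  privileges: [
    { resource: Function("getDocumentById"), actions: { call: true } }
  ]
})

// Key handed to the browser; it carries only the role above.
CreateKey({ role: Role("public-read-by-id") })
```

With the key from the last statement, `Call(Function("getDocumentById"), "<id>")` returns the selected fields for a known ID, while a direct `Get(Ref(Collection("documents"), "<id>"))` or `Paginate(Documents(Collection("documents")))` fails with a permission error, which is the behaviour the original question asks for.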

Thanks, will give this a decent look today!