Yeah, I was unable to figure out how to execute the predicate (no way that I could find), so I was kind of stuck. Basically, it means we have to manage our own roles in some other way, which seems completely redundant when the engine already knows the answer, and moreover, it knows the answer about multiple and overlapping roles.
My current workaround is a table of user document refs, with an entry for a role name; then I hook up the predicate to use an index to check them. A set of UDFs for managing the collection.
I guess another option would be to make a set of collections “userIsRoleA”, “userIsRoleB” and use the collections to manage them. That seems easy, but not really scalable if there are a lot of roles.
Maybe another implementation would be to simply have CurrentIdentity return a list of applicable roles as well as the identity. Or, as mentioned above, a function that simply allows me to invoke the predicate might be a more general-purpose and useful thing.
Why does this matter? From a database perspective it doesn’t; you can lock everything down just fine. But when you’re working on a full-stack application, the front end might want to know things like ‘They can’t modify this item, so we shouldn’t give them the option to try’. Sure, it’s a best effort on the front end, and the backend will apply the right policies, but it does provide a better user experience.
Sorry for the slow reply, real work called for a bit, as this is a personal spare time project.