Permission to edit only identity related user

I added the following predicate, assuming it will allow only the logged-in user to edit their document, without letting them edit the email address. But it doesn't work (getting permission denied):

```js
{
  resource: Collection("User"),
  actions: {
    read: true,
    write: Query(
      Lambda(
        ["oldData", "newData"],
        And(
          // compare the caller's identity with the old document
          Equals(Identity(), Var("oldData")),
          // the email field must not change between old and new
          Equals(
            Select(["data", "email"], Var("oldData")),
            Select(["data", "email"], Var("newData"))
          )
        )
      )
    ),
    create: false,
    delete: false,
    history_read: false,
    history_write: false,
    unrestricted_read: false
  }
}
```

Any ideas?

This will never be true: `Equals(Identity(), Var("oldData"))`. `Identity()` returns the ref of the current User in this case. What are you trying to check there? That the email of the new and old matches the current user?

If you add a third argument, `ref`, to the `Lambda` and match that with `Identity()` then it should work.


Also, not sure what you are trying to check, but you probably will need the reference for comparison with `Identity()`. There is a third parameter for `write` to get that reference.

Thanks! That worked just fine!

I was trying to create a write role that a user can only write to their document, so others won’t be able to change their data
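The complete role the replies above describe, as an added example rather than code posted in this thread: the `write` predicate takes the third `ref` argument and compares that (not `oldData`) with `Identity()`, and the email check from the original predicate is kept. The role name and the `membership` clause are assumptions; the page only shows the privilege block.

```fql
CreateRole({
  // hypothetical role name, not from the thread
  name: "user_self_write",
  // assumption: tokens issued for User documents belong to this role
  membership: { resource: Collection("User") },
  privileges: [
    {
      resource: Collection("User"),
      actions: {
        // kept as in the original post: any member can read every User document,
        // including other users' email addresses; tighten with a predicate
        // (e.g. Lambda("ref", Equals(Identity(), Var("ref")))) if that matters
        read: true,
        write: Query(
          Lambda(
            // the third parameter is the ref of the document being written
            ["oldData", "newData", "ref"],
            And(
              // only the document that belongs to the caller's identity
              Equals(Identity(), Var("ref")),
              // the email field must be unchanged; Select fails (deny) if
              // the field is absent from either side
              Equals(
                Select(["data", "email"], Var("oldData")),
                Select(["data", "email"], Var("newData"))
              )
            )
          )
        ),
        create: false,
        delete: false,
        history_read: false,
        history_write: false,
        unrestricted_read: false
      }
    }
  ]
})
```

With this role, a write to another user's document is denied by the first `Equals`, and a write that changes the caller's own `email` is denied by the second.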