Permissions Error for User Update with a Role that has a function on the write and create priviledge

I have a role called Auth, that has a membership called User. That User get’s autheticated and logged in. Giving it a key to hit the db. Since it is a member of auth it should have certain privilidges, and they do work if I give them full access, however I want to limit the user to only change their own data. And this is working for all collections beside the User collection itself. I’ll explain.

I am sending this update request to the User collection with the logged in Users credentials.

import { query as q } from "faunadb";
import { authClient, guestClient } from "../../utils/fauna-auth";
import { getAuthCookie } from "../../utils/auth-cookies";
import stripeConfig from "../../lib/stripe";

export default async function unsubscribe(req, res) {

  const token = getAuthCookie(req);

  var element = {};

  element["vip"] = false;
  element["unsub"] = true;
  element["email"] =;
  const current = await authClient(token).query(q.Get(q.CurrentIdentity()));
  element["owner"] = current.ref;

  // Delete the subscription
  // const deletedSubscription = await stripeConfig.subscriptions.del(
  //   req.query.subId
  // );


  await authClient(token)
      q.Update(q.Ref(q.Collection("User"), req.query.user), {
        data: element,
    .then((ret) => console.log(ret));

  try {
  } catch (error) {

Also the is the request object that I am sending to fauna.

  vip: false,
  unsub: true,
  email: '',
  owner: Ref(Collection("User"), "292450448584999433")

Now on the Fauna side I have the following function in the write and create priviledge. Now I Thought that it is checking to see if the owner value equals the identity which is should. But the weird thing is the owner is also a reference to itself, so maybe fauna doesnt like that. I don’t know.
But If I give full write and create permissions it all works.

Also these Lambda functions work fine for other documents, just not for the User collection itself.

My Main goal is to prevent users from writing or creating eachother.


  ["oldData", "newData"],
    Equals(Identity(), Select(["data", "owner"], Var("oldData"))),
      Select(["data", "owner"], Var("oldData")),
      Select(["data", "owner"], Var("newData"))


Lambda("values", Equals(Identity(), Select(["data", "owner"], Var("values"))))

Thanks for any help ahead of time

That would be surprising to me but I have never tried such a case so it could be possible. However, I assume that you have to add that user ref after the user is created. And you are (I think) blocking yourself from doing so by having this part in the role:

      Select(["data", "owner"], Var("oldData")),
      Select(["data", "owner"], Var("newData"))

You could always try to remove that part to see if it makes a difference.

I don’t know if that is the answer as of yet, because I have moved on from that codebase to try something new, but I know it will come back to this, so once I have got back to this I will test removing that section. I am having different permissions error here though.

Just in case I am adding this comment:

The function Identity is deprecated as of API version 4.
You should be using the CurrentIdentity function instead.

So just an fyi. I started building a separate app and ran into the same problem. This solved it for me

Lambda("ref", Equals(Identity(), Select(["ref"], Get(Var("ref")))))

I needed to reference the ref of the User compared to the identity