Privilege elevation in a computed field

Even if you could apply a role to the computed field, you would need to update the Role to add calling the new formula every time you create a new one.

What if you created a wrapper function that only calls formula functions? You could give that the “server” role, which is a little scary but should be okay if you put appropriate guards around it. You want to be absolutely sure you’re only using it with authorized “formula” functions and no other functions.

// FSL

// The wrapper runs with the "server" role, so every caller that can reach it
// inherits that privilege; the role predicate below is the only guard.
@role(server)
function useFormula(formulaName, doc) {
  Function(formulaName)(doc)
}

function formula1(doc) { /*...*/ }
function formula2(doc) { /*...*/ }
// ...
function formulaN(doc) { /*...*/ }

role UserLoggedIn {
  membership User

  privileges useFormula {
    call {
      predicate ((formulaName, doc) => {
        let me = Query.identity()
        // between the identity and doc, be CERTAIN that the
        // function named may be called; the predicate must
        // evaluate to a boolean, e.g. an explicit allowlist of
        // formula function names (only these names can ever be
        // dispatched through the server-role wrapper)
        ["formula1", "formula2"].includes(formulaName)
      })
    }
  }

  // add `call` privileges for other formulas
}