Read access to logged-in user's own document

Hi all,

I’m struggling with the Read access predicate function that should allow the logged-in user, whose secret was used to create the Fauna client, to read their own document.

Lambda(["ref"], Equals(CurrentIdentity(), Var("ref")))

isn’t working for me, although

Lambda(["oldData", "newData", "ref"], Equals(CurrentIdentity(), Var("ref")))

is working fine for the write predicate…

Specifically, the permission denied error is thrown when I call a UDF, and if I give all members of the security role blanket read access then the Function works fine.

Query(
  Lambda(
    ["name", "amount", "minimum_amount", "update_amount", "supplier"],
    Let(
      {
        userRef: CurrentIdentity(),
        kitchenRef: Select(["data", "kitchen"], Get(CurrentIdentity()))
      },
      Create(Collection("stock"), {
        data: {
          created_by: Var("userRef"),
          name: Var("name"),
          kitchen: Var("kitchenRef"),
          amount: Var("amount"),
          minimum_amount: Var("minimum_amount"),
          update_amount: Var("update_amount"),
          supplier: Var("supplier")
        }
      })
    )
  )
)

Any help is most appreciated; I'm not having much luck finding any solutions. I found some similar posts here and I’ve tried adjusting the Lambda(["ref"], ... / Lambda("ref", ... etc., but no luck. Pretty new to Fauna, thanks in advance!

@hawkstein

Can you share the Role definition?

Thanks for replying, really appreciated.

{
  ref: Role("users"),
  ts: 1606982510495000,
  name: "users",
  membership: [
    {
      resource: Collection("users")
    }
  ],
  privileges: [
    {
      resource: Collection("users"),
      actions: {
        read: Query(Lambda(["ref"], Equals(CurrentIdentity(), Var("ref")))),
        write: Query(
          Lambda(
            ["oldData", "newData", "ref"],
            Equals(CurrentIdentity(), Var("ref"))
          )
        ),
        unrestricted_read: true
      }
    },
    {
      resource: Index("users_by_email"),
      actions: {
        unrestricted_read: false,
        read: true
      }
    },
    {
      resource: Collection("stock"),
      actions: {
        read: true,
        write: true,
        create: true,
        delete: true,
        history_read: false,
        history_write: false,
        unrestricted_read: false
      }
    },
    {
      resource: Ref(Ref("functions"), "AddStockItem"),
      actions: {
        call: true
      }
    }
  ]
}

The problem, it turned out, was that the UDF had permissions set via the UI to use the Role "users".

Function Permissions (Fauna Docs)

As soon as I set the Function Role to "none", the Function worked fine (it still required the Role "users" to have the Function "AddStockItem" within its privileges).
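The fix described in the last post, as an added FQL example that is not from the thread: create the function without a role so it runs with the calling client's privileges, and give the caller's role the call privilege on it. Function name, collection names and role name are taken from the thread; the UDF body is shortened, and the Update call assumes that setting a field to null removes it, as it does for other documents.

```fql
// Added example (not from the thread). Define the UDF with NO "role" field,
// which is the "Function Role: none" setting in the dashboard: the function
// then executes with the privileges of whoever calls it.
// Problematic form, for contrast: adding `role: Role("users")` here makes the
// function run with that role's privileges instead of the caller's.
CreateFunction({
  name: "AddStockItem",
  body: Query(
    Lambda(
      ["name", "amount"],
      Let(
        { userRef: CurrentIdentity() },
        Create(Collection("stock"), {
          data: { created_by: Var("userRef"), name: Var("name"), amount: Var("amount") }
        })
      )
    )
  )
})

// If the function already has a role attached, strip it.
// Assumption: a null field in Update removes that field, as for other documents.
Update(Function("AddStockItem"), { role: null })

// The calling role still needs "call" on the function (Function("AddStockItem")
// is the same ref as Ref(Ref("functions"), "AddStockItem") in the thread).
CreateRole({
  name: "users",
  membership: [{ resource: Collection("users") }],
  privileges: [
    {
      resource: Collection("users"),
      actions: { read: Query(Lambda("ref", Equals(CurrentIdentity(), Var("ref")))) }
    },
    { resource: Collection("stock"), actions: { create: true, read: true } },
    { resource: Function("AddStockItem"), actions: { call: true } }
  ]
})
```

Each top-level expression is a separate query; run them one at a time in the Fauna shell or dashboard.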