Read access logged in Users own document

hawkstein · December 2, 2020, 6:36pm

Hi all,

I’m struggling with the Read access predicate function that should allow the logged in user whose secret has created the fauna client to read their own document

Lambda(["ref"], Equals(CurrentIdentity(), Var("ref")))

isn’t working for me, although

Lambda(["oldData", "newData", "ref"], Equals(CurrentIdentity(), Var("ref")))

is working fine for the write predicate…

Specifically the permission denied error is getting thrown when I call a UDF and if I give all members in the security role blanket read access then the Function works fine.

Query(
  Lambda(
    ["name", "amount", "minimum_amount", "update_amount", "supplier"],
    Let(
      {
        userRef: CurrentIdentity(),
        kitchenRef: Select(["data", "kitchen"], Get(CurrentIdentity()))
      },
      Create(Collection("stock"), {
        data: {
          created_by: Var("userRef"),
          name: Var("name"),
          kitchen: Var("kitchenRef"),
          amount: Var("amount"),
          minimum_amount: Var("minimum_amount"),
          update_amount: Var("update_amount"),
          supplier: Var("supplier")
        }
      })
    )
  )
)

Any help is most appreciated, not having much luck finding any solutions, I found some similar posts here and I’ve tried adjusting the Lambda([“ref”], / Lambda(“ref”, etc but no luck. Pretty new to fauna, thanks in advance!

Jay-Fauna · December 2, 2020, 10:27pm

@hawkstein

Can you share the Role definition ?

hawkstein · December 3, 2020, 8:11am

Thanks for replying, really appreciated.

{
  ref: Role("users"),
  ts: 1606982510495000,
  name: "users",
  membership: [
    {
      resource: Collection("users")
    }
  ],
  privileges: [
    {
      resource: Collection("users"),
      actions: {
        read: Query(Lambda(["ref"], Equals(CurrentIdentity(), Var("ref")))),
        write: Query(
          Lambda(
            ["oldData", "newData", "ref"],
            Equals(CurrentIdentity(), Var("ref"))
          )
        ),
        unrestricted_read: true
      }
    },
    {
      resource: Index("users_by_email"),
      actions: {
        unrestricted_read: false,
        read: true
      }
    },
    {
      resource: Collection("stock"),
      actions: {
        read: true,
        write: true,
        create: true,
        delete: true,
        history_read: false,
        history_write: false,
        unrestricted_read: false
      }
    },
    {
      resource: Ref(Ref("functions"), "AddStockItem"),
      actions: {
        call: true
      }
    }
  ]
}

hawkstein · December 6, 2020, 2:03pm

The problem it turned out was that the UDF had permissions set via the UI to use the Role “users”

Function Permissions (Fauna Docs)

As soon as I set the Function Role to “none” then the Function worked fine (Still required the Role “users” to have the Function “AddStockItem” within it’s privileges)

Topic		Replies	Views
Serving secrets Help authentication , best-practices	2	391	June 3, 2021
Authenticated user doesn't have permission to create documents Help	3	1522	April 18, 2023
Index read authorization with predicate condition and multiple terms Help functions , indexes , authorization	5	235	July 19, 2023
Permission denied when run query as a specific document in fuana shell Help udfs , abac	9	669	June 14, 2022
Permissions Error for User Update with a Role that has a function on the write and create priviledge Help fql , authentication , functions	4	591	July 15, 2021

Read access logged in Users own document

Related topics