I think it’s more clean personally (but more work) and the secure way in case you want to secure it from the frontend to create a role for your UDF and give your user access to call the UDF
I would like to use roles to restrict users to documents only within their own tenant. Every document in my database should have a “tenantRef” relationship to a Tenant collection. I have a User collection and role applied to them, and have have successfully been able to use predicate functions to programmatically restrict users to accessing other objects only in their tenant when they access them directly.
The problems start when I try to use UDFs. If I lock down the user to only be able to call UDFs and apply the exact same predicate to the role of a UDF the user can call, it always seems to fail with “permission denied” and “Insufficient privileges to perform the action.” This is the predicate I’m using via the dashboard, which works when applied to a User’s role, but not when applied to a UDF’s role:
Lambda( "documentRef", Equals( Select(["data", "tenantRef"], Get(CurrentIdentity())), Select(["data", "tenantRef"], Get(Var("documentRef"))) ) )
CurrentIdentity() not do what I think it does in the context of a UDF? Is there something else I’m missing? Is there any way to inspect the value or execution of these predicates?