Hi Brecht, thanks so much for taking the time to reply!
Sorry, I probably should have said something like “Fwitter is not a multi-tenant app” which I think better qualifies the distinction I’m trying to make. I want to restrict access to documents in a collection based on whether or not the user is in same tenant to which the document belongs.
That distinction between roles applied to UDFs vs. Users is really helpful. To make sure I’m understanding correctly, I can’t use `Identity()` when defining the `membership` for a role that’s applied to a UDF, but it should work okay when defining the `actions` the role can perform on a Collection? In case it helps make it clearer, here’s a key snippet from my main “loggedInUser” role:
```js
// ... other role stuff (name, membership, other privileges)
// Assumes Collection, Query, Lambda, Equals, Select, Get, Match, Index,
// Identity and Var are destructured from faunadb.query (the `q` object).
{
  resource: Collection("persons"),
  actions: {
    // Read is allowed only when the requested person document belongs to the
    // same school as the person document linked to the calling user.
    read: Query(
      Lambda(
        "ref",
        Equals(
          Select(
            ["data", "school"],
            Get(Match(Index("person_by_user"), Identity()))
          ),
          Select(["data", "school"], Get(Var("ref")))
        )
      )
    ),
    create: true,
  },
}
```
In my app, “Users” have a “Persons” ref, on which I store which “School” they belong to. I want a User to only be able to read from the Persons collection if the person document they’re reading and the user share the same “school” ref.
Currently I’m applying this role to all members of the “users” collection via the `membership` property of the role, but if I’m understanding you correctly, I could apply this role to my UDFs and get the same effect, and then create a role for my “users” that only granted them permissions to call UDFs? I can see where that would be preferable as it’d very explicitly limit what anyone could do from the client!
Thanks for the detail on Indexes and Collections as well - that’s helpful. For now I’m just adding restrictions at the Collection level and allowing reads from Indexes and that’s working great.
I’m really enjoying working with Fauna. It’s taken a bit to get productive with it but the Fwitter example was extremely helpful (especially for helping me figure out how to define my whole app DB infrastructure with code that I can deploy on command!) and the blog posts you referenced have finally helped me to get to a place where I feel much more comfortable with FQL. Can’t wait for parts 4 and 5! Anyway, just wanted to say thanks!
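The UDF-scoped layout discussed above, written out as FQL for the Fauna shell. This is an added example, not code from the thread or from Fwitter; the role and function names and the `persons_by_school` index (term `data.school`) are assumptions, while `person_by_user` and the school-matching predicate come from the post.

```fql
// Role attached to the UDF, not to users. Its privileges may use Identity()
// because the caller's token still identifies the user inside the function.
CreateRole({
  name: "persons_reader_for_udfs",
  privileges: [
    { resource: Index("person_by_user"), actions: { read: true } },
    { resource: Index("persons_by_school"), actions: { read: true } },
    {
      resource: Collection("persons"),
      actions: {
        // Read allowed only when the document's school equals the caller's school.
        read: Query(Lambda("ref",
          Equals(
            Select(["data", "school"], Get(Match(Index("person_by_user"), Identity()))),
            Select(["data", "school"], Get(Var("ref")))
          )
        ))
      }
    }
  ]
})

// UDF that executes with the role above instead of the caller's own privileges.
// Assumes a hypothetical index "persons_by_school" with term data.school.
CreateFunction({
  name: "get_my_school_persons",
  role: Role("persons_reader_for_udfs"),
  body: Query(Lambda([],
    Let(
      { school: Select(["data", "school"], Get(Match(Index("person_by_user"), Identity()))) },
      Map(
        Paginate(Match(Index("persons_by_school"), Var("school"))),
        Lambda("ref", Get(Var("ref")))
      )
    )
  ))
})

// Client-facing role: members of "users" may only call the UDF; no direct
// collection or index access, so the predicate cannot be bypassed from the client.
CreateRole({
  name: "logged_in_user",
  membership: [{ resource: Collection("users") }],
  privileges: [
    { resource: Function("get_my_school_persons"), actions: { call: true } }
  ]
})
```

A client holding a token for a `users` document can then only run `Call(Function("get_my_school_persons"))`; a direct `Paginate(Match(Index("persons_by_school"), ...))` from the client is denied because the `logged_in_user` role grants no index or collection privileges.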