The problem:
I was surprised to find that I could delete a document even though I have a security role that should prevent it. I have a collection called ‘targets’ and a role that specifies that only activated ‘users’ can delete a document, but when I call the ‘deleteTarget’ mutation with the Server Key, it deletes the specified document. I am using the Identity() function in the ‘delete’ action predicate, and I am accustomed to Identity() complaining that a Server Key has no identity, so I am confused by this behavior.
Normally I would call ‘deleteTarget’ with the secret of the authenticated user, but I wanted to test the case where someone got hold of my Server Key.
Here is the role that I created:
CreateRole({
  name: "collectionrole_targets",
  privileges: [
    {
      resource: Collection("targets"),
      actions: {
        read: Query(
          Lambda(
            "ref",
            true
          )
        ),
        write: Query(
          Lambda(
            "ref",
            true
          )
        ),
        create: Query(
          Lambda(
            "ref",
            true
          )
        ),
        delete: Query(
          Lambda(
            "ref",
            All(
              Let(
                {
                  user: Get(Ref(Collection("users"), Select(["id"], Identity())))
                },
                [
                  Select(["data", "activated"], Var("user"))
                ]
              )
            )
          )
        ),
        history_read: false,
        history_write: false,
        unrestricted_read: false
      }
    }
  ],
  membership: [
    {
      resource: Collection("users")
    }
  ]
})
Any suggestions are greatly appreciated!