I noticed today that my custom roles don’t return the abort() and dbg() messages (which was quite irritating at first while debugging a problem in my app):
What permission is needed so the custom role receives the error message during a request? If such functions need explicit permissions to return their values to the client, it would be great if the necessary permission were mentioned in the docs:
Thanks for posting. I’m sorry you ran into this. There are indeed some undocumented limitations here. I’ll work on updating the docs to cover this, but here’s a summary:
Log messages: When calling a UDF that uses dbg() or log(), summary log messages are returned if your secret has the admin or server role. Log messages are not returned from UDFs for secrets with the server-readonly or user-defined roles. This applies even if the UDF is annotated with @role(admin) or @role(server).
Abort Messages: When calling a UDF that uses abort(), the summary’s query stack trace includes both query and UDF lines if your secret has the admin or server role. For secrets with the server-readonly or user-defined roles, the stack trace only includes query lines (not UDF lines). This applies even if the UDF is annotated with @role(admin) or @role(server).
The intent here is to prevent leaking information inside UDFs to unprivileged users.