Data Access Role Rule writing field value is not working

In the client (Unity), I write a document to Realm and get a permission error because of the wrong role.
This is my rule:


{
    "collection": "player",
    "database": "herofishing",
    "roles": [
        {
            "name": "PlayerSelf",
            "apply_when": {
                "_id": "%%user.id"
            },
            "document_filters": {
                "write": false,
                "read": true
            },
            "fields": {
                "deviceUID": {
                    "write": true,
                    "read": true
                },
                "onlineState": {
                    "write": true,
                    "read": true
                }
            },
            "additional_fields": {
                "write": false,
                "read": true
            },
            "insert": false,
            "delete": false,
            "search": true
        },
        {
            "name": "OtherPlayer",
            "apply_when": {
                "%%user.custom_data.role": "OtherPlayer10"
            },
            "document_filters": {
                "write": false,
                "read": true
            },
            "read": true,
            "write": false,
            "insert": false,
            "delete": false,
            "search": true
        },
        {
            "name": "Unknown",
            "apply_when": {},
            "document_filters": {
                "write": false,
                "read": false
            },
            "read": false,
            "write": false,
            "insert": false,
            "delete": false,
            "search": false
        }
    ]
}

Hello,

Based on the screenshot, it seems like you are wondering why the first role wasn’t being applied to that user’s write.

An important thing to note here is that roles are applied at the beginning of a sync session, before any documents have been seen. Hence, a role’s apply_when expression must not reference fields in a document in order to be used in Flexible Sync. Please see the docs (Permissions with Device Sync, Sync Compatible Expressions) for more information.

It looks like your first role is referencing a document field (_id); thus, this role will fail to match during role evaluation. Consequently, due to the nature of role order evaluation, the next applicable role will match and determine the set of permissions to be applied during the session. From the logs, this appears to be “OtherPlayer10” in this case. Since that role has "document_filters.write" set to false, writes will be disallowed during this session.

Let me know if you have any other questions,
Jonathan
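
The role fall-through described in the reply above, as an added sketch that is not part of the original thread and is not App Services code. It is a simplified model that assumes any apply_when key starting with neither "%" nor "$" names a document field and that only "%%user.<path>" equality is evaluated; the user object is constructed sample data.

```javascript
// Simplified model of session-start role selection (not the real evaluator).
// Assumption: a key starting with neither "%" nor "$" is a document field name.
function documentFieldRefs(expr) {
  const refs = [];
  for (const [key, value] of Object.entries(expr)) {
    if (!key.startsWith("%") && !key.startsWith("$")) refs.push(key);
    const children = Array.isArray(value) ? value : [value];
    for (const child of children) {
      if (child && typeof child === "object") refs.push(...documentFieldRefs(child));
    }
  }
  return refs;
}

// Resolve "%%user.a.b" against the user object; other expansions are out of scope.
function expand(key, user) {
  if (!key.startsWith("%%user.")) return undefined;
  return key.slice("%%user.".length).split(".")
    .reduce((obj, part) => (obj == null ? undefined : obj[part]), user);
}

// Roles are tried in order; the first one whose apply_when matches wins.
function selectRole(roles, user) {
  for (const role of roles) {
    // No document has been seen yet, so a document-field condition cannot match.
    if (documentFieldRefs(role.apply_when).length > 0) continue;
    const matches = Object.entries(role.apply_when)
      .every(([key, expected]) => expand(key, user) === expected);
    if (matches) return role;
  }
  return null;
}

// Role names, apply_when and document_filters copied from the rule in the question.
const roles = [
  { name: "PlayerSelf", apply_when: { _id: "%%user.id" },
    document_filters: { write: false, read: true } },
  { name: "OtherPlayer", apply_when: { "%%user.custom_data.role": "OtherPlayer10" },
    document_filters: { write: false, read: true } },
  { name: "Unknown", apply_when: {},
    document_filters: { write: false, read: false } },
];
// Constructed sample user, not taken from the thread.
const user = { id: "constructed-user-id", custom_data: { role: "OtherPlayer10" } };

const selected = selectRole(roles, user);
console.log("skipped (document field in apply_when):",
  roles.filter((r) => documentFieldRefs(r.apply_when).length > 0).map((r) => r.name));
console.log("selected:", selected.name, "write:", selected.document_filters.write);
```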


Thank you for your reply. Just to make sure: is it correct to say that there is no way to allow players to modify their own documents directly from the client using Flexible Sync?
