Rules
Auth records reference a group of roles. Roles, in term, reference a group of rules.
We'll look at the predicates in rules one-by-one in order to understand whether they'll be triggered by a given transaction. Just because a rule belongs to the auth record that is issuing a transaction does not mean that that rule will be triggered.
The first two predicates are straightforward:
_rule/id: Unique identifier for this rule._rule/doc: Docstring for this ruleThis next predicate is required:
_rule/collection: The name of the collection this rule applies to.If this predicate's object is
chat, and a given transaction does not have anything to do with thechatcollection, then this rule does not apply._rule/collectionDefault: True or false. Is this rule the default for a given collection?If this is set to
true, then the smart functions attached to this rule are triggered for any transaction that includes thechatcollection, regardless of what predicates are being edited.If a more specific rule exists (i.e. a rule for
chat/personspecifically), then the more specific rule applies._rule/predicates: A list of predicates this rule applies to.If you've already specified
_rule/collectionDefaultas true, then you shouldn't list any predicates here. However, if collection default is false, we might list predicates like:["chat/person", "chat/message"]. This would mean that any transactions that involve thechat/personpredicate or thechat/messagepredicate would trigger the smart functions attached to this rule._rule/fns: Reference to functionsIf this rule applies for a given transaction, the smart functions referenced in this predicate would run. If any of the smart functions return
false, then the transaction is rejected._rule/ops: What operations this rule applies to. Possible tags:query,transact,token,logs,all.For the use case we've discussed in this lesson,
transactis the relevant operation._rule/errorMessage: If a rule prevents a transactions from executing, a custom error mesage can be returned to the user.
For the example, we're going to pretend that we have an auth with certain roles and rules. The below syntax is just a shorthand way of explaining the auth structure- it is not valid Fluree syntax!
Auth Record:
| Predicate | Object |
|---|---|
| id | myAuth |
| roles | role1 |
Role:
| Predicate | Object |
|---|---|
| id | role1 |
| rules | rule1, rule2 |
Rule:
| Predicate | Object |
|---|---|
| id | rule1 |
| collection | person |
| collectionDefault | true |
| ruleFns | [ false, true, true, false ] |
| ops | transact |
Rule:
| Predicate | Object |
|---|---|
| id | rule2 |
| collection | person |
| predicates | handle |
| ruleFns | [ true, true, true ] |
| ops | transact |