Skip to main content

Restrict Who Can Edit What Continued

In the previous section, we added four basic rules that- when attached to an auth record- allow an auth record to view and edit votes and changes, as well as to view users and auths.

Now, we'll add one additional rule that will allow users to only be able to edit their own auth records.

Who Can Edit What?#

First, we'll add two simple rules that will allow our users to be able to transact and view votes and changes.

To create these editOwnUser rule, we'll need to specify the following predicates:

  • id: "editOwnUser"
  • collection: "_user"
  • collectionDefault: true
  • ops: ["transact"]
  • fns: We'll create a new smart function that we'll need to reference here (as a tempid inside of an array).

To create the _fn, editOwnUser you'll need to specify the following predicates:

  • _id: _fn$ followed by any tempid you would like
  • name: "editOwnUser"
  • code: The actual code of the smart function. See below.

The smart function code should check whether the

We'll need to use the following context-specific function:

  • (?query): A query which will get the _user associated with the auth record issuing the transaction (?auth_id). We'll give this part to you: (query (str \"{\\\"select\\\": [{\\\"_user/_auth\\\": [\\\"_id\\\"]}], \\\"from\\\": \" (?auth_id) \"}\")). This query smart function equates to issuing the query:
{  "select": [{ "_user/_auth": ["*"] }],  "from": "(?auth_id)"}
  • (?sid) : The subject of _id of the subject we are attempting to edit - here it will be the user subject id.

You'll also need some Universal Functions (see contains? and get-all to complete your _fn/code.

Create the editOwnUser Rule

Using the above instructions, create the editOwnUser rule and editOwnUser function.


We haven't yet discussed how the voting mechanism will work, but you should have a pretty good idea from the schema. Can you figure out why we don't want users to be able to add new auth records?