Passing a list of permissions to the DocumentClient constructor doesn't work, but passing a single resource token does #472
Comments
I changed my code to use Why doesn't
Hello? Is anyone following this repo?
@thomaslevesque what is the expectation of a query with a partition key limiter? Do you expect the query to filter based on the partition key? If so, could you please try adding it as an explicit filter in the query?
Yes, I expect it to filter the query based on the partition key (which works, if I pass a single resource token to the In short:
@thomaslevesque I am assuming that you are unblocked on the query part with an explicit token. On the list of permissions issue: are there any overlapping permissions (same resource with read/write permissions) which can cause a conflict?
Well, in my current scenario I only need one token, so I'm not blocked, but it might change in the future.
No, the list contains a single permission.
Seems like it has to do with how the library selects the token to use. When you're using the user-friendly names for db/collection you'll run into problems, but when using the db/collection IDs you'll be fine.
@YouNeedTea are you saying I should use the collection's @kirankumarkolli, how does
@thomaslevesque I don't have any internal knowledge, but by examining the behaviour of DocumentClient, I believe it looks for a permission with a 'ResourceLink' property that is a prefix of the resource you're trying to access. A successful workaround for me was to insert two permissions into the database - once with ResourceLink set to the opaque self-link, and once with ResourceLink set to the friendly link.
@YouNeedTea I see what you mean, and it makes sense, but:
I've faced the same issue during implementation of the permission-based access to data stored in CosmosDB.
As far as I can tell, adding the partition key to the filter doesn't make any difference. But you should definitely set From my experience, using URIs created by I tried all combinations, and only one works:
I can understand why 2 and 3 would fail, but 1 should definitely work. Especially since there's no way to get the collection's (in fact, there's a way, but it's ugly: read the
I've run into something very similar to this, but a bit simpler. In my situation I've granted the user read access to the collection selflink, and when I try to read a particular document from that collection (not the feed) I get the error that no token was provided. So, unless someone else has a better idea, it seems manually granting the permission across both human-readable and hashed resource URLs is the safest bet. Unless someone sees something wrong with this approach?
Seems like the approach is: If you are going to use UriFactory in your queries/document operations, then the Permission needs to be created with a If you are going to use ResourceIds in your queries/document operations, then the Permission needs to be created with a
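A model of the matching behaviour described in the comments above, as an added example that is not part of the thread and is not the SDK's code: it assumes, as the commenters infer, that the client picks the permission whose ResourceLink is a path prefix of the requested link. It is written in Python so it runs without a Cosmos DB account; the self-link, resource ids, tokens and function names are constructed for illustration.

```python
"""Model of the token selection the comments describe (an assumption, not SDK code)."""


def segments(link):
    # "dbs/MyDatabase/colls/MyCollection/" -> ["dbs", "MyDatabase", "colls", "MyCollection"]
    return [s for s in link.split("/") if s]


def covers(resource_link, request_link):
    # Prefix match on whole path segments, so a grant on "colls/MyCollection"
    # does not also cover a sibling named "colls/MyCollection2".
    perm, req = segments(resource_link), segments(request_link)
    return len(perm) <= len(req) and req[:len(perm)] == perm


def select_token(permissions, request_link):
    # Pick the most specific covering permission; None models the "no token" error.
    matches = [p for p in permissions if covers(p["ResourceLink"], request_link)]
    if not matches:
        return None
    return max(matches, key=lambda p: len(segments(p["ResourceLink"])))["Token"]


def uncovered(permissions, request_links):
    # Pre-flight check: which links the application will request have no token?
    return [r for r in request_links if select_token(permissions, r) is None]


# Constructed sample data: the resource ids and tokens below are made up.
NAME_LINK = "dbs/MyDatabase/colls/MyCollection"
SELF_LINK = "dbs/Xq0tAA==/colls/Xq0tAJ5kLgE=/"
by_name = {"ResourceLink": NAME_LINK, "Token": "token-name"}
by_rid = {"ResourceLink": SELF_LINK, "Token": "token-rid"}

REQUESTS = [
    NAME_LINK + "/docs",                          # feed query addressed by name
    SELF_LINK + "docs/Xq0tAJ5kLgEBAAAAAAAAAA==",  # single document addressed by rid
]

if __name__ == "__main__":
    print(uncovered([by_name], REQUESTS))          # only the name form is granted
    print(uncovered([by_rid], REQUESTS))           # only the rid form is granted
    print(uncovered([by_name, by_rid], REQUESTS))  # both forms are granted
```

Under this model a permission list that carries only one addressing form leaves every request made in the other form without a token, which matches the errors reported in the thread.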
I have a database with a collection that is partitioned, and each user can only access one partition. I create the users and permissions like this:
If I create a DocumentClient for a user by passing the list of permissions like this:
Then querying the collection fails with this error:
But I know that it's not true; the list of permissions I passed to the DocumentClient constructor has exactly one permission, whose ResourceLink is dbs/MyDatabase/colls/MyCollection.
On the other hand, if I create the DocumentClient by passing a single resource token, it works fine:
It looks like a bug, but this sample does the same thing and works fine. As far as I can tell, the only difference between my code and the sample is that I use CreateDocumentQuery (with the PartitionKey set in the FeedOptions) whereas the sample uses ReadDocumentFeedAsync.