Delegates

A document may delegate access on its behalf to other documents by adding the other documents' refs to its delegates list. Any tokens belonging to a member of delegates are granted access as though they were tokens belonging to the delegating document.

For example, if a user (with id 1) has read access to the "spells" collection, but another user (with id 2) does not, the first user may grant access via delegation to the second user with the following query:

client.Query(
  Update(
    Ref(Collection("users"), 1),
    Obj("delegates", Arr(Ref(Collection("users"), 2)))));
curl https://db.fauna.com/ \
    -d '{
          "update": { "ref": { "collection": "users" }, "id": 1 },
          "params": {
            "object": {
              "delegates": [ { "ref": { "collection": "users" }, "id": 2 } ]
            }
          }
        }'
result, _ := client.Query(
    f.Update(
        f.RefCollection(f.Collection("users"), "1"),
        f.Obj{"delegates": f.Arr{f.RefCollection(f.Collection("users"), "2")}},
    ),
)

fmt.Println(result)
map[ref:{1 0xc420118d80 <nil>} ts:1527631398281881 delegates:[{2 0xc420119000 <nil>}]]
client.query(
  Update(
    Ref(Collection(Value("users")), Value(1)),
    Obj("delegates", Arr(Ref(Collection(Value("users")), Value(2))))));
client.query(
  q.Update(
    q.Ref(q.Collection('users'), 1),
    { delegates: [q.Ref(q.Collection('users'), 2)] },
  )
)
.then((ret) => console.log(ret))
{ ref: Ref(id=1, collection=Ref(id=users, collection=Ref(id=collections))),
  ts: 1527631398281881,
  delegates: [ Ref(id=2, collection=Ref(id=users, collection=Ref(id=collections))) ] }
client.query(
  q.update(
    Ref(q.collection("users"), 1),
    {"delegates": [Ref(q.collection("users"), 2)]}
  ))
$client.query do
  update ref(collection_('users'), 1),
         delegates: [ref(collection_('users'), 2)]
end
client.query(
  Update(
    Ref(Collection("users"), 1),
    Obj("delegates" -> Arr(Ref(Collection("users"), 2)))))
client.query(
    Update(
        ref: Ref(collection: Collection("users"), id: 1),
        to: Obj(
            "delegates" => Arr(Ref(collection: Collection("users"), id: 2))
        )
    )
)

Now, when the second user attempts to read from the "spells" collection, they are granted the same level of access as the first user.

Delegates are not transitive — in the example above, the second user may not delegate the first user’s permissions to another user.

Next steps

Is this article helpful? 

Tell Fauna how the article can be improved:
 Visit Fauna's forums or email docs@fauna.com

Thank you for your feedback!