Debugging Permissions

Given that permissions are defined in their own file and internally applied to queries, it might be hard to figure out if or why a permission check is failing.

Read Permissions

You can use the analyze-query utility with the --apply-permissions flag to see the complete query Zero runs, including read permissions.

npx analyze-query
  --schema='./shared/schema.ts'
  --query='issue.related("comments")'
  --apply-permissions
  --auth-data='{"userId":"user-123"}'

If the result looks right, the problem may be that Zero is not receiving the AuthData that you think it is. You can retrieve a query hash from websocket or server logs, then ask Zero for the details on that specific query.

Run this command with the same environment you run zero-cache with. It will use your upstream or cvr configuration to look up the query hash in the cvr database.

npx analyze-query
  --schema='./shared/schema.ts'
  --hash='3rhuw19xt9vry'
  --apply-permissions
  --auth-data='{"userId":"user-123"}'

🤔Note

Write Permissions

Look for a WARN level log in the output from zero-cache like this:

Permission check failed for {"op":"update","tableName":"message",...}, action update, phase preMutation, authData: {...}, rowPolicies: [...], cellPolicies: []

Zero prints the row, auth data, and permission policies that was applied to any failed writes.

🤔Note

PreviousSlow Queries

NextReplication

Welcome

Using Zero

Integrations

Debugging

Meta

Debugging Permissions

Read Permissions

Write Permissions

On this page