Realm JavaScript SDK / RJS-1197

Realm Sync permissions issue

    • Type: Task
    • Resolution: Done
    • Priority: Minor - P4
    • Affects Version/s: None
    • Component/s: None

      Using Realm Web SDK Version: 1.2.0.

      We have Realm Sync permissions set as follows:

      Read

      {
        "%%true": {
          "%function": {
            "name": "onAllowRead",
            "arguments": [
              "%%user",
              "%%partition"
            ]
          }
        }
      }
      

      Write

      {
        "%%true": {
          "%function": {
            "name": "onAllowWrite",
            "arguments": [
              "%%user",
              "%%partition"
            ]
          }
        }
      }
      

      This allows control over partition access per user.

      When calling a Realm user function which internally calls collection::aggregate (and nothing else), the Realm Sync Write permission method onAllowWrite is being invoked; however, it's not being invoked on every call. We would like to know how to avoid what should be a read-only query requiring write privilege.

      The secondary issue with these Realm Sync permissions is that if they return false to deny access, the Realm user function which caused their invocation does not terminate immediately, and times out after 90 seconds. If, however, rather than returning false, we instead throw an exception, the Realm user function terminates immediately. Why does returning false not terminate in the same manner as throwing an exception?

      EDIT
      The third issue we're now finding is that even when the onAllowWrite method returns true after making an async query, the method that caused the invocation is still timing out. The onAllowWrite method is akin to the following pseudocode:

      exports = async function(user, partition)
      {
        if (condition_without_db_query)
        {
          return true;
        }
        else
        {
          const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');
          
          const result = await coll.findOne({ some: condition });
          if (result.something > 0)
          {
            return (result.other === 'yay');
          }
          
          return false;
        }
      };
      

      When this method returns true after testing condition_without_db_query everything works without issue. If true is returned when (result.other === 'yay') is tested, the user function that invoked it times out after 90 seconds.

      For clarity, here's the call stack order:
      > Web app calls Realm user function
      > Realm user function calls collection::aggregate
      > onAllowWrite is invoked, returning true after an async query
      > collection::aggregate times out
      > Realm user function returns error

      EDIT
      With further testing, we've narrowed down the reason why only some collection::aggregate queries are requiring write privilege. It's only occurring with queries containing a $lookup in the pipeline.
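
The three exits of the permission function sketched in the report (return true, return false, throw) can be mapped offline; the following is an added example, not part of the original issue or of MongoDB's code. The mock `context`, the `'public'` exemption, the `{ partition }` filter and the sample documents are constructed, and `findOne` is assumed to resolve to null when nothing matches.

```javascript
// Constructed stand-in for the Realm function `context`. Assumption: findOne
// resolves to the first matching document, or null when nothing matches.
function fakeContext(docs) {
  const collection = {
    findOne: async (filter) =>
      docs.find((d) => Object.keys(filter).every((k) => d[k] === filter[k])) || null,
  };
  return { services: { get: () => ({ db: () => ({ collection: () => collection }) }) } };
}

// The report's sketch with its placeholders filled by hypothetical values:
// an exempt partition name and a lookup keyed on the partition.
function makeOnAllowWrite(context, { guardNull }) {
  return async function onAllowWrite(user, partition) {
    if (partition === 'public') return true; // condition_without_db_query
    const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');
    const result = await coll.findOne({ partition });
    if (guardNull && result === null) return false; // explicit deny, no TypeError
    if (result.something > 0) return result.other === 'yay';
    return false;
  };
}

// Classify each call so the three exits (true, false, throw) are visible.
async function outcome(fn, user, partition) {
  try {
    return (await fn(user, partition)) === true ? 'allow' : 'deny';
  } catch (err) {
    return 'throw:' + err.name;
  }
}

const docs = [ // constructed sample documents
  { partition: 'team-a', something: 2, other: 'yay' },
  { partition: 'team-b', something: 2, other: 'nay' },
  { partition: 'team-c', something: 0, other: 'yay' },
];

// Run every partition through the function; 'team-x' has no document.
async function runMatrix(guardNull) {
  const fn = makeOnAllowWrite(fakeContext(docs), { guardNull });
  const out = {};
  for (const p of ['public', 'team-a', 'team-b', 'team-c', 'team-x']) {
    out[p] = await outcome(fn, { id: 'u1' }, p);
  }
  return out;
}

runMatrix(false).then((r) => console.log(r));
```

Without the null guard, a partition that has no document leaves through the exception path rather than through `return false`, so a single function can reach both of the exits the report describes as behaving differently.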

            Assignee:
            mikeo@mongodb.com Michael O'Brien
            Reporter:
            unitosyncbot Unito Sync Bot