insert: true requires field-level write permissions

[mikarollenmillernovacode]

Description

In MongoDB Realm, setting insert: true on a role was sufficient to allow document inserts, regardless of field-level write permissions. In Flowerbase, inserts are rejected unless the role also has write permissions — either at the top level or on each individual field.

Steps to Reproduce

Define a role with insert: true but field-level permissions that only specify read: true:

  {
    "name": "ExampleRole",
    "apply_when": { "%%user.custom_data.type": "someType" },
    "fields": {
      "name": { "read": true },
      "value": { "read": true }
    },
    "insert": true,
    "delete": false,
    "search": true,
    "additional_fields": {}
  }

Attempt to insert a document as a user matching this role.

Expected Behavior

Insert succeeds — insert: true grants permission to create documents, field-level read/write controls which fields can be read or updated on existing documents.

This matches MongoDB Realm's behavior where insert was an independent permission.

Actual Behavior

Insert fails with "Insert not permitted".

[stackhousesrl]

Thanks for the report. We checked this behavior, and in practice insert in MongoDB Realm is not fully independent from write permissions: inserting a document also requires write: true on the document or on the fields being inserted.

So Flowerbase’s current behavior — rejecting the insert with "Insert not permitted" when a role has insert: true but no write permissions — is consistent with Realm.

In other words:

insert: true allows the insert operation itself

but the insert still requires write access to the fields that are actually being written

For that reason, we do not consider this a bug, but rather an alignment with Realm’s permission model.

[mikarollenmillernovacode]

Indeed that's what their flowchart states. Interesting that it worked differently nevertheless. I find it weird that a top-level insert permission depends on a top or field-level write permission which then also allow updates which may not be wanted, but I can understand that you want to stick with their officially documented flow.

[danielbebbernovacode]

While I can understand sticking to the flowcharts, there are many use-cases where a user should be able to insert a document without being able to write every field. E.g. a customer that should be able to create a new order, but should not be able to write most of the fields afterwards.
There are just many use cases for that behavior imho.