Realm Sync permissions issue #3742

Closed
versoworks opened this issue May 17, 2021 · 1 comment

versoworks commented May 17, 2021

Using Realm Web SDK Version: 1.2.0.

We have Realm Sync permissions set as follows:

Read

```json
{
  "%%true": {
    "%function": {
      "name": "onAllowRead",
      "arguments": [
        "%%user",
        "%%partition"
      ]
    }
  }
}
```

Write

```json
{
  "%%true": {
    "%function": {
      "name": "onAllowWrite",
      "arguments": [
        "%%user",
        "%%partition"
      ]
    }
  }
}
```

This allows control over partition access per user.

When calling a Realm user function which internally calls collection::aggregate (and nothing else), the Realm Sync Write permission method onAllowWrite is being invoked, however, it's not being invoked on every call. We would like to know how to avoid what should be a read-only query requiring write privilege.

The secondary issue with these Realm Sync permissions is if they return false to deny access, the Realm user function which caused their invocation does not terminate immediately, and times out after 90 seconds. If however, rather than returning false we instead throw an exception, the Realm user function terminates immediately. Why does returning false not terminate in the same manner as throwing an exception?

EDIT
The third issue we're now finding is even when the onAllowWrite method returns true after making an async query, the method that caused the invocation is still timing out. The onAllowWrite method is akin to the following pseudocode:

```js
exports = async function(user, partition)
{
  if (condition_without_db_query)
  {
    return true;
  }
  else
  {
    const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');

    const result = await coll.findOne({ some: condition });
    if (result.something > 0)
    {
      return (result.other === 'yay');
    }

    return false;
  }
};
```

When this method returns true after testing condition_without_db_query everything works without issue. If true is returned when (result.other === 'yay') is tested, the user function that invoked it times out after 90 seconds.

For clarity, here's the call stack order:

1. Web app calls Realm user function
2. Realm user function calls collection::aggregate
3. onAllowWrite is invoked, returning true after an async query
4. collection::aggregate times out
5. Realm user function returns error

EDIT
With further testing, we've narrowed down the reason why only some collection::aggregate queries are requiring write privilege. It's only occurring with queries containing a $lookup in the pipeline.
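
The following is an added example, not code from the issue or from the Realm project: a variant of the onAllowWrite pseudocode above that always resolves to a strict boolean and denies when findOne matches nothing, run against a stubbed `context` so each branch can be checked in Node. The fast-path condition (`partition === user.id`), string partition values, the `{ partition }` filter, and the names `makeOnAllowWrite`, `stubContext`, `SAMPLE_DOCS` and `evaluateAll` are assumptions for illustration.

```javascript
// Added example: fail-closed variant of the issue's onAllowWrite pseudocode.
// Assumptions (not from the issue): the no-query condition is
// partition === user.id, and the lookup filter is { partition }.
function makeOnAllowWrite(context) {
  return async function onAllowWrite(user, partition) {
    // Reject malformed arguments before touching the database.
    if (!user || typeof user.id !== 'string' || typeof partition !== 'string') {
      return false;
    }
    if (partition === user.id) {
      return true; // fast path, no query
    }
    const coll = context.services.get('mongodb-atlas')
      .db('some_db').collection('some_coll');
    const result = await coll.findOne({ partition });
    // No matching document: result.something in the original pseudocode
    // would throw a TypeError here instead of denying.
    if (result == null || typeof result !== 'object') {
      return false;
    }
    // Only an explicit match grants write access; always a strict boolean.
    return result.something > 0 && result.other === 'yay';
  };
}

// Constructed stub of the Realm `context` global so the rule runs in Node.
function stubContext(docs) {
  const collection = {
    findOne: async (filter) =>
      docs.find((d) => d.partition === filter.partition) || null,
  };
  return {
    services: { get: () => ({ db: () => ({ collection: () => collection }) }) },
  };
}

// Constructed sample documents covering each branch of the rule.
const SAMPLE_DOCS = [
  { partition: 'team-a', something: 2, other: 'yay' },
  { partition: 'team-b', something: 2, other: 'nay' },
  { partition: 'team-c', something: 0, other: 'yay' },
];

// Evaluate the rule for one user id across several partitions.
async function evaluateAll(userId, partitions) {
  const rule = makeOnAllowWrite(stubContext(SAMPLE_DOCS));
  const out = {};
  for (const p of partitions) out[p] = await rule({ id: userId }, p);
  return out;
}
```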

@versoworks

This issue has been resolved with the assistance of MongoDB support.

github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2024