Hi All,
I wonder if you could help with a security problem I have. It appears my logged in users would have access to list all Realm users in the app. I am using email/password Auth and I call this.app.allUsers() from my client which returns all the app users.
I don’t want basic users to be able to do this. Does anyone have a solution or is this a limitation of the Realm SDK?
I feel like anyone can sign up, look at the js source to get the app id and do this call. This is a security concern unless I has missed something.
I am using the web sdk.
Your help/thoughts would be appreciated