Block Realm user listing all app users

Eden_Webb · August 19, 2021, 11:44am

Hi All,

I wonder if you could help with a security problem I have. It appears my logged in users would have access to list all Realm users in the app. I am using email/password Auth and I call this.app.allUsers() from my client which returns all the app users.
I don’t want basic users to be able to do this. Does anyone have a solution or is this a limitation of the Realm SDK?
I feel like anyone can sign up, look at the js source to get the app id and do this call. This is a security concern unless I has missed something.

I am using the web sdk.

Your help/thoughts would be appreciated

Sumedha_Mehta1 · August 25, 2021, 2:26pm

This should only be calling logged in users who never logged out from that app. Are you noticing other behavior?

Eden_Webb · August 27, 2021, 8:14pm

Thank @Sumedha_Mehta1
That makes more sense. We have to sign out and remove the user and the function won’t list them.

Rishi_uttam · October 21, 2021, 6:29am

I think this issue should be addressed @Sumedha_Mehta1
I am sure there are some basic rules that can be set.
your answer will help us all.