Contradiction in docs about custom_data?

Am I reading it right that you shouldn’t store information about permissions in a user’s custom_data?

You cannot store permissions information (such as “which document IDs may this user access?”) in the user object. Changes would not be re-evaluated until the next user session, and updates would cause a client reset.

That’s from the end of this section: https://www.mongodb.com/docs/atlas/app-services/rules/sync-compatibility/#sync-compatible-expansions

But in the Tiered Privileges example, it seems to me that’s exactly what’s being done.

Snippet:

     "document_filter": {
       "read": {
         "team": "%%user.custom_data.team"
       },
       "write": {
         "team": "%%user.custom_data.team"
       }
     },

Am I missing something?

My plan to implement collaboration in my app was to store an array of team IDs in custom_data, and filter data based on that

To make sure it’s fresh, I was going to make a subscription to the user object and manually call refreshCustomDataWithCompletion when there are relevant changes.

Thank you,
Jon

Hi Jonathan,

You cannot store permissions information (such as “which document IDs may this user access?”) in the user object. Changes would not be re-evaluated until the next user session, and updates would cause a client reset.

I agree this part could be worded more clearly. What it’s trying to say is that the custom user data is cached and will cause a client reset when it changes. You can technically use custom data this way but if the permission depends on custom data that dynamically updates it will not take effect until the next session. Every time it changes there will be a client reset.

If the user’s team is static and doesn’t change often then it should be fine to use.

Regards
Manny

Thank you Manny, that really clears things up!

I’d gladly implement this another better way but I just can’t think of one. I’m trying to implement permissions where a user can be in many teams (kind of like Slack workspaces, etc.) and only has access to the associated data if they’re on the team.

The only place you can call a function in a permissions rule is in the apply_when section, which I’ve read is only evaluated at the start of the session.

But it seems, based on your answer, that the custom_data approach might be similar in the end? Either way you have to start a new session and go through a client reset.

Does calling refreshCustomDataWithCompletion start a new session that could trigger the client reset? I’ll be able to test that myself shortly.

Thanks,
-Jon

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.