Define role with regex in flexible sync

I’m in the process of migrating from partition-based sync to flexible sync, but I’m having trouble configuring permission roles.

I had a fairly straightforward canReadPartition rule where I set 'partition' to 'user={user.id}' in partition-based sync. And to support flexible sync, I added the following role to my collection.

{
  "name": "readOwnWriteOwn",
  "apply_when": {},
  "document_filters": {
    "write": {
      "partition": {
        "pattern": "%%user.id",
        "options": ""
      }
    },
    "read": {
      "partition": {
        "pattern": "%%user.id",
        "options": ""
      }
    }
  }
}

I chose to use regex matching following the suggestion here: Permission issues migrating partition-based sync to flexible sync - #9 by Jonathan_Lee

There aren’t any errors, but I’m also not getting any data back. Can anyone give me some pointers on what I did wrong?

Hi @Siwei_Kang ,

It looks like the role in the excerpt here does not have the $regex operator referenced.

If I understand correctly, if you want to follow the example from the other forum post, I think you might want something like this for the document filters instead:

"document_filters": {
    "read": { "$and": [ { "partition": { "$regex": "%%user.id" } }, { "partition": { "$regex": "^user=[0-9a-fA-F]{24}$" } } ] },
    "write": { "$and": [ { "partition": { "$regex": "%%user.id" } }, { "partition": { "$regex": "^user=[0-9a-fA-F]{24}$" } } ] }
}

Breaking this down:

  1. The { "partition": { "$regex": "%%user.id" } } part of the expression enforces that the expanded value of %%user.id appears in the value corresponding to the key “partition”.
  2. The { "partition": { "$regex": "^user=[0-9a-fA-F]{24}$" } } is checking that the value of “partition” is exactly “user=<user-ObjectID>”. The [0-9a-fA-F]{24} is a regex pattern for matching ObjectID strings, which is what %%user.id will end up expanding to.

If both (1) and (2) hold true, then that means that the value of "partition" is equivalent to the string "user=<expanded-value-of-%%user.id>", which if I understand correctly is what the canReadPartition function was checking.

Let me know if that works,
Jonathan
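
The equivalence described in the answer above can be checked locally. This is an added example, not code from the thread or from MongoDB: it models the two conditions with JavaScript regular expressions and compares the result with an exact string comparison. It assumes %%user.id expands to a 24-character hex string and that an unanchored $regex is a substring search; the function names and sample ids are constructed for illustration.

```javascript
// Added example: local model of the two $regex conditions in the role above.
// Assumptions: %%user.id expands to a 24-character hex ObjectId string, and
// an unanchored $regex matches anywhere in the value (substring search).

const OWNER_SHAPE = /^user=[0-9a-fA-F]{24}$/;

// Condition (1): the expanded user id appears somewhere in "partition".
function containsUserId(partition, userId) {
  // userId is hex only, so it has no regex metacharacters to escape.
  return new RegExp(userId).test(partition);
}

// Condition (2): "partition" has exactly the shape user=<ObjectId>.
function hasOwnerShape(partition) {
  return OWNER_SHAPE.test(partition);
}

// The role's $and: both conditions must hold.
function roleAllows(partition, userId) {
  return containsUserId(partition, userId) && hasOwnerShape(partition);
}

// Constructed sample ids (not real users).
const alice = "64b7f1c2a9e3d4f5a6b7c8d9";
const bob = "64b7f1c2a9e3d4f5a6b7c8da";

// Evaluate each condition for one user against constructed partition values.
function evaluate(userId) {
  const partitions = [
    `user=${alice}`,               // Alice's own partition
    `user=${bob}`,                 // another user's partition
    `team=${alice}`,               // id present, wrong prefix
    `user=${alice}-archive`,       // id present, trailing data
    `user=${alice.toUpperCase()}`, // same digits, different case
  ];
  return partitions.map((p) => ({
    partition: p,
    cond1: containsUserId(p, userId),
    cond2: hasOwnerShape(p),
    allowed: roleAllows(p, userId),
    exact: p === `user=${userId}`,
  }));
}

console.table(evaluate(alice));
```

Condition (2) alone accepts every user's partition and condition (1) alone accepts any value that merely contains the id; only the conjunction matches the exact-string check on every row.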

I wrote them with the $regex operator, but it got ‘autocorrected’ to “pattern” for some reason after it was saved. I will try again with both conditions. Thanks!