Flexible Sync permissions issue with Atlas Search Aggregation

I’m running into a permissions issue when trying to use Atlas Search while Device Sync is enabled. I am trying to run a $search aggregation; however, no documents are being returned. I’m running the aggregation from the web-sdk. All other aggregations work fine using these permissions, just not $search.

I believe this is due to $search using system permissions, stripping away the user details to build rules against.

According to the App Services documentation, $search is run with system-level permissions. If I try to set a role based on a value in the user, the aggregation returns no documents, as it seems it’s still using system permissions.

My sync permissions are as such:

    "Products": [
      {
        "name": "Belongs to company",
        "applyWhen": {},
        "read": {
          "company": "%%user.custom_data.company"
        },
        "write": {
          "company": "%%user.custom_data.company"
        }
      }
    ],

If I set “read” to true, the search aggregation works fine, but returns any document from any company.

I also cannot set this permission within “applyWhen” because the document is not available yet according to the documentation, so you cannot use %%user to get the company field on the document.

Has anyone figured out how to get $search aggregation working with device permissions setup?

I am happy to go into more detail about the issue you are running into but the TLDR is that:

  1. We are working on migrating the sync permissions into the normal rules page. This will be done in 1-2 months and when that happens I think this will be supported.
  2. Right now, the best solution will be to create a new “app” so that you have one app for your sync clients and one app for all other clients. There is not much downside to having 2 separate apps and it will make your life a lot easier.

Let me know how this works,
Tyler


@Tyler_Kaye appreciate the reply.

  1. I’m really excited to hear this. This will make things a lot easier! So this should allow $search to run under user permissions and not system?
  2. I’m open to this idea. A few tactical questions:
  • Can I use the same users from the sync app, to the non-sync app?
  • The second app, I would just link the same Atlas as the data source?

Appreciate it!

@Tyler_Kaye wanted to see if you wouldn’t mind taking a look at my questions in the thread above. Thank you!

Sorry about the delay. This got lost somehow.

  1. It won’t let search run as user permissions, it will just allow you to specify “Search” within a role that sync is also using (currently, if sync is enabled, then we don’t use anything in the “rules” page and just use what is in the sync permissions configuration).
  2. Unfortunately you cannot share the same users, but you can share the same custom user data and authentication configurations. And yes, you can just link the same Atlas cluster as the data source for the second app.

Am I understanding this correctly?
If you have “Flexible Sync” enabled with user-based read/write role permissions, “Atlas Search” will not function (not return any documents).
Is that right?

If you have flexible sync enabled, then those permissions in the sync page are used for all non-sync requests (functions included). Because sync permissions do not have a “search” field, it is functionally not possible to set search permissions for an App Services app while Sync is enabled (though we are in the process of changing this).
