Permission rule for owner user, Apollo GraphQL


I am trying to get a straightforward user check working when inserting a comment over Apollo GraphQL.

The request should only be allowed if the user field matches the currently authenticated user.

mutation($user: ObjectId!, $comment: String!)  {
      insertOneComment(data: {
          comment: $comment
          user: $user
      }) {

In Realm rules, under owner I have tried lots of variations, including hardcoding the user ID to validate. Unfortunately, I can’t get the rule to work.

  "user": ""

Hardcoded test

  "user": "<SOME_USER_OBJECT_ID>"

I read on another thread that this could be due to the client passing the user as an ObjectId and not a String. However, if I try a String this doesn’t work as GraphQL is expecting an ObjectId.

Any help would be greatly appreciated.

Welcome to the community Niall -

Can you link your app URL so I can take a closer look at your schema/rules?

If user is a field with an ObjectId type in your schema and you’re not using custom user data, this should work unless there are other rules preventing this or a typo in the schema/user. I believe the reason hardcoding the object Id isn’t working either is because it is being treated as a string, and thus not passing the rule.

Hey Niall - similar to the post you read said, is actually a string. Therefore, you’re comparing an objectId to a string and it’s not passing the rule.

To get around this you can use a function (although we are introducing expressions such as %%oidToString and %%stringToOid very soon)


      "%%true": {
        "%function": {
          "name": "equalStrings",
          "arguments": [

function (equalStrings, System Function):

exports = function(arg1, arg2){
  return String(arg1) == (String(arg2));

Thank you Sumedha, this is excellent.

Where do I add the equalsString function in the format that you provided? I presume it can’t sit within the Rule as it’s expecting a JSON expression.

Does it need to be placed in the custom functions section? I have tried that and it’s having trouble with the formatting provided.

It needs to be added in the “Functions” section (accessed via the side nav). The name of the function has to be the same as what is referred to in your rules (mine was called equalStrings) and be a System function, the logic has to return whether the two strings (or objectIds) are equal.


What formatting trouble were you running into?

It’s working now, thanks for your help :+1:

@Sumedha_Mehta1 I think I’m running into this issue as well. I’m unable to assign the user through graphql (even graphiql).

Do you know if this support has been added in yet? Or is this function still needed?


@Travis_N_A I’m not sure what you mean by “assign the user” here

Do you mean assign rules/roles via GraphQL?

I mean is this function necessary still to match a user up with their records using graphql. Do I still need this function to match up a user with their own records, or does it now properly handle user id strings when comparing? Specifically I’m sending:

query {
    query: {
      user_id: {
        _id: "5fb......"

Looking at your app, it seems like you copied and pasted from the snippet above, but you would have to replace %%root.user to %%root.user_id since that is what your field is called. (in the first example it was user).

Is this still necessary though? Earlier in the thread you mentioned “… we are introducing expressions such as %%oidToString and %%stringToOid very soon” as a replacement.

Yes, you should be able to find relevant expressions here -

That link shows a 404 “NoSuchKey”

That link is for an internal docs staging site, here’s the link for the live docs: