Realm Sync permissions appear correct, but throw error on iOS client and server logs

Rudi_Strahl · October 20, 2020, 6:08am

I’m working on a prototype that partitions data into userId={user.id} and PUBLIC. According to the docs, this a supported strategy. There’s no specific example provided for writing such a sync permission, so I attempted to infer one (see below). Unfortunately when calling asyncOpen() on the user’s partition, I’m getting an error on the client and in the server logs:

Code:

var configuration = user.configuration(partitionValue: "userId=\(user.identity!)")
Realm.asyncOpen(configuration: configuration) { [weak self] (userRealm, error) in
  ...
}

Sync rule:

{
  "%%partition": "userId=%%user.id"
}

Client error:

Failed to open realm: Error Domain=io.realm.unknown Code=89 "Operation canceled" UserInfo={Category=realm.basic_system, NSLocalizedDescription=Operation canceled, Error Code=89}

Server logs:

Error:

user does not have permission to sync on partition (ProtocolErrorCode=206)
Partition:

userId=5ee811450178b19c376debac

SDK:
Realm Cocoa v10.0.0-beta.2
Platform Version:
Version 14.0 (Build 18A372)

The partition key in the data is _partition: "userId=5ee811450178b19c376debac", so I’m a bit confused as to what I’ve misconfigured. Any help would be greatly appreciated, thanks!

-Rudi

Rudi_Strahl · October 22, 2020, 1:47am

I held off on updating to 10.0.0, but noticed the following in the release notes:

Remove everything related to sync permissions, including both the path-based permission system and the object-level privileges for query-based sync. Permissions are now configured via MongoDB Atlas.

Just so I’m 100% certain I’m interpreting this correctly; does this mean the permission mechanism presented in the third step of configuring Realm Sync is superfluous now?

(I’ve removed all permissions and re-created my sync, which resolves my original issue and continue prototyping, but I want to understand the dev experience/expectations for permissions going forward. Thanks to whomever can help clarify!)

Ian_Ward · October 22, 2020, 2:09am

@Rudi_Strahl I’m not sure expressions will work with concatenating a string and an expression like that - if you wanted to do that I believe you’d have to use a function for that -
https://docs.mongodb.com/realm/sync/permissions/#function-rules

However, In reading your architecture, it sounds like you only have two realms, a per-user realm and a public realm, in that case you could just do -

{
“%%partition”: “%%user.id”
}

For the user realm.

By the way, we published a guide on migrating to the new sync from the legacy version, it may be of help to you:

Rudi_Strahl · October 22, 2020, 4:34am

@Ian_Ward Ah okay - I’ll gladly simplify and use your approach. I do only have two realms currently; if I’m looking to lock down the public partition as read-only, which expression would be correct:

{ "$or": [
    { "%%partition": "PUBLIC" },
    { "%%partition": "%%user.id" }
  ]
}

or

{ "%%partition": [ "%%user.id", "PUBLIC"] }

(Also, thanks for the pointer over to the migration guide; just started digging into it after the update to 10.0.0 - very helpful!)

Ian_Ward · October 22, 2020, 5:25pm

@Rudi_Strahl I presume you want all users to have read-only access to PUBLIC but write access to only their user’s realm?

In which case for the Sync permissions it would be:

Read:
{"%%partition": “PUBLIC” }

Write:
{ “%%partition”: “%%user.id” }

system · November 1, 2020, 2:58am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.