Realm Sync Permissions issue

Cross post from GitHub as we don’t think this issue is specific to the RealmJS SDK and it has become a show-stopper.

Using Realm Web SDK Version: 1.2.0.

We have Realm Sync permissions set as follows:

Read

{
  "%%true": {
    "%function": {
      "name": "onAllowRead",
      "arguments": [
        "%%user",
        "%%partition"
      ]
    }
  }
}

Write

{
  "%%true": {
    "%function": {
      "name": "onAllowWrite",
      "arguments": [
        "%%user",
        "%%partition"
      ]
    }
  }
}

This allows control over partition access per user.

When calling a Realm user function which internally calls collection::aggregate (and nothing else), the Realm Sync Write permission method onAllowWrite is being invoked; however, it’s not being invoked on every collection. We would like to know how to avoid what should be a read-only query requiring write privilege.

The secondary issue with these Realm Sync permissions is if they return false to deny access, the Realm user function which caused their invocation does not terminate immediately, and times out after 90 seconds. If however, rather than returning false we instead throw an exception, the Realm user function terminates immediately. Why does returning false not terminate in the same manner as throwing an exception?

The third issue we’re now finding is even when the onAllowWrite method returns true after making an async query, the method that caused the invocation is still timing out. The onAllowWrite method is akin to the following pseudocode:

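// Sync permission function: receives %%user and %%partition from the rule.
exports = async function(user, partition)
{
  if (condition_without_db_query)
  {
    // Decided without touching the database.
    return true;
  }
  else
  {
    const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');
    
    // findOne resolves to null when no document matches, so guard before dereferencing.
    const result = await coll.findOne({ some: condition });
    if (result && result.something > 0)
    {
      return (result.other === 'yay');
    }
    
    // No matching document, or the check failed: deny.
    return false;
  }
};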

When this method returns true after testing condition_without_db_query everything works without issue. If true is returned when (result.other === 'yay') is tested, the user function that invoked it times out after 90 seconds.

For clarity, here’s the call stack order:

Web app calls Realm user function
Realm user function calls collection::aggregate
onAllowWrite is invoked, returning true after an async query
collection::aggregate times out
Realm user function returns error

EDIT
With further testing, we’ve narrowed down the reason why only some collection::aggregate queries are requiring write privilege. It’s only occurring with queries containing a $lookup in the pipeline.

Could a Realm team member please explain why a collection::aggregate query containing a $lookup in the pipeline invokes Realm Sync’s write permission?

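An offline harness for a permission function shaped like the pseudocode in the post above, added here as an example; it is not part of the original post and is not MongoDB's code. The mocked context (makeContext), the partition strings, the membership query and the sample documents are constructed assumptions; only the some_db/some_coll names and the something/other fields come from the post.

```javascript
// makeContext() is a hypothetical stand-in for the Realm `context` global.
// The documents and partition strings in this file are constructed sample data.
function makeContext(docs) {
  const collection = {
    // Mimics findOne: resolves to the first matching document, or null.
    findOne: async (query) =>
      docs.find((d) => Object.keys(query).every((k) => d[k] === query[k])) || null,
  };
  return {
    services: { get: () => ({ db: () => ({ collection: () => collection }) }) },
  };
}

// Same shape as the post's pseudocode, with the context passed in so it can be
// tested offline. Every path that does not positively match denies access.
async function onAllowWrite(context, user, partition) {
  if (partition === `user=${user.id}`) {
    return true; // assumed example of a decision made without a database query
  }
  const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');
  const result = await coll.findOne({ partition, member: user.id });
  if (result === null) {
    return false; // no membership document: deny instead of dereferencing null
  }
  return result.something > 0 && result.other === 'yay';
}

// Runs the function over every constructed case and returns the decisions.
async function runCases() {
  const context = makeContext([
    { partition: 'team=a', member: 'u1', something: 1, other: 'yay' },
    { partition: 'team=b', member: 'u1', something: 1, other: 'nay' },
    { partition: 'team=c', member: 'u1', something: 0, other: 'yay' },
  ]);
  const user = { id: 'u1' };
  const out = {};
  for (const p of ['user=u1', 'team=a', 'team=b', 'team=c', 'team=d', 'user=u2']) {
    out[p] = await onAllowWrite(context, user, p);
  }
  return out;
}

runCases().then((decisions) => console.log(decisions));
```

Only the user's own partition and team=a are allowed; a missing document, a failed field check and another user's partition all resolve to a deny.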

This issue has been resolved with the assistance of MongoDB support.
