Cross post from Github as we don’t think this issue is specific to the RealmJS SDK and it has become a show-stopper.
Using Realm Web SDK Version: 1.2.0.
We have Realm Sync permissions set as follows;
Read
{
"%%true": {
"%function": {
"name": "onAllowRead",
"arguments": [
"%%user",
"%%partition"
]
}
}
}
Write
{
"%%true": {
"%function": {
"name": "onAllowWrite",
"arguments": [
"%%user",
"%%partition"
]
}
}
}
This allows control over partition access per user.
When calling a Realm user function which internally calls collection::aggregate
(and nothing else), the Realm Sync Write permission method onAllowWrite
is being invoked, however, it’s not being invoked on every collection. We would like to know how to avoid what should be a read-only query requiring write privilege.
The secondary issue with these Realm Sync permissions is if they return false
to deny access, the Realm user function which caused their invocation does not terminate immediately, and times out after 90 seconds. If however, rather than returning false
we instead throw an exception, the Realm user function terminates immediately. Why does returning false
not terminate in the same manner as throwing an exception?
The third issue we’re now finding is even when the onAllowWrite
method returns true
after making an async
query, the method that caused the invocation is still timing out. The onAllowWrite
method is akin to the following pseudo code;
exports = async function(user, partition)
{
if (condition_without_db_query)
{
return true;
}
else
{
const coll = context.services.get('mongodb-atlas').db('some_db').collection('some_coll');
const result = await coll.findOne({ some: condition });
if (result.something > 0)
{
return (result.other === 'yay');
}
return false;
}
};
When this method returns true
after testing condition_without_db_query
everything works without issue. If true
is returned when (result.other === 'yay')
is tested, the user function that invoked it times out after 90 seconds.
For clarity, here’s the call stack order;
Web app calls Realm user function
Realm user function callscollection::aggregate
onAllowWrite
is invoked, returningtrue
after anasync
query
collection::aggregate
times out
Realm user function returns error
EDIT
With further testing, we’ve narrowed down the reason why only some collection::aggregate
queries are requiring write privilege. It’s only occurring with queries containing a $lookup
in the pipeline.
Could a Realm team member please explain why a collection::aggregate
query containing a $lookup
in the pipeline invokes Realm Sync’s write permission ?