Realm sync permissions vs collection rules

I have been a Realm Cloud developer for the last two years and am trying to migrate my code to the MongoDB Realm, which I understand is still in Beta. So I set up my cluster, my realm app, and defined my collections.

First I noticed that I cannot define my collection permissions in the UI. I see this message "Sync is in Beta: Permissions for this synced collection are set on the synced cluster". I managed to circumvent this by defining these permissions using realm-cli (export followed by import), but the permissions are not applied in any event.

I was however able to define Realm level permissions under the sync tab - using the templates provided. For the moment I can limit writes to private user level realms using the syntax:

{
  "%%partition": "%%user.id"
}

The shared realm is read only and is only written by backend server functions. That works for me at this time. My question is this. Is there something wrong with my setup, or are collection level permissions not supported at this time? If so, do you intend to support them at a future date?

Thanks

Richard Krueger

@Richard_Krueger Correct - sync permissions supersede the regular rules when sync is activated. We are working to change this in the future.

@Ian_Ward thanks for the quick reply. I will forgo trying to use collection based permissions at this time, and stick to sync based permissions. Is there any document that describes the meta-language used to specify sync based permission - I did not see it in the docs?

Yes you can see it here: https://docs.mongodb.com/realm/sync/rules/index.html

Ok, I just found it, it is actually here

https://docs.mongodb.com/realm/services/expression-variables/#expansions

Hi, I also encounter this problem,

How to set schema level permission using Sync Rule? For example: for certain collections, users can only insert a new document into it, not update it, while other collections are free to write.

Is it possible?

Thank you in advance.

@Decky_Fiyemonda we have been struggling with this on our side as well. My understanding is that MongoDB Realm only supports sync level permissions at this time which are set under the sync tab. I did manage to set rules at the Rules level for each collection but they don’t seem to be enforced at this time. @Ian_Ward has said that they are working on it. For the moment, I would just go with the assumption that rule enforcement at the collection level will be implemented in an upcoming release - it is important to remember that MongoDB Realm is still in Beta. The strategy we are taking is simple, private user realms that are only readable and writable by each user, with a partition key value set to the UID, and a set of read-only shared realms that are managed by the system user. This is currently supported by the partition sync rules today. My sense is that it is also the most secure and scalable strategy, although it does require some backend function work.
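The partition strategy described in the post above, checked as an access matrix; this is an added example, not part of the original thread and not MongoDB Realm's own evaluator. Only the `{"%%partition": "%%user.id"}` form comes from the thread; the `$or` read rule, the `shared` partition value, the user ids and the evaluator itself are assumptions made for illustration.

```python
# Simplified model of partition-level sync permissions (a sketch for reasoning
# about the rules, NOT MongoDB Realm's evaluator).
SHARED = "shared"  # constructed partition value for the read-only shared realm

# WRITE_RULE is the expression quoted in the thread. READ_RULE (with "$or")
# is an assumed read rule that also exposes the shared realm.
WRITE_RULE = {"%%partition": "%%user.id"}
READ_RULE = {"$or": [{"%%partition": "%%user.id"}, {"%%partition": SHARED}]}

def expand(token, ctx):
    """Resolve %%partition and %%user.<field>; anything else is a literal."""
    if token == "%%partition":
        return ctx["partition"]
    if isinstance(token, str) and token.startswith("%%user."):
        return ctx["user"].get(token[len("%%user."):])
    return token

def allowed(rule, ctx):
    """All clauses must match (implicit AND); "$or" needs one matching branch."""
    for key, value in rule.items():
        if key == "$or":
            if not any(allowed(sub, ctx) for sub in value):
                return False
        else:
            lhs, rhs = expand(key, ctx), expand(value, ctx)
            # An unresolved expansion (None) never grants access.
            if lhs is None or lhs != rhs:
                return False
    return True

def access(user_id, partition):
    """Read/write decision for one user opening one partition."""
    ctx = {"user": {"id": user_id}, "partition": partition}
    return {"read": allowed(READ_RULE, ctx), "write": allowed(WRITE_RULE, ctx)}

def matrix():
    """Every constructed user against every partition, including the shared one."""
    users = ["alice-uid", "bob-uid"]  # constructed user ids
    return {(u, p): access(u, p) for u in users for p in users + [SHARED]}

if __name__ == "__main__":
    for (user, part), a in matrix().items():
        print(f"{user:10} -> {part:10} read={a['read']!s:5} write={a['write']}")
```

The rows to check are the cross-user ones: a user opening another user's partition must get neither read nor write, and the shared partition must come back read-only for everyone.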

@Ian_Ward Is there an update on this feature? When can this be expected to be released?

Wow is this still not done yet? Even while in Beta this is just such a basic security feature it should have been already implemented before even releasing an Alpha.

This is next level carelessness. I set up a Database with steam codes for an online Christmas calendar. After finishing it I (accidentally!!!) realized that I can just use ANY fantasy user data with email/password authentication and still retrieve all collection data. What is the point of even having authentication methods when everyone on the internet can just access your collections?

Sorry but this and the fact that it is not stated in CAPSLOCK and a red warning box all over in the mongodb Realm dashboard is just very negligent.