Restrict user's access to other users' documents without middleware

I would like to create a MongoDB database to support an iOS app I am creating. I imagine I will have a Posts collection to contain all users’ posts. Users will have the option to share their posts with other users, and users can only view posts that are shared with them.

Would this restriction of viewable posts be possible without having a middleware application that sits between the client and database that only retrieves the posts that the client is allowed to see? That is, would it be possible to allow users to directly access the MongoDB database, while still restricting what posts they can see within the Posts collection?

From what I’ve read this doesn’t seem possible without creating a separate View for each user that aggregates together the posts they can see, since there’s no way to define in a MongoDB Role that grants a user access to a resource dynamically based on a field in another document within the database.

But if it is possible, I’d love to know, since I would prefer to not add complexity to my tech stack with a middleware application.

I’d also like to add that I’m a bit perplexed with MongoDB’s roles system overall, as it seems like it is not adequate for most situations.

For example, if I wanted to do something as simple as only allow a user to edit their own profile document within a Profiles collection while making all other profiles read-only for them, this doesn’t appear possible to do, since users can only be granted read or write permission across an entire collection, not individual documents.

Is there something I am just misunderstanding?

Hi Elias

MongoDB users are primarily targeted to reflect “system users” (eg. the identity of the driver instance in an application connecting to the DB, or the identity of a DBA ops person). rather than application “end users”. For those latter types of use cases, MongoDB Realm is specifically designed to target this:

With that said I have seen the need to drive Views based on the specific “system user” connecting and there is currently an enhancement request open for this which you can upvote:

Some related useful info if you’ve not yet seen it:



1 Like

Hi Paul,

Thanks for that clarification–I didn’t realize I was looking at the wrong documentation when it comes to end user roles. I’ve now taken a quick glance at the roles system of MongoDB Realm and that seems much closer to the type of thing I was looking for.

Thanks for your help!



This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.