Sharing document with a group

Hello.

I’m very new to Realm, so sorry if this is trivial. I’m trying to achieve the following with the flexible sync: have a user share the document with the group of users, e.g. a teacher shares assignments with all students in the class. I’m trying to figure out security rules for that.

I see something similar can be achieved using this approach, but I don’t want to maintain a list of collaborators for each document (e.g. what if there is a new user added?).

Is it possible, instead of having a list of collaborators in the document, to have a list of groups and then somehow check in the security rules whether the user trying to sync this document is in one of those groups?

Hi. It sounds to me like you might want to use the Restricted News Feed or the Tiered Permissions model defined here: https://www.mongodb.com/docs/atlas/app-services/sync/app-builder/device-sync-permissions-guide/#restricted-news-feed

The TLDR is that you can use Custom User Data to define a mapping between users and a document that you own in your database that can be used during permission evaluation. This would let you define fields like “isAdmin” or “groups” in a document in your own cluster and have that data be used within the permissions evaluation functions using something like this:

```json
[
  {
    "name": "teacher",
    "apply_when": { "%%user.custom_data.isTeacher": true },
    "document_filters": {
      "read": true,
      "write": true
    },
    "read": true,
    "write": true
  },
  {
    "name": "student",
    "apply_when": { "%%user.custom_data.isStudent": true },
    "document_filters": {
      "read": { "section": { "$in": "%%user.custom_data.sections" } },
      "write": true
    },
    "read": true,
    "write": true
  }
]
```

The syntax might be a little off in the above, but I hope it explains how you might be able to leverage custom user data for your application.

Best,
Tyler

Hello, thank you for your quick response. I will give it a try.

Do I understand correctly that with this approach, whenever a user joins/leaves a group, I need to add that group id to an array in the user’s custom data, and then I can use that in my rules?

Yes, that is correct. Though that seems like what you were asking for (correct me if I am wrong). The advantage here is that it is data you get to control.

Yes, that was what I was asking for overall. It’s just a bit unusual for me in terms of reversing the relationships. I was thinking of something like a group having a list of students, but I can see how that can be complicated in security rules: first look up all the groups the document lists, then list all user ids from those groups. I will give it a try. Thank you for your help 🙂

Hi, yes, that is fair; however, like you mentioned, having it the other way would be more difficult for a generalized and performant approach. One thing you can do is still have your manual interactions use the conceptual model you want and then use Database Triggers to replicate changes to the user document. I.e., if you have a groups collection that you want to modify to add a user to a list for a specific group, you can have a database trigger set up to listen for that change and replicate it to the user data collection.

Best,
Tyler
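The trigger-based replication Tyler describes, as an added example that is not code from the thread or from MongoDB: the reconciliation logic a database trigger on a `groups` collection would run so that each user's custom data `sections` array (the field the student rule above filters on) mirrors group membership. The collection shapes (`groups.members`, `users.sections`), the database name `app`, and the function names are assumptions.

```javascript
// Assumed shapes (constructed for this example, not from the thread):
//   groups: { _id: <groupId>, members: [<userId>, ...] }
//   users (custom user data): { _id: <userId>, sections: [<groupId>, ...] }

// Pure part: from a change event, work out which users gained or lost the group
// and return the update operations to apply to the custom user data collection.
// Handles insert (no preimage), update/replace (both snapshots) and delete (no
// fullDocument, so every former member loses the group).
function planMembershipUpdates(changeEvent) {
  const groupId = changeEvent.documentKey._id;
  const before = changeEvent.fullDocumentBeforeChange
    ? changeEvent.fullDocumentBeforeChange.members || []
    : [];
  const after = changeEvent.operationType === "delete"
    ? []
    : (changeEvent.fullDocument && changeEvent.fullDocument.members) || [];

  const beforeSet = new Set(before);
  const afterSet = new Set(after);
  const added = after.filter((u) => !beforeSet.has(u));
  const removed = before.filter((u) => !afterSet.has(u));

  const ops = [];
  if (added.length) {
    ops.push({ filter: { _id: { $in: added } },
               update: { $addToSet: { sections: groupId } } });
  }
  if (removed.length) {
    ops.push({ filter: { _id: { $in: removed } },
               update: { $pull: { sections: groupId } } });
  }
  return ops;
}

// Applies the planned updates against a collection handle. In an Atlas Function
// the trigger entry point would be:
//   exports = (ev) => syncGroupMembership(ev,
//     context.services.get("mongodb-atlas").db("app").collection("users"));
// with "Full Document" and "Document Preimage" enabled on the trigger so both
// snapshots arrive. Idempotent: re-running the same event changes nothing.
async function syncGroupMembership(changeEvent, usersCollection) {
  const ops = planMembershipUpdates(changeEvent);
  for (const op of ops) {
    await usersCollection.updateMany(op.filter, op.update);
  }
  return ops.length;
}
```

Because the sync rules only ever see the `sections` array, the trigger is the single place where group membership becomes authorization data; enabling the preimage is what lets removals be detected.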