I’ve been racking my brain against this for some time now and I’m not sure what the best, most secure, easiest-to-develop path forward is. I would appreciate any pointers.
Here’s the situation:
1. There is an authenticated user (A), and an unauthenticated user.
2. User A is able to open a realm with a partition value equal to their user_id and sync; they have read & write access to their data.
3. User A should be able to “share” a document in their partition, making it publicly accessible, even to unauthenticated users.
4. User A can continue modifying the shared document. Sharing the document doesn’t affect their experience.
5. At some point, the unauthenticated user can access the data within the shared document.
Realm Sync works really well for steps 1 & 2.
However, I can’t figure out how to share a document (i.e. make it publicly accessible).
If I modify the partition value of the shared document (making it “PUBLIC” and allowing users to sync every single shared document), it would no longer sync to user A in their partition.
For step 5, I am currently using Anonymous Authentication to get an accessToken that I can use to create a GraphQL request and get the shared Document that way. This is working.
However, this only works because I have permissive read Sync Permissions, which I would like to tighten before public release of this feature.
I was hoping to define a function that provides access to this shared document only if it has been explicitly shared by user A (object.is_shared == true). However, I can’t define Document-level permissions (nor collection-level permissions).
I’m getting the impression that what I’m trying to do is unsupported by MongoDB Realm?
P.S. For clarity’s sake, the implication here is that with Sync enabled, which is required for me, I can’t define any other kind of Rule, so my only option for now is to make everything readable by everybody, unless I’m mistaken.