About security for realm app user can do with rules

i have created custom functions and realm users can CRUD operations according to authorities according to my design in the application. But i reliezed something seems to be a security gap to me. Any realm user can access to all databases mongoclient operations without custom functions.

for example i want users can not access to databases with this functions, i want users can access only using my custom functions

const deneme = async () => {
const mongo = RealmApp.currentUser.mongoClient(“mongodb-atlas”)
const sales = mongo.db(“rapor724_v2”).collection(“sales”)
// const result = await sales.deleteMany({})
const result = await sales.insertMany(kimler)
console.log(“result”,result)
}

image1940×553 27.6 KB

I did some research later and see that In Mongo Realm Application system we can do this thing advance rules, like on fields, read, write authorities, etc…

But it can be better we can block all the service functions for a Realm App user while custom functions are opeb for them.

I did some research again
it could be possible that I want.
İf we choose “System (User)” authentication method for our functions, so, we don’t necessary create any database rules and open database to our RealmUsers, so, any Realm App User can reach any data by using service functions in frontend like below

const requestFunction = async () => {
const mongo = RealmApp.currentUser.mongoClient(“mongodb-atlas”)
const sales = mongo.db(“rapor724_v2”).collection(“sales”)
const result = await sales.find({})
console.log(“result”, result)
}
requestFunction()

image1787×1243 73.9 KB

all users can use only custom functions we created like below so we can manage their authority in our custom functions we can identify them at the sametime as a system user we can reach all the data in our database

const requestFunction2 = async () => {
const result = await RealmApp?.currentUser.callFunction(“getSales”);
console.log(“result”, result)
console.log(“deneme”)
}
requestFunction2()