May 2024

I have created custom functions, and realm users can do CRUD operations according to the authorities in my application design. But I realized something that seems to be a security gap to me: any realm user can access all databases through mongoClient operations, without the custom functions.

For example, I don't want users to be able to access databases with functions like this; I want users to access data only through my custom functions.

const deneme = async () => {
  // Direct access to the Atlas service from the client, bypassing the custom functions
  const mongo = RealmApp.currentUser.mongoClient("mongodb-atlas")
  const sales = mongo.db("rapor724_v2").collection("sales")
  // const result = await sales.deleteMany({})
  const result = await sales.insertMany(kimler) // kimler: array of documents defined elsewhere
  console.log("result", result)
}

I did some research later and saw that in the Mongo Realm Application system we can do this with advanced rules, like on fields, read and write authorities, etc.

But it would be better if we could block all the service functions for a Realm App user while custom functions are open to them.

I did some research again 🙂
What I want is possible.
If we choose the "System (User)" authentication method for our functions, then we don't need to create any database rules or open the database to our Realm users, so any Realm App user can reach any data by using service functions in the frontend like below

const requestFunction = async () => {
  // Service call straight from the client; with no rules defined this path is what we want to close
  const mongo = RealmApp.currentUser.mongoClient("mongodb-atlas")
  const sales = mongo.db("rapor724_v2").collection("sales")
  const result = await sales.find({})
  console.log("result", result)
}
requestFunction()

All users can use only the custom functions we created, like below, so we can manage their authority inside our custom functions and identify them; at the same time, as a system user, we can reach all the data in our database.

const requestFunction2 = async () => {
  // The client only calls the custom function; the function runs as System and decides what to return
  const result = await RealmApp.currentUser.callFunction("getSales")
  console.log("result", result)
  console.log("deneme")
}
requestFunction2()
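As an added example (not code from the original post), here is what the server side of that design looks like: an Atlas App Services function deployed as `getSales` with "Run As: System". Because System bypasses collection rules, every read and write decision has to be made inside the function from `context.user`, and the client payload is never trusted for ownership. The database and collection names come from the post; `tenantId` and `role` in the user's custom data, the `recordSale` function, and the sample documents are assumptions made for this illustration, and the fake `context` at the bottom only exists so the block runs offline.

```javascript
// Added example, not from the original post. Server-side App Services
// function logic that runs as System but enforces per-user authorization.
// "context" is the object App Services hands to every function.
// Assumed: users carry { tenantId, role } in custom_data.

// Filter a user is allowed to read. Pure, so it can be tested offline.
function buildSalesFilter(user) {
  if (!user || !user.id) throw new Error("unauthenticated");
  const custom = user.custom_data || {};
  if (custom.role === "admin") return {};            // admins may read every document
  if (typeof custom.tenantId !== "string" || !custom.tenantId) {
    throw new Error("user has no tenant assigned");
  }
  return { tenantId: custom.tenantId };              // everyone else: own tenant only
}

// Document a user is allowed to insert: the tenant comes from the user's
// custom data, never from the client payload, and the payload is validated.
function buildSaleDocument(user, input) {
  const { tenantId } = buildSalesFilter(user);
  if (!tenantId) throw new Error("sales are recorded through a tenant account");
  if (typeof input.amount !== "number" || !(input.amount > 0)) {
    throw new Error("amount must be a positive number");
  }
  return { tenantId, amount: input.amount, createdBy: user.id };
}

// Body of the deployed "getSales" function (Run As: System).
async function getSales(context) {
  const sales = context.services.get("mongodb-atlas").db("rapor724_v2").collection("sales");
  return sales.find(buildSalesFilter(context.user), { _id: 0 }).toArray();
}

// Body of an assumed "recordSale" function (Run As: System) guarding inserts.
async function recordSale(context, input) {
  const sales = context.services.get("mongodb-atlas").db("rapor724_v2").collection("sales");
  return sales.insertOne(buildSaleDocument(context.user, input));
}

// ---- Constructed stand-in for the App Services context (offline demo only) ----
const SAMPLE_SALES = [
  { _id: 1, tenantId: "t-1", amount: 10 },
  { _id: 2, tenantId: "t-2", amount: 20 },
  { _id: 3, tenantId: "t-1", amount: 30 },
];

function fakeContext(user, store = SAMPLE_SALES.map((d) => ({ ...d }))) {
  const collection = {
    find(filter, projection = {}) {
      const rows = store
        .filter((d) => Object.keys(filter).every((k) => d[k] === filter[k]))
        .map((d) => {
          const out = { ...d };
          for (const k of Object.keys(projection)) if (projection[k] === 0) delete out[k];
          return out;
        });
      return { toArray: async () => rows };
    },
    async insertOne(doc) {
      store.push({ _id: store.length + 1, ...doc });
      return { insertedId: store.length };
    },
  };
  return { user, services: { get: () => ({ db: () => ({ collection: () => collection }) }) } };
}

// What the client's callFunction("getSales") would yield for a tenant user,
// after an insert whose payload tries to claim another tenant.
async function demo() {
  const tenantUser = { id: "u1", custom_data: { tenantId: "t-1" } };
  const ctx = fakeContext(tenantUser);
  await recordSale(ctx, { amount: 5, tenantId: "t-2" }); // tenantId in payload is ignored
  return getSales(ctx);
}

demo().then((rows) => console.log(JSON.stringify(rows)));
```

The post's design relies on one App Services default: a collection with no rules defined denies direct requests made through the SDK's `mongoClient`, while a function running as System still reaches it. That is what keeps `deleteMany`/`insertMany` from the client out while `getSales` keeps working; the code above is the part that then has to do the authorization the rules no longer do.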