How to set multiple hierarchy permissions on a document

I am building an app and I have a collection Order, and I want to set permissions.
It's a multi-hierarchy app which has Admin, Registered User and Anonymous user.

Now I want to set roles like this,

  1. Admin can do all CRUD operations.
  2. User can read and insert their own documents but can't delete or update.
  3. Anonymous user can't do any operation on the Order document.

What I have achieved till now is

  1. Admin can read all and insert documents.
  2. Registered user can read but is still not able to insert.
  3. Anonymous user can't do any CRUD operation.

Although I have tried and been partly successful in setting permissions, I am still not able to set the permission for User.

I am sharing what I have done:

{
  "roles": [
    {
      "name": "Admin",
      "apply_when": {
        "%%user.custom_data.custom_data.role": "admin"
      },
      "document_filters": {
        "write": true,
        "read": true
      },
      "read": true,
      "write": true,
      "insert": true,
      "delete": true,
      "search": true
    },
    {
      "name": "user-read-write",
      "apply_when": {
        "%%user.identities.provider_type": "custom-token"
      },
      "document_filters": {
        "read": {
          "customer_id": "%%user.id"
        }
      },
      "read": true,
      "write": true,
      "insert": {
        "%%user.identities.provider_type": "custom-token"
      },
      "delete": false,
      "search": true
    }
  ]
}

Using this permission, admin is able to read and create documents.
User can also read their own documents, but user is unable to insert documents.

How do I set the user permission so the registered user can insert their own documents?

Hi, I suspect your issue might be that the document_filters.write is missing. Try updating it to this:

{
  "name": "user-read-write",
  "apply_when": {
    "%%user.identities.provider_type": "custom-token"
  },
  "document_filters": {
    "read": {
      "customer_id": "%%user.id"
    },
    "write": true // Note this is the change
  },
  "read": true,
  "write": true,
  "insert": {
    "%%user.identities.provider_type": "custom-token"
  },
  "delete": false,
  "search": true
}

Not specifying a permission effectively defaults it to “false”.

Best,
Tyler

Hi Tyler, thanks for the quick response. I have tried that, and after adding write: true in the filter,
User is able to read as I already mentioned but is not able to insert.
You can see the screenshot of the Postman client. Please help out on this.

Hi, 2 things come to mind looking more at this:

  1. Having your insert permission as "%%user.identities.provider_type": "custom-token" is effectively always true given the apply_when is the same. This means that implicitly if this role is selected then insert is always true.

  2. Write access implies read access. So I suspect you might also want to set “write” to be the same as “read” in the document_filters section.

Lastly, can you share with me the document you are trying to insert and possibly a link to the log in the UI?

Thanks,
Tyler

This is the document to be inserted by the Registered User or Admin; anonymous user can't do any operation on the order collection. I have tried and changed so many things in the permission object,
but nothing works, and I have been reading the fundamentals of permissions for the last three days, spending days and nights.

{
    "customerId": "649bc2a58679469c1fed2bf4",
    "createdBy": "649bc2a58679469c1fed2bf4",
    "firstName": "zubair",
    "lastName": "khan",
    "customerEmail": "z@gmail.com",
    "customerWhatsappNo": "+9198999999999",
    "orderAmount": 123376,
    "status": "pending",
    "message": "this is a message",
    "orderDate": "2023-04-09",
    "lastUpdatedOn": "2023-04-09",
    "order_items": [
        {
            "_id": "6466279bec6576a00b5274a0",
            "order_qty": 3
        },
        {
            "_id": "6466279bec6576a00b5274a1",
            "order_qty": 4
        }
    ]
}

I hope you understand the problem.

After doing this change, registered user can insert, but now they can read other users' documents too.

Hi, sorry you are not having a great experience. It would be nice if we provided better details about why permissions are rejecting a change, but that is technically speaking not something permissioning systems should do from a security perspective.

I notice that your rule references customer_id but your document has customerId. My hunch is that you need to modify your rule to reference customerId.

Let me know if that works.

Hello Tyler, thanks for being in touch.
I am modifying and making changes, and what I learned I am just experimenting with.
Please take a look at this now; I also changed customerId to customer_id.

{
  "roles": [
    {
      "name": "Admin",
      "apply_when": {
        "%%user.custom_data.custom_data.role": "admin"
      },
      "document_filters": {
        "write": true,
        "read": true
      },
      "read": true,
      "write": true,
      "insert": true,
      "delete": true,
      "search": true
    },
    {
      "name": "user-read-write",
      "apply_when": {
        "%%user.custom_data.custom_data.role": "customer"
      },
      "document_filters": {
        "read": {
          "customer_id": "%%user.id"
        },
        "write": {
            "%%user.custom_data.custom_data.role": "customer"
        }
      },
      "read": {
        "%%user.custom_data.custom_data.role": "customer"
      },
      "write": {
        "%%user.custom_data.custom_data.role": "customer"
      },
      "insert": {
        "%%user.custom_data.custom_data.role": "customer"
      },
      "delete": false,
      "search": true
    }
  ]
}

But I am getting the same result: Registered User can now insert, but they can also read other Registered Users' documents, which I don't want to let them do.
I hope we will solve this puzzle.

Hi Tyler, I found an interesting thing: I am getting 4 orders out of 5, which is correct, in the UI or User Panel,
but in Postman I am still getting 5 orders.
I think it is a User Management or token-related problem, but I am sending the same access token in Postman.
You can see it in the screenshots of the Registered User Panel, Admin Panel and Postman Client.
Can you put some light on why this is happening? The point I am getting at now is that it is a User Management related issue; I still don't know whether this will work foolproof or not.



Hi, can you try changing your role to this? I suspect this is more in line with what you are trying to do:

{
  "roles": [
    {
      "name": "Admin",
      "apply_when": {
        "%%user.custom_data.custom_data.role": "admin"
      },
      "document_filters": {
        "write": true,
        "read": true
      },
      "read": true,
      "write": true,
      "insert": true,
      "delete": true,
      "search": true
    },
    {
      "name": "user-read-write",
      "apply_when": {
        "%%user.custom_data.custom_data.role": "customer"
      },
      "document_filters": {
        "read": {
          "customer_id": "%%user.id"
        },
        "write": {
          "customer_id": "%%user.id"
        }
      },
      "read": true,
      "write": true,
      "insert": true,
      "delete": false,
      "search": true
    }
  ]
}

Note that it is not possible with our rules system currently to allow inserts but not updates. Inserts are a higher-priority operation, so you can allow writes and not inserts, but you cannot do the opposite.

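To see why each revision of the role in this thread behaved the way it did, here is a small Python model of the rule semantics Tyler states (a missing permission is false, passing the document-level write filter implies read, and insert cannot be allowed without update). It is an added example, not Atlas App Services' rule engine or any code from the project: the expression evaluator, the fixture users and the trimmed order document are constructed here, and the second user's id is a placeholder.

```python
# Toy model of the rule behaviour described in this thread; NOT the real Atlas rule engine.

def resolve(token, user):
    """Expand a %%user.<path> reference against the user object; anything else is a literal."""
    if isinstance(token, str) and token.startswith("%%user."):
        node = user
        for part in token[len("%%user."):].split("."):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return token

def matches(expr, user, doc):
    """A bool, or a flat {doc-field-or-%%user-path: value} equality match (absent field -> None)."""
    if isinstance(expr, bool):
        return expr
    for key, want in expr.items():
        have = resolve(key, user) if key.startswith("%%user.") else doc.get(key)
        if have != resolve(want, user):
            return False
    return True

def granted(role, user, doc):
    """Operations the role grants on doc, modelled as the thread states the rules work."""
    if not matches(role.get("apply_when", False), user, doc):
        return set()                      # role not selected for this user
    filters = role.get("document_filters", {})
    write_doc = matches(filters.get("write", False), user, doc)   # missing key -> false
    read_doc = write_doc or matches(filters.get("read", False), user, doc)  # write implies read
    ops = set()
    if read_doc and matches(role.get("read", False), user, doc):
        ops.add("read")
    if write_doc and matches(role.get("write", False), user, doc):
        ops.add("update")
        if matches(role.get("insert", False), user, doc):   # insert only on top of update
            ops.add("insert")
    return ops

# Constructed fixtures: OWNER's id is the customer id from the order document in the thread,
# OTHER's id is a placeholder, and ORDER is that document trimmed to the fields the rule reads.
OWNER = {"id": "649bc2a58679469c1fed2bf4", "custom_data": {"custom_data": {"role": "customer"}}}
OTHER = {"id": "000000000000000000000000", "custom_data": {"custom_data": {"role": "customer"}}}
ORDER = {"customer_id": "649bc2a58679469c1fed2bf4", "orderAmount": 123376, "status": "pending"}

def customer_role(write_filter):
    """The user-read-write role with document_filters.write as the knob (False = key missing)."""
    return {"apply_when": {"%%user.custom_data.custom_data.role": "customer"},
            "document_filters": {"read": {"customer_id": "%%user.id"}, "write": write_filter},
            "read": True, "write": True, "insert": True, "delete": False, "search": True}
```

With no write filter the owner can only read; with write: true both users get read, update and insert on the same order, which is the cross-user read observed above; with the ownership filter the other user gets nothing, and a document carrying customerId instead of customer_id matches neither filter.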

Yuppp, it's working, but how??
Could you please give me some resources or articles for better fundamentals and understanding?
All operations are working fine.

  1. Anonymous User can't read or write.
  2. Registered User can insert and read their own documents only.
  3. Admin can read all documents and can insert documents.

I think there would not be any problem with update for both Admin and Registered User.

I want to understand the basis of this situation, and I also read the permission flowcharts
in the documentation.

The flow charts defined here should ideally make it clearer (though it sounds like you have seen them): https://www.mongodb.com/docs/atlas/app-services/rules/roles/#write-permissions-flowchart

If you have any feedback for what can be clearer I would be happy to pass it along to the documentation team. Unfortunately in order to be as expressive as they are, rules can sometimes be a bit difficult to fully parse and understand.

Thanks for the support, it's working fine now, but
it is stuck on the update query, as Registered User needs to update the document.

In the current permissions Admin can update the document, but again when Registered User
tries to update it, it returns an error.
I think it should work with the given permissions, but it is not working.

{
    "error": "uncaught promise rejection: update not permitted",
    "error_code": "UncaughtPromiseRejection",
    "link": "https://realm.mongodb.com/groups/62e61c902459d97e2adf92d1/apps/644fd75ceff19ed45a851cfc/logs?co_id=649c710be40e79c34f34dc09"
}

Please help me on this too. I think this will solve many problems of mine and of other developers too.
