Permission rule for owner user, Apollo GraphQL

Hello,

I am trying to get a straightforward user check working when inserting a comment over Apollo GraphQL.

The request should only be allowed if the user field matches the currently authenticated user.

mutation($user: ObjectId!, $comment: String!) {
  insertOneComment(data: {
    comment: $comment
    user: $user
  }) {
    _id
  }
}

In Realm rules, under owner I have tried lots of variations, including hardcoding the user ID to validate. Unfortunately, I can’t get the rule to work.

{
  "user": "%%user.id"
}

Hardcoded test

{
  "user": "<SOME_USER_OBJECT_ID>"
}

I read on another thread that this could be due to the client passing the user as an ObjectId and not a String. However, if I try a String this doesn’t work as GraphQL is expecting an ObjectId.

Any help would be greatly appreciated.

Welcome to the community Niall -

Can you link your app URL so I can take a closer look at your schema/rules?

If user is a field with an ObjectId type in your schema and you’re not using custom user data, this should work unless there are other rules preventing this or a typo in the schema/user. I believe the reason hardcoding the ObjectId isn’t working either is because it is being treated as a string, and thus not passing the rule.

Hey Niall - similar to what the post you read said, %%user.id is actually a string. Therefore, you’re comparing an ObjectId to a string and it’s not passing the rule.

To get around this you can use a function (although we are introducing expressions such as %%oidToString and %%stringToOid very soon)

rule:

{
  "%%true": {
    "%function": {
      "name": "equalStrings",
      "arguments": [
        "%%user.id",
        "%%root.user"
      ]
    }
  }
}

function (equalStrings, System Function):

exports = function(arg1, arg2){
  // Coerce both arguments to strings so an ObjectId (from the document)
  // and a string id (%%user.id) are compared by value, not by type
  return String(arg1) === String(arg2);
};
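To make the type mismatch concrete, here is an added example that is not code from the thread or from Realm: a small local model of the rule evaluation. `ObjectIdStub` is a constructed stand-in for a BSON ObjectId, `evaluateOwnerRule` is a hypothetical evaluator of the rule shape posted above (not Realm's engine), and the sample ids and comment document are constructed inputs. It shows that the direct `{"user": "%%user.id"}` comparison is never true because the types differ, that the `equalStrings` function makes the owner match while another user still fails, and adds one guard the thread's function lacks: a missing value on either side is rejected rather than stringified.

```javascript
// Added example, not code from the original thread: a local model of how the
// owner rule is evaluated. ObjectIdStub stands in for a BSON ObjectId and
// evaluateOwnerRule is a hypothetical evaluator, not Realm's rule engine.

// Minimal stand-in for a BSON ObjectId: 24 hex characters, stringifies to its hex.
class ObjectIdStub {
  constructor(hex) {
    if (!/^[0-9a-f]{24}$/i.test(hex)) {
      throw new Error("ObjectId must be 24 hex characters");
    }
    this.hex = hex.toLowerCase();
  }
  toString() {
    return this.hex;
  }
}

// What the original rule {"user": "%%user.id"} amounts to: the document's `user`
// field (an ObjectId) compared directly with %%user.id (a string). The types
// differ, so this is never true, even for the real owner.
function naiveOwnerCheck(ctx) {
  return ctx.root.user === ctx.user.id;
}

// The equalStrings function from the thread, with one added guard: a missing
// value (undefined/null) on either side is rejected instead of being turned into
// the string "undefined"/"null", so two absent fields can never compare equal.
function equalStrings(arg1, arg2) {
  if (arg1 === undefined || arg1 === null || arg2 === undefined || arg2 === null) {
    return false;
  }
  return String(arg1) === String(arg2);
}

// Registry standing in for the app's Functions section; the rule refers to the
// function by name, so the name here must match the rule exactly.
const systemFunctions = { equalStrings };

// Resolve the two expansions the rule uses: %%user.id (the caller's user id)
// and %%root.<field> (a field of the document being inserted).
function expand(token, ctx) {
  if (token === "%%user.id") return ctx.user.id;
  if (typeof token === "string" && token.startsWith("%%root.")) {
    return ctx.root[token.slice("%%root.".length)];
  }
  return token;
}

// Evaluate a rule of the shape
// {"%%true": {"%function": {"name": ..., "arguments": [...]}}}:
// call the named function with the expanded arguments and require `true`.
function evaluateOwnerRule(rule, ctx) {
  const call = rule["%%true"]["%function"];
  const fn = systemFunctions[call.name];
  if (!fn) throw new Error(`unknown function ${call.name}`);
  const args = call.arguments.map((t) => expand(t, ctx));
  return fn(...args) === true;
}

// The rule exactly as posted in the thread.
const ownerRule = {
  "%%true": {
    "%function": {
      name: "equalStrings",
      arguments: ["%%user.id", "%%root.user"],
    },
  },
};

// Constructed sample contexts: the authenticated user's id and the comment
// document that insertOneComment would write.
const OWNER_ID = "5f2b7c1e9d3a4b1234567890";
const OTHER_ID = "ffffffffffffffffffffffff";
const commentDoc = { comment: "first!", user: new ObjectIdStub(OWNER_ID) };
const asOwner = { user: { id: OWNER_ID }, root: commentDoc };
const asOther = { user: { id: OTHER_ID }, root: commentDoc };

console.log("naive rule, real owner:", naiveOwnerCheck(asOwner)); // false
console.log("function rule, real owner:", evaluateOwnerRule(ownerRule, asOwner)); // true
console.log("function rule, other user:", evaluateOwnerRule(ownerRule, asOther)); // false
```

The guard in `equalStrings` matters because `String(undefined)` is the literal `"undefined"`; without it, a document missing its `user` field compared against an absent id would pass the rule. Whether both sides can ever be absent in Realm depends on your schema and auth setup, so treat the guard as cheap insurance rather than a fix for a known case.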

Thank you Sumedha, this is excellent.

Where do I add the equalStrings function in the format that you provided? I presume it can’t sit within the Rule as it’s expecting a JSON expression.

Does it need to be placed in the custom functions section? I have tried that and it’s having trouble with the formatting provided.

It needs to be added in the “Functions” section (accessed via the side nav). The name of the function has to be the same as what is referred to in your rules (mine was called equalStrings), it has to be a System function, and the logic has to return whether the two strings (or ObjectIds) are equal.


What formatting trouble were you running into?

It’s working now, thanks for your help :+1: