$searchBeta is not a function if there are Permission Rules

First of all let me say that $searchBeta is really good.

I’ve been using it in a function querying a test collection with great results.

exports = function(arg){
  
  var collection = context.services.get("mongodb-atlas").db("test").collection("test");
  var doc = collection.aggregate([
    {
      $searchBeta: 
      { 
        "text": 
        {
          "query": arg, 
          "path": ["title","location"],
          "fuzzy": { "maxEdits": 1, "maxExpansions": 10}
        } 
      } 
    },
  ]);
  
  return doc;
};

My problems began when I tried added Permission Rules to the collection, initially just to separate anonymous users from those with some metadata fields.

All of a sudden my function above now only works for the System User. For all others it throws an error:

Location16436 Unrecognized pipeline stage name: '$searchBeta'

After much tinkering with the permissions, I found that the bug happens both when

  1. Setting any role with an Apply When condition OR
  2. Setting field-level permissions

In other words: $searchBeta only runs with a vanilla permission role: no Apply When rule and either read or r/w all fields.

This is a minimal example to reproduce the bug:

These rules work

{
  "roles": [
    {
      "name": "non-owner",
      "apply_when": {},
      "insert": false,
      "delete": false,
      "read": true,
      "write": false,
      "fields": {},
      "additional_fields": {}
    }
  ],
  "filters": [],
  "schema": {}
}

These don’t work

{
  "roles": [
    {
      "name": "non-owner",
      "apply_when": {},
      "insert": false,
      "delete": false,
      "write": false,
      "fields": {
        "title": {}
      },
      "additional_fields": {
        "read": true
      }
    }
  ],
  "filters": [],
  "schema": {}
}

Hi Dalmo – As you note, $searchBeta is only available in System functions currently. There are a few aggregation stages like this which are covered in our Aggregation API reference. Our current best practices are to use $searchBeta in a system function and make necessary access checks within the logic of the function.

2 Likes

Thanks! I missed that table… So actually the bug is in the fact that it does work when there are no rules set? Because I was able to run it as users.

On a side note I just had an UI bug error: css failed to load (or something like that) and it was telling me to contact you @Drew_DiPalma directly! It went away after refreshing the page. :slight_smile:

Hi Dalmo – It is actually a bit nuanced, when there are full R/W permissions open on a collection we treat the request the same as a System request so it was the addition of rules that changed the behavior. As a note we are also looking to improve the interplay of Search/Rules in the future.

As for the CSS issue we’ll keep an eye out for that bug and feel free to drop me a message if you run into anything unexpected in the UX.

1 Like

Alright, but in the case I described, the default rule was readonly, not full R/W. It makes no difference in this case really, but just for the record.