Private user data in partially synced realms

cloud

#1

Trying to wrap my head around the partial sync… and failing.

Would you always recommend going for partial sync? Or are there any particular cases where the full synchronization is preferable?

In my app users have their own data. There may be shared data, but the bulk of the user’s data is their own. They also always need access to the full dataset of their own data, but they may want to share parts of it with other users. With separate realm files it would be trivial to make sure that a user would have their own entire dataset, but it would have other downsides such as making it harder to share data and harder to do analysis across all users’ data.

Object-level permissions would prevent other users from overwriting your data, but how do I design a query that only gets the data of a particular user? Do I need to add a new user field to each class? Or is there another recommended way?


#2

I also had a bit of a time getting my head around the permissions but it’s actually pretty powerful when you get going.

> Would you always recommend going for partial sync? Or are there any particular cases where the full synchronization is preferable?

If you aren’t going to share the data selectively and the user is in essence sandboxed in their environment then a fully synchronized realm per user is fine and very easy to get running. If you had some data that was shared between everyone, perhaps options, that could be in its own realm too. The user can then open the two realms, his own and the shared one. You can also assign specific users to specific realms, with specific realm-wide permissions, but the user assigned has access to everything, always.

> how do I design a query that only gets the data of a particular user? Do I need to add a new user field to each class? Or is there another recommended way?

You don’t need to, the objects that are returned will be objects that the current user has permissions to.

Retrieval is as easy as:

let objs = realm.objects('myobject')
// this is what filters the objs by the users permissions, without it they get nothing. 
objs.subscribe() 

Setting up the users

Let’s say you assign the following permissions to an object:

myobject.permissions = [
  {role: 'UserGroup1', canRead: true},
  {role: 'AdminGroup1', canRead: true, canUpdate: true}
]

If you assigned User1 and User2 to role ‘UserGroup1’ then both User1 & User2 will have canRead access to that object. If you created another user, User3 and assigned him to the ‘UserGroup1’ role he’d also now have read permissions on that object.

Perhaps you decided later that User1 is an admin, so you assigned him to role ‘AdminGroup1’. Now User1 would have read + update and User2 and User3 would have only read. If you removed User1 from AdminGroup1 he would then lose his update permissions; you wouldn’t have to edit the object’s permissions directly.

All of these updates would result in the objs live object being updated in real time and any listeners you added being called. I use react native and it’s quite beautiful watching my listview’s contents update depending on the roles I assign to the current user.

Partial is much more work to set up but for my model it works just fine. My only gripe is I’d prefer to re-use permissions and assign the role to the object instead of the permissions. I can see the way they did it is much more flexible but it requires more work should you choose to change a role’s permissions in bulk.


#3

Many thanks for that, certainly cleared a few things up. After thinking this through, I am pretty confident I will go with the partial sync, as it would facilitate sharing etc. For some objects I will probably add an “owner” field though so I can use that to filter data.

Haven’t gotten around to permissions yet, but I’ll be sure to check back on this thread when I do. Thanks @sambwest!


#4

@sipe - quick note on your suggestion on filtering on owner id. That’s fine as long as the other users seeing the data is allowed, otherwise it’s a security issue as anyone could potentially manipulate the database to show them other people’s data. In react native, where anyone could potentially reverse engineer the app it’s a concern, for other platforms perhaps not so much(?), but be careful :slight_smile:
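
The role behaviour described in post #2 and the caveat in post #4, as an added plain-JavaScript model that is not part of the thread and is not Realm API. Every function name and the `User2Private` role are hypothetical, and the sample data is constructed; it contrasts permissions enforced before data is synced with an owner filter applied on the client.

```javascript
// Plain-JavaScript model, NOT Realm API. All names are hypothetical.
const roles = new Map(); // role name -> Set of member user ids

function addToRole(role, user) {
  if (!roles.has(role)) roles.set(role, new Set());
  roles.get(role).add(user);
}

function removeFromRole(role, user) {
  if (roles.has(role)) roles.get(role).delete(user);
}

// Effective privileges: union over every role the user is a member of.
// A user in no listed role gets nothing (default deny).
function privileges(user, obj) {
  const eff = { canRead: false, canUpdate: false };
  for (const p of obj.permissions) {
    const members = roles.get(p.role);
    if (!members || !members.has(user)) continue;
    eff.canRead = eff.canRead || p.canRead === true;
    eff.canUpdate = eff.canUpdate || p.canUpdate === true;
  }
  return eff;
}

// Server-side enforcement: unreadable objects never leave the server.
function serverView(user, store) {
  return store.filter((o) => privileges(user, o).canRead);
}

// Client-side owner filter: only narrows what is displayed. Whatever was
// synced is already on the device, so this is not an access control.
function clientOwnerFilter(user, synced) {
  return synced.filter((o) => o.owner === user);
}

// Constructed sample data, reusing the role names from post #2.
const store = [
  { id: 1, owner: 'User1', permissions: [
    { role: 'UserGroup1', canRead: true },
    { role: 'AdminGroup1', canRead: true, canUpdate: true },
  ] },
  { id: 2, owner: 'User2', permissions: [
    { role: 'User2Private', canRead: true, canUpdate: true },
  ] },
];
addToRole('UserGroup1', 'User1');
addToRole('UserGroup1', 'User2');
addToRole('User2Private', 'User2');
```

With `serverView`, User1's device never holds object 2; with only `clientOwnerFilter` over the full store, it does, which is the exposure post #4 warns about.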


#5

Yes, of course I would have to make sure that the permissions are correct anyway :wink: In my case, it will be a combination. Only the owner of the data will have write-permissions, and the owner will be able to add read permissions to his/her friends, who then in turn will be able to query, but not modify :wink: