MongoDB rules are a combination of a role and the permissions assigned to that role. A role defines a set of users that will have the same read/write access to a document. Roles in Stitch can be defined with an apply-when rule.
The apply-when rule can be defined using the %% variable notation:
{
  "createdBy": "%%user.id"
}
Each role can have one or more permissions that define which fields its users can read and/or write in a document.
MongoDB Stitch also offers four templates that have predefined roles and permissions around the most common use cases:
- Users can only read and write their own data.
- Users can read all data, but only write their own data.
- Users can only read all data.
- Users can read and write their own data. Users that belong to a sharing list can read that data.
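The following added example (not Stitch code and not from the original page) models how an apply-when rule selects a role and how that role's field permissions then limit reads and writes, using the "read all data, but only write their own data" template. The function names, the role layout (`applyWhen`, `fields`), the first-match ordering and the deny-by-default handling of unlisted fields are assumptions of this model.

```javascript
// Simplified model of role selection and field permissions (not Stitch code).
// Assumptions: the first matching role wins; unlisted fields are denied.

// Expand the %%user.id variable to the requesting user's id.
function expand(value, user) {
  return value === "%%user.id" ? user.id : value;
}

// A role applies when every apply-when field equals the document's field.
function roleApplies(role, doc, user) {
  return Object.entries(role.applyWhen)
    .every(([field, expected]) => doc[field] === expand(expected, user));
}

function selectRole(roles, doc, user) {
  return roles.find((role) => roleApplies(role, doc, user)) || null;
}

// Return only the fields the selected role may read; null if no role applies.
function readDocument(roles, doc, user) {
  const role = selectRole(roles, doc, user);
  if (!role) return null;
  const out = {};
  for (const [field, value] of Object.entries(doc)) {
    if (role.fields[field] && role.fields[field].read) out[field] = value;
  }
  return out;
}

function canWrite(roles, doc, user, field) {
  const role = selectRole(roles, doc, user);
  return Boolean(role && role.fields[field] && role.fields[field].write);
}

// Constructed roles: owners may edit the title but not reassign ownership.
const roles = [
  { name: "owner", applyWhen: { createdBy: "%%user.id" },
    fields: { title: { read: true, write: true }, createdBy: { read: true, write: false } } },
  { name: "reader", applyWhen: {},
    fields: { title: { read: true, write: false }, createdBy: { read: true, write: false } } },
];

// Constructed sample document and users.
const doc = { title: "Q3 notes", createdBy: "user-1", internalFlag: true };
const alice = { id: "user-1" };
const bob = { id: "user-2" };
```

In this model the owner role leaves `createdBy` read-only so a user cannot hand a document to another account or claim one they did not create, and `internalFlag` is never returned because no role lists it.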
Authorization is applied before the rules. If a user is not authorized to access a collection, their rules will not be evaluated at all.