I am in the process of building a basic no-code solution to build RESTful APIs that support CRUD operations on a MongoDB collection. Right now it is just a Proof of Concept project that I use internally with no external users.
I saw this question on Stack Overflow the other day and I thought that it could allow me to convert this little project into a SaaS concept.
Allowing users to create their own collections in MongoDB could be potentially insecure, but I couldn't think of any catastrophic consequence... Maybe the fact that malicious users can purposely create a collection that is horrible in performance? Or maybe the user could inject some references to other collections...?
Does having a separated Mongo database help to mitigate those attacks? Or could you give me more reasons why this is a bad idea?
Thank you very much!
A few problems I can think of
A different approach would be you create the collection for them and let them put the data into a mixed field. Still, you will face the indexing problem to some extent.
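A sketch of the server-created collection with a mixed field that the answer describes, as an added example that is not part of the original answer. The function names, the `tenantId` and `data` fields, and the size and depth limits are assumptions chosen for illustration.

```javascript
// Added example: envelope for user data kept in one server-created collection.
// Every name and limit here is an assumption, not taken from the thread.
const MAX_DEPTH = 5;          // assumed cap on nesting
const MAX_BYTES = 16 * 1024;  // assumed cap on serialized payload size

// Reject field names MongoDB treats specially ("$" operators, dotted paths)
// and payloads nested deeper than MAX_DEPTH.
function checkPayload(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error("payload nested too deeply");
  if (value === null || typeof value !== "object") return;
  for (const [key, child] of Object.entries(value)) {
    if (!Array.isArray(value) && (key.startsWith("$") || key.includes("."))) {
      throw new Error(`illegal field name: ${key}`);
    }
    checkPayload(child, depth + 1);
  }
}

// Build the document the server inserts. The user controls only `data`;
// the collection name and tenantId come from the server-side session.
function wrapForStorage(tenantId, payload) {
  if (typeof tenantId !== "string" || tenantId === "") throw new Error("missing tenantId");
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    throw new Error("payload must be an object");
  }
  checkPayload(payload);
  if (Buffer.byteLength(JSON.stringify(payload), "utf8") > MAX_BYTES) {
    throw new Error("payload too large");
  }
  return { tenantId, createdAt: new Date(), data: payload };
}

// Build a read filter: user-supplied equality matches are confined to data.*
// and tenantId is always pinned by the server.
function scopedFilter(tenantId, equals) {
  const filter = { tenantId };
  for (const [field, value] of Object.entries(equals)) {
    if (field.startsWith("$") || field.includes(".")) throw new Error(`illegal field name: ${field}`);
    if (value !== null && typeof value === "object") throw new Error("only scalar matches allowed");
    filter[`data.${field}`] = value;
  }
  return filter;
}
```

Because every query carries the server-set `tenantId`, a single compound index that starts with `tenantId` serves all tenants; arbitrary keys under `data` remain unindexed, which is the indexing problem the answer mentions.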