// With admin user create a test database, two test collection, a custom role, and a user with this custom role
// NOTE: this is a mongosh session transcript, reformatted one statement per line. `use <db>` and the
// `mongosh ...` invocation further down are shell-level commands, not JavaScript, and appear where they were typed.
use mydb;

// Create test data
// Two collections: "app_test" (the one the limited user must NOT be able to drop or rename)
// and "test" (the aggregation source used at the end).
if (!db.getCollectionNames().includes("app_test")) {
  db.createCollection("app_test");
  db.app_test.insertMany([{ name: "item1" }, { name: "item2" }]);
}
if (!db.getCollectionNames().includes("test")) {
  db.createCollection("test");
  db.test.insertMany([{ name: "other1" }, { name: "other2" }]);
}

// Create a custom role
// The privilege is granted database-wide (collection: "" matches every collection in "mydb"),
// so "app_test" and "test" receive the same insert/remove/update rights.
db.createRole(
  {
    role: "customReadWriteRole",
    privileges: [
      {
        resource: { db: "mydb", collection: "" },
        actions: [
          "createCollection",
          //"dropCollection", --> dropCollection not allowed by default
          "find",
          "insert", //--> insert not allowed by default
          "listCollections",
          "remove",
          //"renameCollectionSameDB", --> renameCollectionSameDB not allowed by default
          "update", //--> update not allowed by default
        ]
      },
    ],
    roles: [] // no inherited roles: the actions listed above are the user's entire privilege set
  },
  { w: "majority", wtimeout: 5000 } // write concern applied to the role creation itself
);

// Create a user with custom role
// Test-only credential for this reproduction; the user holds only the custom role above.
db.createUser({
  user: "limitedUser",
  pwd: "password",
  roles: [{ role: "customReadWriteRole", db: "mydb" }]
});

// Login with limited user
mongosh -u limitedUser -p password --authenticationDatabase mydb

// Use my test database
use mydb;

// Try to drop or rename a collection, I want to see an error (and I got an error, so it is okay)
// All three calls were rejected, consistent with the role lacking dropCollection and renameCollectionSameDB.
db.getCollection("app_test").renameCollection("app_test_2");
db.getCollection("app_test").renameCollection("app_test_2", { dropTarget: true });
db.getCollection("app_test").drop();

// I try an aggregate, I want to see an error because I do not have the right to drop or rename a collection
// But I do not see an error, I can replace the original app_test collection with the result of the aggregate
// NOTE(review): $out writes its result over the existing output collection, so the original contents of
// app_test are lost even though drop/rename were denied. Presumably $out is authorized via the insert/remove
// actions on the output collection rather than dropCollection — confirm against the MongoDB docs for the
// server version in use. If app_test must be protected from overwrite, scope the privileges per collection
// (write actions only on "test", read-only on "app_test") instead of the database-wide collection: "".
db.getCollection("test").aggregate([
  { $out: "app_test" }
]);