rkistner
Contributor

Feedback from Masha Kozhyna [email protected]:

  1. You updated the documentation about permissions, but it is still misleading. The rights necessary for the sync and automatic post-image configuration are readWrite@<your_database>._powersync_checkpoints, read@<your_database> and dbAdmin@<your_database>, all together.

Updated this one.

I would like to address again also the question of permissions management. Granting the dbAdmin@ allows PowerSync to automatically enable changeStreamPreAndPostImages, but poses risks because it doesn't adhere to the principle of least privilege, potentially exposing the system to unnecessary vulnerabilities. So maybe we can provide instead some custom role with only the specific privileges needed for operations: find, insert, remove, update, changeStream, collMod, dbStats, listCollections.

I don't think dbStats is required, but I made sure the rest are documented. These are the same for self-hosted setups, so I updated that section to note these also apply to Custom Roles on Atlas.
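
Added example (not part of the original comment and not PowerSync's own code): a sketch of the custom role discussed above, as a `createRole` command document, with a small audit function that reports anything a role grants beyond that action list. The role name `powersync_sync`, the database name `app` and the assignment of actions to resources are assumptions; `dbStats` is left out, following the reply above.

```javascript
// Added example, not the project's code. Role name and the split of
// actions across resources are assumptions; the action names come from the thread.
const CHECKPOINTS = "_powersync_checkpoints";
const WRITE_ACTIONS = ["insert", "remove", "update"];
const ALLOWED = new Set(["find", "changeStream", "listCollections", "collMod", ...WRITE_ACTIONS]);

// Command document for db.getSiblingDB(dbName).runCommand(...) in mongosh.
function buildSyncRole(dbName, roleName = "powersync_sync") { // roleName is hypothetical
  if (!/^[A-Za-z0-9_-]{1,63}$/.test(dbName)) throw new Error("unexpected database name");
  return {
    createRole: roleName,
    privileges: [
      // Writes are confined to the checkpoints collection.
      { resource: { db: dbName, collection: CHECKPOINTS }, actions: ["find", ...WRITE_ACTIONS] },
      // collection "" means every non-system collection in dbName.
      { resource: { db: dbName, collection: "" },
        actions: ["find", "changeStream", "listCollections", "collMod"] },
    ],
    roles: [], // nothing inherited, in particular no dbAdmin
  };
}

// Lists everything a role document grants beyond the set above.
function auditRole(roleDoc, dbName) {
  const findings = [];
  for (const r of roleDoc.roles || []) {
    findings.push("inherits " + (typeof r === "string" ? r : `${r.role}@${r.db}`));
  }
  for (const { resource = {}, actions = [] } of roleDoc.privileges || []) {
    if (resource.db !== dbName) findings.push("resource outside " + dbName);
    for (const action of actions) {
      if (!ALLOWED.has(action)) {
        findings.push("extra action " + action);
      } else if (WRITE_ACTIONS.includes(action) && resource.collection !== CHECKPOINTS) {
        findings.push(`${action} granted beyond ${CHECKPOINTS}`);
      }
    }
  }
  return findings;
}

// Constructed sample: the broad grant the feedback objects to, plus a stray write.
const broad = buildSyncRole("app");
broad.roles.push({ role: "dbAdmin", db: "app" });
broad.privileges[1].actions.push("update", "dbStats");
console.log(auditRole(buildSyncRole("app"), "app")); // []
console.log(auditRole(broad, "app"));
```
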

@rkistner rkistner requested a review from benitav January 28, 2025 11:38
@cahofmeyr cahofmeyr self-requested a review January 28, 2025 14:14
@cahofmeyr cahofmeyr merged commit 0ea41ff into docs Jan 28, 2025
2 checks passed
@cahofmeyr cahofmeyr deleted the mongodb-permissions branch January 28, 2025 14:15