[SOLVED] Who is responsible on the permissions?

  • 1
  • Users
  • Databases
  • Web
ThisIsStep2
23 Nov, 2023, 18:12

I write in Node.js. I create a document, and this specific document should be available only to the current user, so I add permissions:

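```typescript
// The snippet as posted started mid-call; the opening of the call is reconstructed
// from the argument list and the database ID used in the listDocuments call below.
await databases.createDocument(
    conf.appwriteDatabaseId,
    clubsCollectionId,
    ID.unique(),
    {
        ...club,
        owner: this.currentUser?.$id // This is for me - to check permissions myself!
    },
    [
        Permission.read(Role.user(<string>this.currentUser?.$id)),
        Permission.update(Role.user(<string>this.currentUser?.$id)),
        Permission.delete(Role.user(<string>this.currentUser?.$id)),
    ]
)
```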

However, when I want to get the documents, I aim to have ONLY those I have access to:

```typescript
const ans: ApiResponse = await databases.listDocuments(
    conf.appwriteDatabaseId,
    clubsCollectionId,
    // [
    //     Query.equal("owner", [<string>this.currentUser?.$id]) // This is my check
    // ]
);
return ans
```

Now, should I do this check manually? Or should Appwrite check the permission before returning the answer?
Am I using the permissions wrong?
TL;DR
The user is experiencing issues with document permissions in their Appwrite application. They want to restrict access to documents so that only the user who created them can read them. The suggested solution is to disable read permissions for any user except the owner of the document. Additionally, make sure that all users have the ability to create documents and that the "Any" role has read permissions if everyone should be able to read the documents. The user implemented these permissions in their Node.js code but is still experiencing issues where all users can change all document information. They question if they are using the permissions incorrectly and ask if Appwrite should be responsible for checking
ideclon
23 Nov, 2023, 21:52

You won’t be able to get Documents you don’t have permissions on

ideclon
23 Nov, 2023, 21:53

Are you getting back Documents you would expect to not have Read permissions on?

ThisIsStep2
24 Nov, 2023, 08:13

Yes. Currently, all users get all documents 😕

ThisIsStep2
24 Nov, 2023, 08:23

And somehow all users can change all info, although I try to use permissions:

ThisIsStep2
24 Nov, 2023, 08:24

and the document security is on for this collection

fafa
24 Nov, 2023, 08:41

Hey.

It sounds like you have a global permission on in the collection. Is that correct?

fafa
24 Nov, 2023, 08:41

This section:

ThisIsStep2
24 Nov, 2023, 09:07

Yes, you're right!!! Thank you! That solves the issue!!! Thank you!

To get this straight: if no permission is set on the collection level, who could create records there? What should be the right way to have it secured?

fafa
24 Nov, 2023, 09:59

Make sure "users" can CREATE a document. If you want everyone to read it, make sure "Any" has READ on.

fafa
24 Nov, 2023, 09:59

If you want only the same user to read its own documents, disable read for any.

ThisIsStep2
24 Nov, 2023, 12:22

Thank you! How do I mark this as solved?

fafa
24 Nov, 2023, 17:10

Rename the title in the beginning with [Solved]

Haimantika
24 Nov, 2023, 19:05

[SOLVED] Who is responsible on the permissions?

Haimantika
24 Nov, 2023, 19:05

I got you 😄
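
The behaviour resolved in this thread, as an added example that is not part of the original posts and not Appwrite's own code: a simplified TypeScript model in which a collection-level grant applies to every document, and document-level grants are consulted only when document security is on. The user names, document IDs and the exact permissions on the `loose` collection are constructed assumptions; the thread only says a global permission was enabled on the collection.

```typescript
// Simplified model of the access decision discussed in this thread (not Appwrite source code).
// Permission strings use the format the SDK helpers produce, e.g. read("user:<id>").
type Action = "read" | "update" | "delete";
interface Caller { userId: string | null }   // null = not signed in
interface Collection { permissions: string[]; documentSecurity: boolean }
interface Doc { id: string; permissions: string[] }

// Roles a caller holds: everyone is "any"; signed-in users are also "users" and "user:<id>".
function rolesOf(caller: Caller): string[] {
    return caller.userId === null ? ["any", "guests"] : ["any", "users", `user:${caller.userId}`];
}

function grants(permissions: string[], action: string, caller: Caller): boolean {
    return rolesOf(caller).some(role => permissions.includes(`${action}("${role}")`));
}

// A collection-level grant covers every document in the collection. Document-level
// grants only count when document security is enabled. Either one is sufficient.
function canAccess(col: Collection, doc: Doc, action: Action, caller: Caller): boolean {
    if (grants(col.permissions, action, caller)) return true;
    return col.documentSecurity && grants(doc.permissions, action, caller);
}

// Creating documents is decided at the collection level only.
function canCreate(col: Collection, caller: Caller): boolean {
    return grants(col.permissions, "create", caller);
}

function listVisible(col: Collection, docs: Doc[], caller: Caller): string[] {
    return docs.filter(d => canAccess(col, d, "read", caller)).map(d => d.id);
}

// Constructed sample data: two documents, each restricted to its owner as in the question.
const ownerPerms = (id: string) => [`read("user:${id}")`, `update("user:${id}")`, `delete("user:${id}")`];
const docs: Doc[] = [
    { id: "club-a", permissions: ownerPerms("alice") },
    { id: "club-b", permissions: ownerPerms("bob") },
];

// Assumed misconfiguration: the collection itself grants read/update to all signed-in users.
const loose: Collection = { documentSecurity: true, permissions: ['create("users")', 'read("users")', 'update("users")'] };
// Corrected: the collection only allows create; read/update/delete come from each document.
const strict: Collection = { documentSecurity: true, permissions: ['create("users")'] };

const alice: Caller = { userId: "alice" };
console.log("loose  list:", listVisible(loose, docs, alice));
console.log("strict list:", listVisible(strict, docs, alice));
console.log("alice updates bob's doc:", canAccess(loose, docs[1], "update", alice), canAccess(strict, docs[1], "update", alice));
```

With the `strict` settings the manual `Query.equal("owner", ...)` filter from the question is not needed for access control, because documents the caller cannot read are never returned.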
