
Relationship Permissions are ignored when creating with relationship id

  • Databases
  • Flutter
  • Self Hosted
anmot.
9 Dec, 2023, 00:22

I have two collections, A and B, and created a many-to-one relationship attribute in A.

Collection A Permissions: create:user/verified

Collection B Permissions: none

✅ Case 1: Creating a document in both A and B together. Expected: 401, Actual: 401, as the user does not have create permission on collection B.

JSON
{
  "a_field1": "val",
  "b_collection_ref": {
    "b_field1": "val"
  }
}

❌ Case 2: Creating a document in A alone. The document in B already exists, so the existing doc id is used. Expected: 401, Actual: 200. The user does not have read permission on collection B or on the document in B. Ideally this operation should result in 401, but it succeeds and creates a document in A with a relationship to B.

JSON
{
  "a_field1": "val",
  "b_collection_ref": "b_doc_id"
}
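The two cases above, modelled as an added example that is not Appwrite's own code: a small in-memory authorization check for writes to collection A, where the relationship attribute can either nest a new B document or link an existing one by id. The `enforceLinkRead` flag switches between the behaviour reported in the post (only the parent's create permission is checked when linking by id) and the behaviour the post expects (the caller must also be able to read the linked child). Collection names, roles, the `createDocument`/`runCase` helpers and the fixture data are constructed for this example.

```typescript
// Added example, not Appwrite code. Models permission checking for a document
// written to collection A that references collection B through a relationship.

type Action = "create" | "read" | "update" | "delete";
type Permission = string;            // "action:role", e.g. "create:user/verified"

interface Doc { $id: string; $permissions: Permission[]; [field: string]: unknown }
interface Collection { permissions: Permission[]; docs: Map<string, Doc> }
interface User { roles: string[] }   // e.g. ["any", "users", "user/verified"]
type Relation = { relatedCollection: string };
type Schema = Record<string, Record<string, Relation>>;  // collection -> attr -> target

class PermissionError extends Error { readonly status = 401; }

// A grant matches if it names the requested action and one of the user's roles.
// Collection-level and document-level grants are simply concatenated by the caller.
function allowed(user: User, action: Action, grants: Permission[]): boolean {
  return grants.some(g => {
    const i = g.indexOf(":");
    return g.slice(0, i) === action && user.roles.includes(g.slice(i + 1));
  });
}

function createDocument(
  db: Record<string, Collection>, schema: Schema, user: User,
  collectionId: string, data: Record<string, unknown>,
  enforceLinkRead: boolean,          // false = behaviour reported in the post
): Doc {
  const col = db[collectionId];
  if (!allowed(user, "create", col.permissions))
    throw new PermissionError(`create denied on ${collectionId}`);
  const rels: Record<string, Relation> = schema[collectionId] ?? {};
  const fields: Record<string, unknown> = {};
  for (const [name, value] of Object.entries(data)) {
    const rel = rels[name];
    if (!rel) { fields[name] = value; continue; }
    const target = db[rel.relatedCollection];
    if (typeof value === "string") {
      // Link by id. Without the read check, a caller can attach its own document
      // to any child whose id it can guess or has seen (the post's Case 2).
      const child = target.docs.get(value);
      if (!child) throw new Error(`${rel.relatedCollection}/${value} not found`);
      if (enforceLinkRead &&
          !allowed(user, "read", [...target.permissions, ...child.$permissions]))
        throw new PermissionError(`read denied on ${rel.relatedCollection}/${value}`);
      fields[name] = value;
    } else {
      // Nested child: recurse, so create permission on the child collection is
      // checked exactly as for a direct write (the post's Case 1).
      const child = createDocument(db, schema, user, rel.relatedCollection,
                                   value as Record<string, unknown>, enforceLinkRead);
      fields[name] = child.$id;
    }
  }
  const doc: Doc = { ...fields, $id: `${collectionId}_${col.docs.size + 1}`, $permissions: [] };
  col.docs.set(doc.$id, doc);
  return doc;
}

// Constructed fixture matching the post: A grants create to verified users, B grants
// nothing at collection level, and "b_doc_id" already exists in B with no grants.
function fixture(): { db: Record<string, Collection>; schema: Schema; user: User } {
  const b: Doc = { $id: "b_doc_id", $permissions: [], b_field1: "val" };
  return {
    db: {
      A: { permissions: ["create:user/verified"], docs: new Map() },
      B: { permissions: [], docs: new Map([[b.$id, b]]) },
    },
    schema: { A: { b_collection_ref: { relatedCollection: "B" } } },
    user: { roles: ["any", "users", "user/verified"] },
  };
}

// Returns the HTTP-style status the request body from the post would receive.
function runCase(caseNo: 1 | 2, enforceLinkRead: boolean): number {
  const { db, schema, user } = fixture();
  const body = caseNo === 1
    ? { a_field1: "val", b_collection_ref: { b_field1: "val" } }   // nested
    : { a_field1: "val", b_collection_ref: "b_doc_id" };           // link by id
  try { createDocument(db, schema, user, "A", body, enforceLinkRead); return 200; }
  catch (e) { if (e instanceof PermissionError) return e.status; throw e; }
}
```

`runCase(1, false)` and `runCase(1, true)` both yield 401, since the nested form always reaches the create check on B. `runCase(2, false)` yields 200, reproducing the reported behaviour, while `runCase(2, true)` yields 401 because the linked child is neither readable at collection nor document level.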
anmot.
9 Dec, 2023, 19:06

@Drake Can you please take a look?

Drake
9 Dec, 2023, 19:41

Please do not tag people as it can be disruptive

anmot.
9 Dec, 2023, 20:45

Sure. Is there a support alias?

D5
9 Dec, 2023, 21:17

Nope, people take a look anyway when they can 😅

D5
9 Dec, 2023, 21:18

Isn't that expected? I don't understand the issue, sorry.

anmot.
9 Dec, 2023, 22:57

Thanks for looking into this. When creating, updating or reading both parent and child documents, the user has to have permissions on both the parent and the child document, but when linking the parent and child document through references, Appwrite only checks whether the user has permission on the parent document. This could lead to a security issue where a user can link any child document without having the necessary permissions on that child document.

For example, let's say we have two collections, Posts (parent) and Groups (child). A user can create a document in Posts and link it to any private group without having permission on that private group document. In other words, any user can create a post in any group. So the question is why Appwrite has to treat linking a child document through a reference any differently than the nested syntax.

Drake
9 Dec, 2023, 23:01

Hmm ya I would expect the user to only be able to link to a document if they can read it

anmot.
9 Dec, 2023, 23:09

Yes, ideally user should have read permission on child document. What are the next steps on this? Shall I create an issue?

D5
9 Dec, 2023, 23:22

Oh, I understand now. Huge thanks for the detailed explanation!

anmot.
9 Dec, 2023, 23:32

Thanks for your support. Submitted an issue. https://github.com/appwrite/appwrite/issues/7263
