Back
Ghost permissions after uploading a file
Hello. I'd like to bring up some behavior of Appwrite that I can't explain. My configuration is as follows:
TypeScript
- Bucket: Uploads, permissions: only Users.create, file security: off```
I have a function that is triggered by `buckets.*.files.*.create.` Here is a dump of the request from the server:
```{"bodyRaw":"{\"$id\":\"65db4520453e21a2cbb6\",\"bucketId\":\"64b131922f6e02d64f37\",\"$createdAt\":\"2024-02-25T14:56:32.534+00:00\",\"$updatedAt\":\"2024-02-25T14:56:32.534+00:00\",\"$permissions\":[\"read(\\\"user:65db382d6cd458a3207e\\\")\",\"update(\\\"user:65db382d6cd458a3207e\\\")\",\"delete(\\\"user:65db382d6cd458a3207e\\\")\"],```
As you see there's a permission array that says that the user can read, update and delete the file they uploaded. My question is: How did these permissions get there? π€ The team in which the user is in does not have permissions to update or delete documents within the Uploads bucket, only to create files.
Also, these read, update and delete permissions the user have aren't visible anywhere from within the Appwrite console. It's a mystery to me how these permissions get there. π€
TL;DR
Developers experiencing ghost permissions issue after uploading a file. Permissions are added by default by the SDK, overriding team permissions set in the configuration. Solution: Check SDK settings for automatic permission inclusion.
It is added by default by the SDK
