Back

Can update documents without permissions

  • 0
  • Self Hosted
  • Databases
  • REST API
Faye
18 Jun, 2024, 14:40

Hello.

It looks like I am able to update documents without proper permissions. Using the latest 1.5.7 version.

Would love some help with this.

TL;DR
Developers discovered a potential issue where updating documents with the same data returns the whole doc, but changing the data results in an auth error. After discussing possible causes, they identified that with the `READ` permissions set to `ANY`, `GET` doesn't work but `PATCH` does. The issue was reported with the 1.5.7 version.
Faye
18 Jun, 2024, 14:40

So far GET does not work, but PATCH does

darShan
18 Jun, 2024, 14:53

you mean, with the READ permissions to ANY, GET doesn't work but PATCH does?

Faye
18 Jun, 2024, 14:53

so if i do role any -> read, the read works, if i remove it, the read no longer works.

however, if I do any -> update, i can update, but if i remove it, i can still update

darShan
18 Jun, 2024, 14:56

cannot reproduce πŸ€”. I do get an auth error.

darShan
18 Jun, 2024, 14:57

you have any keys added to the headers? could be possible in that case... πŸ‘€?

darShan
18 Jun, 2024, 14:58

I see whats happening...

darShan
18 Jun, 2024, 14:59

If you update with the SAME data, currently present in the Document, then it does update and returns the whole doc. If you change the data a bit, it returns with an auth error.

@Steven what do you think?

Reply

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more