Realtime events are being received by users who don’t have read permissions on a newly created document.
Here’s the setup:
- A document is created in the profiles collection via a Function.
- The document is assigned read permissions only for userA and userB.
Permission.read(Role.user('userA')),
Permission.read(Role.user('userB')),
But the issue is:
userC (who has no permissions) receives the documents.create event through the Realtime subscription.
Is this expected behavior for Appwrite Realtime? Shouldn't permission filters be enforced for realtime events as well?
@Steven @D5
TL;DR
Realtime events are triggering for users without read permissions in Appwrite. Developers created a document with read permissions for userA and userB, but userC is still receiving events. They are questioning if this behavior is expected and if permission filters should be enforced for realtime events.
