Are we able to create records in collections with permissions of a different user than the caller of this request (with document security on)? I have a backend function in Appwrite that manages this scenario, but I am getting 401 no matter how I configure the scopes in either the function or the collection.
@Meldiron regarding this https://discord.com/channels/564160730845151244/564160731327758347/1432338675781337139
I am using x-appwrite-key from headers. Endpoint is: https://fra.cloud.appwrite.io/v1 and the project id is correct 100%.
Can you share your code with me? I'll see if I can spot any potential issue. (minimal, if possible)
Also, here is our starter function example, which uses server SDK to list users: https://github.com/appwrite/templates/blob/main/node/starter/src/main.js
x-appwrite-key starts with dynamic_..., so it's good; when I decode it with base64 I can see scopes
that should make it work
hmm what else 🤔 Can you please print entire error, including body? I can then trace it to specific line of code in Appwrite
The operation I am trying to do is a simple createDocument call on databases.
When using a JWT based client in the function I was able to add only the permissions of the caller.
When using an x-appwrite-key based client in the function I was getting 401 always, no matter if I specified permissions or not.
the error:
[ERROR] [Appwrite Error] user_unauthorized in createDocument:6839be33000b946e38df: The current user is not authorized to perform the requested action. (Code: 401) - Hint: User may not have permission to access this resource {"error":null}
[ERROR] Stack trace: AppwriteException: The current user is not authorized to perform the requested action.
at _Client.call (file:///usr/local/server/src/function/node_modules/node-appwrite/dist/client.mjs:278:13)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async Databases.createDocument (file:///usr/local/server/src/function/node_modules/node-appwrite/dist/services/databases.mjs:1668:12)
at async retryOperation.maxRetries (file:///usr/local/server/src/function/s {"error":null}
[ERROR] [rejectDeal] ❌ Rejection failed: The current user is not authorized to perform the requested action. {"error":null}
[ERROR] Error response {"error":{}}
Insightful ✨ I know there is a different error message for when you are authorized wrong, and when you are not authorized.
Makes me think it really knows the dynamic key and project. 2 more ideas:
- As silly as it sounds, can you please check if in function settings it has scopes for documents.write?
- As silly as it sounds, can you try and deploy your function again?
I added all possible scopes on the function, I also tried adding Any for all operations on the collection.
After redeploying nothing changes, but check the response from the execution:
{
  "$id": "68ff6230419fee5e6221",
  "$createdAt": "2025-10-27T12:14:48.052+00:00",
  "$updatedAt": "2025-10-27T12:14:48.052+00:00",
  "$permissions": [
    "read(\"user:676ebcc50015b1257d4d\")"
  ],
  "functionId": "68fca905000adc9ea283",
  "deploymentId": "68ff620731fa17f48cc2",
  "trigger": "http",
  "status": "failed",
  "requestMethod": "POST",
  "requestPath": "\/",
  "requestHeaders": [
    {
      "name": "x-appwrite-client-ip",
      "value": "SOME_IP"
    }
  ],
  "responseStatusCode": 500,
  "responseBody": "{\"success\":false,\"error\":\"Failed to reject deal: The current user is not authorized to perform the requested action.\",\"type\":\"general_unknown\",\"correlationId\":\"req-mh93ohmk-ti4ncl\",\"processingTime\":762}",
  "responseHeaders": [
    {
      "name": "content-type",
      "value": "application\/json; charset=utf-8"
    },
    {
      "name": "content-length",
      "value": "202"
    },
    {
      "name": "date",
      "value": "Mon, 27 Oct 2025 12:14:48 GMT"
    },
    {
      "name": "connection",
      "value": "keep-alive"
    },
    {
      "name": "keep-alive",
      "value": "timeout=5"
    },
    {
      "name": "x-appwrite-execution-id",
      "value": "68ff6230419fee5e6221"
    }
  ],
  "logs": "",
  "errors": "",
  "duration": 2.9682960510254
}
I am not sure if document security on changes something here?
I don't think so, API key with documents.write should be able to createDocument no matter what.
How large is the source code for this function? Could you share it with me?
If you prefer not to, there is one more thing you can try. In Functions, go to create new function, and use Node's quick start.
This function should create execution and in execution logs say how many users your project has. If that works, you could update this starter to try and do some DB operations. Chances are here we can get a working solution, and then compare it with your function implementation
It's quite large, with many files, so I will give your suggestion a try. If the issue persists I will let you know so maybe we can search in the actual source code.
Also cc @Jake about id vs whole object behaviour, he is an expert when it comes to relationships.
@Jake FYI, it seems Server SDK createDocument results in 401 error when creating document in collection with relationship
Any simplified example you can provide to help try and reproduce? Tests cover this for all of client/server + object/ID so there must be something specific causing the issue
The issue was I had the whole relationship object passed in the payload when creating the record instead of just the $id of the related record in the attribute.
And it was causing 401.
Nothing related to perms in the end.
so like
{"$id": "ID", ...some attributes}
was passed as one of the relationship attributes on document creation payload
instead of just $id
if something is not clear enough lmk
Both ways should work, there should be no permissions enforced if using an API key
I see, then I am not sure, maybe my payload with the full object as relationship attribute was invalid and passing $id there resolved this.
But as I said, I was getting 401 with an invalid payload, not because of wrong permissions. I was using x-appwrite-key with correct scopes in function execution.