#[SOLVED] Collection vs Document Permissions

I'm trying to get an understanding of the permissions system and can't seem to wrap my head around it.

Based on the documentation its states that "permissions set at the collection level will override all document level permissions", this makes sense. However, what if I don't set any permissions at the collection level and only want to set permissions per document? When I try to add an item to a collection I get a permission denied even after I try to set the permissions in the post request like so:

const payload = {user_id:user.$id, body:postBody}
        
const permissions = [
         Permission.read(Role.user(user.$id)), Permission.write(Role.user(user.$id)),
     ]

        const response = await databases.createDocument(DATABASE_ID, POSTS_COLLECTION_ID, ID.unique(), payload, permissions);     

Do I have the right idea here? What am I Missing?

Seems like there is no point in setting permissions at the document level if it's gonna get denied anyways

I have tried this with document security enabled and I get the same issue.

and what operation your performing

Trying to create a document that I later have read and write access to

have you given create access

??

have you given create access

and create access can only be granted at the collection level

the permission on document or collection mostly matters when it comes to the other permissions. for example, if you grant read("any") at the collection level, everyone can read every docment. if you grant read("any") at the document level only, everyone can read only that document.

Ok this makes more sense. I'm getting the desired results now and will keep testing. I didnt realize that read access can only be granted at the collection level, that's what confused me.

I didnt realize that read access can only be granted at the collection level

You mean create?

Thank you both for the reply!

Sorry, *create haha

dont confused its too easy once you use too.

If you all can help answer one more question I'd appreciat the help. So I gave all users Create access at the collection level and am able to set write and read permissions at the document level, however, I am also trying to give all admins (under the super_admin team) permission to read and delete a document on creation and am getting a user_unauthorized error when trying to add these two permissions. Here are the two extra items I added to the permissions array:

const permissions = [
  Permission.read(Role.user(user.$id)),
  Permission.write(Role.user(user.$id)),
            
  Permission.delete(Role.team("super_admin")),
  Permission.read(Role.team("super_admin"))
]

I tried this by adding the team ID as well and get the same issue

Collection vs Document Permissions

A user cannot assign a role they don't have.

Should this super_admin team be able to read and delete all documents in this collection?

Yes, super admin should be able to delete. I want to create a document as an owner of that document but also want to give a super_admin the ability to read and delete that document, in the same way a twitter admin can take down a post if it violates terms.

In this case the user should have full read and write permissions, therfore should have the ability to also grant these permissions if needed, right?

then you should add the super_admin at the collection level

Yea, that's makes sense actually. What through me off was this part in the docs where it's shows an example teams being givin permissons at the document level: https://appwrite.io/docs/permissions#example-1

ya, you can do that too. the user must be in those teams, though

Ok ok makes sense! Thank you Steven!