#Ghost permissions after uploading a file

Hello. I'd like to bring up some behavior of Appwrite that I can't explain. My configuration is as follows:

- Bucket: Uploads, permissions: only Users.create, file security: off```

I have a function that is triggered by `buckets.*.files.*.create.` Here is a dump of the request from the server:

```{"bodyRaw":"{\"$id\":\"65db4520453e21a2cbb6\",\"bucketId\":\"64b131922f6e02d64f37\",\"$createdAt\":\"2024-02-25T14:56:32.534+00:00\",\"$updatedAt\":\"2024-02-25T14:56:32.534+00:00\",\"$permissions\":[\"read(\\\"user:65db382d6cd458a3207e\\\")\",\"update(\\\"user:65db382d6cd458a3207e\\\")\",\"delete(\\\"user:65db382d6cd458a3207e\\\")\"],```

As you see there's a permission array that says that the user can read, update and delete the file they uploaded. My question is: How did these permissions get there? 🤔 The team in which the user is in does not have permissions to update or delete documents within the Uploads bucket, only to create files.

Also, these read, update and delete permissions the user have aren't visible anywhere from within the Appwrite console. It's a mystery to me how these permissions get there. 🤔

It is added by default by the SDK

Thanks. 😊 I find that a bit concerning. Why would it add these permissions on its own? Any idea why they aren't visible from the GUI?

I mean, the behavior I expect is that the file inherits the permissions from the bucket it was uploaded to.

I wonder if these permissions in the request dump are actually effective, I yet have to test that.

They become visible once you enable File Security in the bucket settings then check the permission of individual files in the bucket

Here's what the docs have to say about default permissions
https://appwrite.io/docs/advanced/platform/permissions#default-values

From the docs I think it'll be effective but as you said I haven't also tested that out. I think your best approach to absolutely make sure the user (uploader/creator) isn't granted full CRUD permissions is to probably modify the permissions after upload with a function (maybe not the best solution but that's what I can think of now)

Thanks for this. I'm going to test this right now and I'll report back.

Yes, I can confirm that this is correct. 👍🏻 These permissions are visible when I enable file security.

It turned out that these permissions are ineffective when file security is off. When I try to delete that file I get "AppwriteException: user_unauthorized, The current user is not authorized to perform the requested action. (401)". That is good.

I don't get why Appwrite adds these permissions by default for uploads though. 🤔 I don't think it does that when a document is created.

Either way, I'm happy that these permissions do not do any harm when file security is turned off. 😊 I still might remove them by using a function, just to be sure.

Well well you learn something everyday. Now that I think a bit more and reflect on previous experiments I've done with permissions, of course it wouldn't work with Document or File Security off!

It does, but you'd have to enable Document security to see those permissions but you'd see them when retrieved with server SDKs