Description
👟 Reproduction steps
Hello,
I have collections A and B. Both have document security enabled.
A has a one-to-many relationship attribute with B.
X is a document in A, the user has update rights.
Z is a document in B, the user has update rights.
Z is inside of X.
When updating a field of X, the user gets a 401. Here are the logs of the appwrite container:
[Error] Method: PATCH
[Error] URL: /v1/databases/:databaseId/collections/:collectionId/documents/:documentId
[Error] Type: Appwrite\Extend\Exception
[Error] Message: The current user is not authorized to perform the requested action.
[Error] File: /usr/src/code/app/controllers/api/databases.php
[Error] Line: 3295
The error is thrown in this block code:
appwrite/app/controllers/api/databases.php
Line 3295 in 9fafd39
This block is check for !$documentSecurity, and both collection has documentSecurity enabled, so it might be an error done while computing this variable.
Here is a Discord post discussing the issue: https://ptb.discord.com/channels/564160730845151244/1125081645322604554
👍 Expected behavior
The user should be able to update its document.
👎 Actual Behavior
The user cannot update the document where he has the rights to.
🎲 Appwrite version
Version 1.3.x
💻 Operating system
Linux
🧱 Your Environment
Self-deployed 1.3.7.
👀 Have you spent some time to check if this issue has been raised before?
- I checked and didn't find similar issue
🏢 Have you read the Code of Conduct?
- I have read the Code of Conduct