Create permissions disallowing reads on User type


#1

Before:

permissions:
  - operation: "*"

I can now query all Users publicly, this is expected.

After:

permissions:
  - operation: User.create
    authenticated: true

I cannot create Users unless authenticated (expected behavior), but can no longer query Users publicly – why is this?

Still learning the framework, but I expected the permissions configuration to apply only to the specific action in “operation”.


#2

Because as soon as you remove the “*” permission, you need to explicitly specify every permission. You have only specified User.create, so that’s the only operation that is allowed now. You need to add: - operation: User.read.
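
The allow-list behaviour described in this answer, modelled as an added example that is not part of the original thread and is not the framework's own code. The function names, the dict layout and the `User.delete` operation name are assumptions used for illustration; the three configurations are the ones discussed above.

```python
# Added illustration: a minimal model of allow-list permission evaluation.
# NOT the framework's implementation. is_allowed() and access_matrix() are
# hypothetical helpers; the rule keys mirror the ones shown in the thread.

def is_allowed(permissions, operation, authenticated):
    """Return True if any rule grants `operation` to this caller.

    Default deny: an operation that no rule matches is rejected.
    """
    for rule in permissions:
        # A rule applies to its named operation, or to everything if "*".
        if rule["operation"] not in ("*", operation):
            continue
        # A rule with authenticated: true only matches logged-in callers.
        if rule.get("authenticated", False) and not authenticated:
            continue
        return True
    return False


# The configurations from the thread, as constructed sample data.
BEFORE = [{"operation": "*"}]
AFTER = [{"operation": "User.create", "authenticated": True}]
FIXED = AFTER + [{"operation": "User.read"}]

# "User.delete" is an assumed operation name standing in for "anything
# that was never listed", to show it stays denied without the wildcard.
OPERATIONS = ("User.read", "User.create", "User.delete")


def access_matrix(permissions):
    """Effective access for every (operation, authenticated) pair."""
    return {
        (op, auth): is_allowed(permissions, op, auth)
        for op in OPERATIONS
        for auth in (False, True)
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("fixed", FIXED)):
        print(name)
        for (op, auth), ok in access_matrix(cfg).items():
            who = "authenticated" if auth else "anonymous"
            print(f"  {op:12} {who:13} {'allow' if ok else 'deny'}")
```

In this model the "fixed" configuration restores anonymous reads of User while every operation that is not listed stays denied for all callers.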


#3

Thanks @agartha! - after some experimentation I came to this conclusion as well.