Create permissions disallowing reads on User type




  - operation: "*"

I can now query all Users publicly, this is expected.



  - operation: User.create
    authenticated: true

I cannot create Users unless authenticated (expected behavior), but can no longer query Users publicly – why is this?

Still learning the framework, but I expected the permissions configuration to apply only to the specific action in “operation”.


Because as soon as you remove the “*” permission, you need to explicitly specify every permission. You have only specified User.create, so that’s the only operation that is allowed now. You need to add: - operation:


Thanks @agartha! - after some experimentation I came to this conclusion as well.
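
The deny-by-default behaviour described in the answer above, as an added example that is not part of the original thread and is not the framework's own code. It is a simplified model: the function names, the `User.read`, `User.update` and `User.delete` operation names, and the rule sets (written as Python dicts mirroring the YAML) are assumptions made for illustration.

```python
# Simplified model of allowlist permission evaluation as described in the
# thread. Not the framework's implementation; all names here are hypothetical.

# Assumption: operations are named "<Type>.<action>" with these four actions.
CRUD = ("read", "create", "update", "delete")

def rule_matches(rule, operation, authenticated):
    """A rule grants access if it names the operation (or "*") and its
    'authenticated' requirement, if any, is met by the caller."""
    if rule["operation"] not in ("*", operation):
        return False
    return authenticated or not rule.get("authenticated", False)

def is_allowed(rules, operation, authenticated):
    # Deny by default: access needs at least one matching rule.
    return any(rule_matches(r, operation, authenticated) for r in rules)

def access_matrix(rules, type_name):
    """Classify each operation on a type as public, authenticated or denied."""
    matrix = {}
    for action in CRUD:
        op = f"{type_name}.{action}"
        if is_allowed(rules, op, authenticated=False):
            matrix[op] = "public"
        elif is_allowed(rules, op, authenticated=True):
            matrix[op] = "authenticated"
        else:
            matrix[op] = "denied"
    return matrix

# Constructed rule sets: the two configurations from the question, then one
# that restores public reads while keeping creation behind authentication.
WILDCARD_ONLY = [{"operation": "*"}]
CREATE_ONLY = [{"operation": "User.create", "authenticated": True}]
READ_AND_CREATE = [{"operation": "User.read"}] + CREATE_ONLY

if __name__ == "__main__":
    for name, rules in [("wildcard only", WILDCARD_ONLY),
                        ("create only", CREATE_ONLY),
                        ("read + create", READ_AND_CREATE)]:
        print(name, access_matrix(rules, "User"))
```

Running the same matrix over a configuration before deploying it shows both kinds of mistake: operations left public by a leftover wildcard rule, and operations that became denied once the wildcard was removed.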