I have the following models created when for example I uncheck the method find for path /api/categories under public role I still get the categories instead of restricting and return with 403 error.
@TreciaKS Actually sorry I forgot to mention that I modified the authenticate strategy this the modification made inside strapi-server.js for users-permissions plugin, I managed to find the issue causing that but I found a bug on the last return line where public permissions returned when setting authenticated to false I get a correct restriction depending on paths selected from admin UI but I lose functionality of populate with some relations or fields and when setting authenticated to true I get the populate to show all relations I sent in URL for populate but permission and restriction not working properly as selected in admin UI:
For anyone else experiencing this problem, it was confirmed to be a human error.
Here’s what happened:
We’re using the Config Sync plugin to synchronize changes between local, staging, and live instances.
The issue arose because the editor role permissions weren’t set correctly on my local environment.
When making non-permission-related changes and exporting files with Config Sync, the incorrect permissions from my local environment were inadvertently overwriting the correct permissions on the target instances.
Lessons Learned:
Double-check editor role permissions on local environments before syncing to avoid unintended overwrites.
This experience highlights the importance of meticulous configuration management, especially when working with synchronization tools.