Roles and Permissions

shwackd · May 14, 2021, 6:30pm

System Information

**Strapi Version3.6.2:
**Operating SystemWindows 10:
**Databasesqlite:
**Node Version14.16.1:
**NPM Version6.14.12:
Yarn Version:

Hello everyone, I am following along with the authentication and authorization tutorial at User Roles and Permissions in Strapi for the Admin Panel and I am seeing different results. For example, I create two users with the role of Author. I upload a .png with Author 1, and Author 2 can see the media in the Media Library, edit its details, and also delete it. When I check the settings for what an author can do, they should only be able to update or delete something if they are the creator. I have created a brand new test Strapi project and the results are the same. Can somebody please help me?

KaioViana · June 30, 2021, 7:46pm

help!

maxmastalerz · January 6, 2022, 6:06am

I had an issue like this and fixed it by upgrading to 3.6.5 or higher. Looks to be related to:

github.com/strapi/strapi

Fix RBAC upload permissions

strapi:master ← strapi:fix/rbac-broken-upload-checks

opened 09:41AM - 15 Jun 21 UTC

Convly

+5 -4

### What does it do? Fix an issue where setting permissions with conditions o…n the assets for the upload plugin can break the permissions checks. In a [previous PR](https://github.com/strapi/strapi/pull/10370/files#diff-ce5847e2721e68f1c2682b5812248461031c101c4bf74ed7abcbd6a8cd5b47d1R194), the auto-populate for the fetch has been removed, which caused the `created_by` attribute to be raw instead of populated, hence causing an issue when fetching the associated role. As a fix, we simply use the raw identifier (from the `created_by` field) instead of trying to access the `id` property inside. Another idea would've been to fetch directly the whole user based on the `created_by` id, but it would mean fetching also unwanted properties for the user, such as password & co. ### Why is it needed? Upload plugin's assets permissions are not working as they should. ### How to test it? See: https://github.com/strapi/strapi/issues/10452 ("_Steps to reproduce this issue_") ### Related issue(s)/PR(s) introduced by #10370 fix #10452

ptas · February 14, 2023, 2:23pm

I’m experiencing the same thing in 4.6.0. When I enable “Access the Media Library” AND “Update (crop, details, replace) + delete” to users that “is creator” - the Author can only see their own uploaded media. That is correct.

However, when I enable full access to “Access the Media Library”, but keep “Update + delete” as “is creator”, all authors can see and update/delete every media entry. I thought it would let the author see everything in the Media Library, but only let them update/delete their own uploads…

Any ideas on how to achieve this?