Skip to main content

Permissions Setup

Understanding Permissions

Appwrite uses role-based permissions:
RoleDescription
AnyAnyone (including unauthenticated users)
UsersAny authenticated user
GuestsUnauthenticated users only
User:IDSpecific user by ID

Collection Permissions

Public Content (Read-Only)

For collections that visitors can view but only admins can edit: Collections: blogs, projects, products, blog_categories, project_categories, shop_categories, header_section, about_me, menubar_settings
PermissionRole
ReadAny
CreateUsers
UpdateUsers
DeleteUsers

Private Content

For collections with sensitive data: Collections: orders, shortlink_analytics
PermissionRole
ReadUsers
CreateUsers
UpdateUsers
DeleteUsers

Admin-Only Content

Collections: shortlinks, shortlink_domains, custom_fonts
PermissionRole
ReadAny
CreateUsers
UpdateUsers
DeleteUsers

Setting Permissions in Console

1

Open Collection

Go to Databasesportfolio_db → Select collection
2

Go to Settings

Click the Settings tab
3

Configure Permissions

Under Permissions, click Add Role and set:
  • Select role (Any, Users, etc.)
  • Check permissions (Read, Create, Update, Delete)
4

Save

Click Update to save changes

Storage Bucket Permissions

Public Buckets (Images)

For image buckets that need public viewing:
PermissionRole
ReadAny
CreateUsers
UpdateUsers
DeleteUsers

Private Buckets

For order-files bucket:
PermissionRole
ReadUsers
CreateUsers
UpdateUsers
DeleteUsers

Document-Level Security

For orders, you may want document-level security so users can only see their own orders:
  1. Enable Document Security in collection settings
  2. When creating an order, set permissions:
await databases.createDocument(
  'portfolio_db',
  'orders',
  ID.unique(),
  orderData,
  [
    Permission.read(Role.user(userId)),
    Permission.update(Role.user(userId))
  ]
);

Platform Configuration

Don’t forget to add your domains to SettingsPlatforms:
PlatformHostname
Weblocalhost
Webyour-domain.vercel.app
Webyourdomain.com
Without platform configuration, your frontend cannot communicate with Appwrite (CORS errors).