Avoid having to give user update permissions to create a record with a smart relation

Feature(s) impacted

Smart relations

Observed behavior

Creating a new record with a smart relationship makes a POST call to the record and then a PUT call to the relationship collection. This means that the user making creating the record has to have create and update permissions in order to do this otherwise you get a Forbidden error thrown.

There are use cases where we don’t want to give a role update permissions but still be able to create records which. Conceptually, it doesn’t really make sense to give a role update permissions in order to create records.

Expected behavior

I want to to be able to create a record with a smart relation without needing update permissions.

Context

  • Project name: Emma
  • Team name: Emma
  • Environment name: Any
  • Agent technology: nodejs,
  • Agent (forest package) name & version: @forestadmin/agent: 1.51.0
  • Database type: MySQL

Hello @Aman_Ahlwat

This is the expected behaviour, creating a record does only require the Create permission however if your newly created record is associated with another collection that holds the relationship key, the Update permission would be required to reflect the new relation.

If granting the Update permission is something you really wish to avoid, you can make use of either:

  • override hooks to handle the creation with the association or ignore unnecessary update call
  • action to create the record with the relationship or simply linking the relationship after creating the record via the create form

In any case, I will forward your feedback to the team as a feature request.

Best regards,