🐛 Bug Report: Nested update, permission issue

[Heargo]

👟 Reproduction steps

SETUP
I have a collection Player that is related to the collection playerAttributes and playerAttributes is related to the collection Attributes:
Player -> playerAttributes -> Attributes.

The user A create multiples documents in Attributes. He has all permission on these documents.
The user B create a player and has all permission for the player and playerAttributes documents created.
However, the playerAttributes documents are linked to already created documents in Attributes and the user B only has read permission for the Attributes collection.

👍 Expected behavior

The user B should be able to update the player name as he has update permissions on the Player collection.

👎 Actual Behavior

When the user B want to update the player name he get the following error :

{"message":"The current user is not authorized to perform the requested action.","code":401,"type":"user_unauthorized","version":"1.3.1"}

This is because he doesn't have update permissions in the Attributes collection.

🎲 Appwrite version

Version 1.3.x

💻 Operating system

Linux

🧱 Your Environment

I used appwrite web SDK

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[stnguyen90]

@Heargo thanks for creating this issue! 🙏🏼 I think this is happening because we're checking permissions using everything in the document:

appwrite/app/controllers/api/databases.php

Line 3290 in 62bdc77

$data = \array_merge($document->getArrayCopy(), $data);

Rather than just wan'ts passed in. I'm thinking we can solve this issue if I move that to after the the permission check.

[fanatic75]

This has been solved in 1.4
@Heargo if you find it still a problem, you can re-open. Closing this for now.