Fix guide · high · appwrite_collection_public_read
Appwrite collection readable without authentication
An Appwrite collection's documents endpoint returned 200 with documents when called without a session. The collection's read permission is set to any (or unset).
Why it matters
Appwrite's permission model is rich but permissive by default during prototyping. Devs often run --read=any to make development frictionless and forget to lock it down before launch. Once the collection is public-readable, every document in it is enumerable by anyone with the project ID — which is in your client bundle.
How to fix it
- Restrict the collection's read permission. Console → Databases → your-collection → Settings → Permissions:
  - Replace `any` with `users` for "any logged-in user", OR
  - Use `team:<id>` for team-scoped data, OR
  - Remove collection-level read entirely and rely on per-document permissions.
- For per-document permissions, set them at create time:
```ts
import { ID, Permission, Role } from 'node-appwrite';

// Grant read/update/delete only to the document's owner; no collection-level grant is needed.
await databases.createDocument('default', 'messages', ID.unique(), data, [
  Permission.read(Role.user(user.$id)),
  Permission.update(Role.user(user.$id)),
  Permission.delete(Role.user(user.$id)),
]);
```
- Back-fill permissions on existing documents with a migration script — the collection-level lockdown only affects new behaviour; existing docs retain their original permissions.
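An added example of such a back-fill script (it is not part of this guide or of Appwrite's own tooling) that serves both the per-document permission step and the migration step above. It assumes the owner's user ID is stored in a document attribute, here called `userId`, and the permission strings it writes are the same ones `Permission.read(Role.user(id))` and friends produce. `DatabasesLike` and `QueryLike` are assumed names that mirror the subset of node-appwrite's `Databases` and `Query` the script touches, so a real run passes `new Databases(client)` and `Query` from `node-appwrite`; the in-memory fake and the sample documents are constructed so the script can be exercised offline.

```typescript
// Added example, not from the page or Appwrite: back-fill owner-only permissions on
// documents that were created while the collection was readable by `any`.
// `DatabasesLike`/`QueryLike` mirror the subset of node-appwrite's `Databases` and
// `Query` this script needs, so a real run passes `new Databases(client)` and `Query`;
// the in-memory fake at the bottom is a constructed stand-in for offline testing.

type Doc = { $id: string; $permissions: string[]; [attr: string]: unknown };
type DocList = { total: number; documents: Doc[] };

interface DatabasesLike {
  listDocuments(databaseId: string, collectionId: string, queries?: string[]): Promise<DocList>;
  updateDocument(databaseId: string, collectionId: string, documentId: string,
                 data?: object, permissions?: string[]): Promise<Doc>;
}
interface QueryLike {
  limit(n: number): string;
  cursorAfter(documentId: string): string;
}

// The permission strings node-appwrite builds with Permission.read(Role.user(id)) etc.
export function ownerPermissions(userId: string): string[] {
  return [`read("user:${userId}")`, `update("user:${userId}")`, `delete("user:${userId}")`];
}

function sameSet(a: string[], b: string[]): boolean {
  return a.length === b.length && a.every((p) => b.includes(p));
}

// Walks the collection with cursor pagination and rewrites each document's permission
// list to owner-only, taking the owner from the attribute named by `ownerAttribute`
// (assumed to be "userId" here). Documents without a usable owner are reported, not guessed at.
export async function backfillOwnerPermissions(
  db: DatabasesLike, query: QueryLike, databaseId: string, collectionId: string,
  ownerAttribute: string, pageSize = 100,
): Promise<{ updated: string[]; alreadyLocked: string[]; noOwner: string[] }> {
  const updated: string[] = [];
  const alreadyLocked: string[] = [];
  const noOwner: string[] = [];
  let cursor: string | undefined;
  for (;;) {
    const queries = [query.limit(pageSize)];
    if (cursor !== undefined) queries.push(query.cursorAfter(cursor));
    const page = await db.listDocuments(databaseId, collectionId, queries);
    for (const doc of page.documents) {
      const owner = doc[ownerAttribute];
      if (typeof owner !== 'string' || owner === '') { noOwner.push(doc.$id); continue; }
      const desired = ownerPermissions(owner);
      if (sameSet(doc.$permissions, desired)) { alreadyLocked.push(doc.$id); continue; }
      // Replaces the whole list, so stale read("any") / read("users") grants are dropped.
      await db.updateDocument(databaseId, collectionId, doc.$id, {}, desired);
      updated.push(doc.$id);
    }
    if (page.documents.length < pageSize) break;
    cursor = page.documents[page.documents.length - 1].$id;
  }
  return { updated, alreadyLocked, noOwner };
}

// ---- constructed in-memory stand-in so the script can be exercised offline ----
export const fakeQuery: QueryLike = {
  limit: (n) => `limit:${n}`,
  cursorAfter: (id) => `cursorAfter:${id}`,
};

export function makeFakeDatabases(seed: Doc[]): DatabasesLike & { docs: Doc[] } {
  const docs: Doc[] = seed.map((d) => ({ ...d, $permissions: [...d.$permissions] }));
  return {
    docs,
    async listDocuments(_db: string, _coll: string, queries: string[] = []): Promise<DocList> {
      let limit = docs.length;
      let start = 0;
      for (const q of queries) {
        const [kind, value] = q.split(':');
        if (kind === 'limit') limit = Number(value);
        if (kind === 'cursorAfter') start = docs.findIndex((d) => d.$id === value) + 1;
      }
      return { total: docs.length, documents: docs.slice(start, start + limit) };
    },
    async updateDocument(_db: string, _coll: string, id: string, _data?: object, permissions?: string[]): Promise<Doc> {
      const doc = docs.find((d) => d.$id === id);
      if (!doc) throw new Error(`no document ${id}`);
      if (permissions) doc.$permissions = permissions;
      return doc;
    },
  };
}

// Constructed sample: three messages left over from a public-read prototype.
export const sampleDocs: Doc[] = [
  { $id: 'm1', $permissions: ['read("any")'], userId: 'u1', body: 'hi' },
  { $id: 'm2', $permissions: ownerPermissions('u2'), userId: 'u2', body: 'already locked' },
  { $id: 'm3', $permissions: ['read("users")'], userId: '', body: 'orphan' },
];

// Page size 2 forces a second page, so the cursor handling is exercised as well.
export async function runDemo() {
  const db = makeFakeDatabases(sampleDocs);
  const result = await backfillOwnerPermissions(db, fakeQuery, 'default', 'messages', 'userId', 2);
  return { result, docs: db.docs };
}
```

Run it against the real SDK with an API key that has `documents.write` scope and review the `noOwner` list by hand: those documents have no owner to fall back to, and leaving them on their old grants is the visible signal that they need a decision rather than a silent guess.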
Full guide: /blog/appwrite-security.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.