Button click can do actions user does not have permissions to do... I think

A button that sets a relation, where the user does not have any access to that relating database. The user is able to click and set that relation, since they have edit access to the source entity. Not sure if this is a bug, but it’s a bit weird as they then added an entity that shows as “Private entity”.

Without the button click the user would not be able to add that relation because they do not see it exists in the dropdown.

Can you provide some details of what the button is doing and what access the button presser has?
In theory, a button executes with the privileges of the user who pressed it, so they shouldn’t be able to do something with a button that they couldn’t do otherwise.

Yeah.

I give a guest edit access to Project, but no access to relationship: Status.

On the project there is a button for “Mark project as done”, changing the status of the project to done (an entity the guest has no access to).

When the guest clicks, it sets the project to done because they have editing privileges. But it’s updating it with an entity they don’t have access to.

This goes hand in hand with the issue that they can unlink entities they don’t have any access to. I think it makes more sense to be able to edit (add or remove) relationships if there is edit access on both ends. By editing it here, you’re also editing the linked entity (since relationships are two way), but you shouldn’t have access to any editing there. But maybe this is by design.

Let me know if this makes sense!

Video:

I don’t get it. Fibery doesn’t manage access to relationships. Do you mean that Status is a db to which they don’t have any access?

Also, how does the button action look?

I mean that they do not have access to the related database, yes, sorry.

The button action: