I have a custom Item class. I have set my CLP permissions for this class to disable both general public access and general authenticated access, but it does allow user field pointer access:
My Item object ACL is set to allow Read/Write access for my user zFruc41tmW only. Public Read/Write ACL access is disabled for this object.
As I understand it, these CLP settings should make an Item object accessible only by the user who is set in the user pointer field for that specific Item object:
My user is authenticated and I am passing their session token as a header together with the graphql query in my client:
query {
  item(id: "gKTdECrXci") {
    id
    title
  }
}
I’m finding this query doesn’t work and throws an error:
"message": "Permission denied for action get on class Item."
If I allow Public Read access or Authenticated Read access in my Item class CLPs, it works, but I’d like to avoid opening my security that far. What am I missing or doing wrong here? Thanks.