Permissions issue with custom roles and uploading images in Sanity.io

13 replies
Last updated: Nov 10, 2021
Hi, I'm running into a permissions issue while using the custom roles feature (doc here). Some help would be greatly appreciated, I'll leave more details within the thread.
AI Update

I'm here to help with your custom roles permissions issue! Custom roles in Sanity can be tricky, especially when dealing with GROQ filters and content resources.

Based on the custom roles documentation, here are some common issues and things to check:

Common Permission Issues:

  1. Dataset Privacy Settings - If you're using custom roles to restrict content visibility, make sure your dataset is set to private. Public datasets allow all documents to be readable regardless of authentication, which bypasses role-based restrictions entirely.

  2. Additive Nature of Roles - Roles in Sanity are additive, meaning if a user has multiple roles assigned, they get the combined permissions of all those roles. You can't "take away" permissions with another role. Check if the user has other roles that might be granting unexpected access.

  3. GROQ Filter Syntax - When defining content resources with GROQ filters, syntax errors can cause permissions to not work as expected. Make sure your filters are valid GROQ queries.

  4. Permission Level Hierarchy - The permission levels work like this:

    • No access (complete restriction)
    • Read (view-only)
    • Update and Create (create, read, edit)
    • Publish (full permissions including delete)

  5. API Token vs User Roles - If you're testing with API tokens, remember they need to have the custom role explicitly assigned to them.

Troubleshooting Steps:

  • Check the role configuration at sanity.io/manage under your project
  • Verify the GROQ filter in your content resource matches the documents you expect
  • Confirm dataset privacy settings align with your security requirements
  • Review all roles assigned to the affected user/token

Feel free to share more details in the thread about what specific permission behavior you're seeing versus what you expect! Things like whether it's too restrictive, too permissive, or behaving inconsistently would help narrow down the issue. Also helpful would be knowing if you're using the web interface at sanity.io/manage or the Roles API for configuration.

I created a custom role that has the following grant and gave myself this role and the Viewer role.
"grants":{
   "sanity.document.filter.mode":[
      {
         "id":"...",
         "name":null,
         "title":"event documents",
         "description":"event documents",
         "isCustom":true,
         "config":{
            "filter":"_type == \"event\""
         },
         "grants":[
            {
               "name":"mode",
               "params":{
                  "mode":"create",
                  "history":true
               }
            }
         ]
      }
   ]
}
This allowed me to view and create event documents. But I found that when trying to create an event document, I am unable to upload an image using the Sanity GUI through the image field.

This is the POST request the Sanity GUI makes when I try to upload, and the error response that gets returned from the Sanity API.

POST https://xcsyo6gw.api.sanity.io/v1/assets/images/staging?tag=sanity.studio.asset.upload&filename=hamilton-animals-to-follow-on-instagram-1568303880.jpeg
(this fails with 403 forbidden)

{
   "error":{
      "description":"the mutation(s) failed: Insufficient permissions; permission \"create\" required",
      "items":[
         {
            "error":{
               "description":"Insufficient permissions; permission \"create\" required",
               "permission":"create",
               "type":"insufficientPermissionsError"
            },
            "index":0
         }
      ],
      "type":"mutationError"
   }
}
Can you tell me what permission I'm missing in my custom role, and what grant I can add to my custom role to allow me to upload images/attachments? Thank you!
Hi user M, yes I am on an Enterprise plan!
Got it! So roles should be accessible to you then! What does the schema for this image look like?
The image field's schema looks like this:
{
      title: 'Cover Photo',
      name: 'coverPhoto',
      type: 'image',
      options: {
        hotspot: true,
      },
    },

(just butting in to say that we will have management ui for roles very very soon, where all this will be a lot easier)
Ah I see, this makes a lot of sense! Thank you Geoff for the detailed explanation, I will give this a try! For granting permission for regular file uploads that are not images, would the type be 'sanity.fileAsset' instead of 'sanity.imageAsset'?
Yes, that’s correct. 👍
Awesome! Thanks again! 😄
Alice, I was looking into this for someone else and noticed my project already had sanity-document-filter-images and sanity-document-filter-files permission resources that filter on those respective types, which should cut out a step when creating your grant (i.e., not needing to create those first).
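The failure in this thread, and the additive-roles point from the AI answer above, as an added example that is not Sanity's own code and not a real GROQ engine: a toy evaluator for the sanity.document.filter.mode grant shape posted earlier. It handles only the `_type == "..."`, `_type in [...]` and `||` subset of GROQ, which is enough to show why a role whose only filter is `_type == "event"` cannot create the sanity.imageAsset document that an image upload produces, and why adding a second filter resource on sanity.imageAsset / sanity.fileAsset (the ready-made sanity-document-filter-images and sanity-document-filter-files resources, or a custom filter) fixes it when the roles are combined. The mode ladder, the resource ids, the role names and the sample documents are assumptions of this example.

```javascript
// Added example, not Sanity's code and not a GROQ engine: a toy evaluator for
// the "sanity.document.filter.mode" grant shape posted in this thread. It
// understands only `_type == "x"`, `_type in ["a", "b"]` and `||` between such
// clauses, which is enough to reason about the 403 above.

// Assumption of this example: modes form a ladder, as the thread describes it,
// so a grant of "publish" also satisfies "create" and "read".
const MODE_LEVEL = { read: 1, update: 2, create: 2, publish: 3 };

// Parse the supported GROQ subset into a list of clauses, each a list of
// allowed _type values. Anything else is rejected loudly rather than guessed.
function parseTypeFilter(filter) {
  return filter.split('||').map((clause) => {
    const c = clause.trim();
    let m = c.match(/^_type\s*==\s*"([^"]+)"$/);
    if (m) return [m[1]];
    m = c.match(/^_type\s+in\s*\[([^\]]*)\]$/);
    if (m) return Array.from(m[1].matchAll(/"([^"]+)"/g), (x) => x[1]);
    throw new Error(`unsupported clause for this toy evaluator: ${c}`);
  });
}

function filterMatches(filter, doc) {
  return parseTypeFilter(filter).some((types) => types.includes(doc._type));
}

// Roles are additive: the action is allowed if ANY filter resource of ANY role
// matches the document and carries a mode at or above the one requested.
function isPermitted(roles, doc, wantedMode) {
  for (const role of roles) {
    const resources = role.grants['sanity.document.filter.mode'] || [];
    for (const resource of resources) {
      if (!filterMatches(resource.config.filter, doc)) continue;
      for (const g of resource.grants) {
        if (g.name === 'mode' && MODE_LEVEL[g.params.mode] >= MODE_LEVEL[wantedMode]) {
          return true;
        }
      }
    }
  }
  return false;
}

// Build a role in the shape from the thread (the id is made up for the example).
function filterRole(title, filter, mode) {
  return {
    grants: {
      'sanity.document.filter.mode': [
        {
          id: `example-${title}`,
          title,
          isCustom: true,
          config: { filter },
          grants: [{ name: 'mode', params: { mode, history: true } }],
        },
      ],
    },
  };
}

// The role from the original post: create on event documents only.
const eventRole = filterRole('event documents', '_type == "event"', 'create');
// The missing piece: create on the asset documents an upload produces.
const assetRole = filterRole(
  'asset documents',
  '_type in ["sanity.imageAsset", "sanity.fileAsset"]',
  'create',
);

// Constructed sample documents. An image upload via /assets/images creates a
// sanity.imageAsset document, which is what the 403 in the thread is about.
const eventDoc = { _id: 'drafts.example-event', _type: 'event', title: 'Launch' };
const imageDoc = { _id: 'image-example-800x600-jpg', _type: 'sanity.imageAsset' };
const fileDoc = { _id: 'file-example-pdf', _type: 'sanity.fileAsset' };

// Summarise what a given role set lets the Studio do during an event upload.
function uploadCheck(roles) {
  return {
    createEvent: isPermitted(roles, eventDoc, 'create'),
    createImageAsset: isPermitted(roles, imageDoc, 'create'),
    createFileAsset: isPermitted(roles, fileDoc, 'create'),
  };
}

console.log('event role only:', uploadCheck([eventRole]));
console.log('event + asset roles:', uploadCheck([eventRole, assetRole]));
```

With only the event role, `uploadCheck` reports createEvent true and createImageAsset false, which is the 403 the Studio surfaces as "permission \"create\" required"; adding the asset role flips both asset checks to true without touching the event filter. Note that a filter resource only widens what the role can do: nothing in the additive model lets a second role revoke something the first one granted.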
Hi Alice. The brand new Roles were just released (no upgrade required—you'll see them at sanity.io/manage). We would love if you could take it for a spin and let us know what you think. The docs have been updated as well to reflect the new functionality.