From 0c425dbac3e06c9f8e67132d96ee8d4e83a289c1 Mon Sep 17 00:00:00 2001
From: Damodar Lohani <dlohani48@gmail.com>
Date: Sun, 28 Dec 2025 01:48:23 +0000
Subject: [PATCH] Fix: assign user permission to files/documents only if not a
 previleged user

---
 app/controllers/api/storage.php                               | 4 ++--
 .../Databases/Http/Databases/Collections/Documents/Create.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index e6f4394e25..ec4cc25ea3 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -461,7 +461,7 @@ App::post('/v1/storage/buckets/:bucketId/files')
         // Add permissions for current the user if none were provided.
         if (\is_null($permissions)) {
             $permissions = [];
-            if (!empty($user->getId())) {
+            if (!empty($user->getId()) && !$isPrivilegedUser) {
                 foreach ($allowedPermissions as $permission) {
                     $permissions[] = (new Permission($permission, 'user', $user->getId()))->toString();
                 }
@@ -470,7 +470,7 @@ App::post('/v1/storage/buckets/:bucketId/files')
 
         // Users can only manage their own roles, API keys and Admin users can manage any
         $roles = Authorization::getRoles();
-        if (!User::isApp($roles) && !User::isPrivileged($roles)) {
+        if (!$isAPIKey && !$isPrivilegedUser) {
             foreach (Database::PERMISSIONS as $type) {
                 foreach ($permissions as $permission) {
                     $permission = Permission::parse($permission);
diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
index 7c3a06ab30..6ec06f5c8a 100644
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
@@ -227,7 +227,7 @@ class Create extends Action
             // Add permissions for current the user if none were provided.
             if (\is_null($permissions)) {
                 $permissions = [];
-                if (!empty($user->getId())) {
+                if (!empty($user->getId()) && !$isPrivilegedUser) {
                     foreach ($allowedPermissions as $permission) {
                         $permissions[] = (new Permission($permission, 'user', $user->getId()))->toString();
                     }