## Permission Levels

Each collection has independent read/write rules configured from your site settings:

| Level | Read | Write | Use case |
|---|---|---|---|
| Public | Yes | No | Blog posts, catalog |
| Authenticated | Yes | Yes | User profiles, comments |
| Admin | Yes | Yes | Settings, analytics |

## Setting Permissions

Go to your site → Access Control → Dataset Permissions to configure each collection.

## Guarding writes in Lua

Always validate on the server, even when dataset permissions are already configured. The permission level decides who may reach the endpoint; the handler still has to check that the caller is who it expects and that the payload is well-formed:

```lua
app:post("/api/comments", function(ctx)
  -- Authentication: reject anonymous callers before touching any data.
  if not env.is_user then
    return ctx:error("Login required", 401)
  end

  -- Input validation: only the two declared fields are accepted, and both
  -- are type- and length-checked. Anything else in the body is ignored.
  local v = validator(req.post, {
    post_id = "required|number",
    content = "required|string|min:2|max:2000"
  })
  if v:fails() then
    return ctx:error(v:first(), 422)
  end

  -- Build the record from the validated values, never from the raw body,
  -- so a client cannot smuggle in extra columns.
  api.dataset.create("comments", {
    post_id = v:valid().post_id,
    content = v:valid().content,
    created_at = os.date()
  })
  return ctx:status(201):json({ status = "created" })
end)
```
## Role-based deletion

A collection-wide "Authenticated" write rule lets every logged-in user reach the endpoint, so record-level ownership has to be enforced in the handler:

```lua
app:delete("/api/posts/:id", function(ctx)
  if not env.is_user then
    return ctx:error("Login required", 401)
  end

  -- Load the record first so the ownership check runs against stored data,
  -- not against anything the client sent.
  local post = api.dataset.get(tonumber(ctx.params.id))
  if not post then
    return ctx:error("Not found", 404)
  end

  -- Only the author or an admin can delete.
  local me = api.users.me()
  if post.data.author_id ~= me.id and not env.is_admin then
    return ctx:error("Forbidden", 403)
  end

  api.dataset.delete(post.id)
  return { status = "deleted" }
end)
```
Tip: Dataset permissions are configured per collection in Access Control settings. Lua-side checks add defense in depth: if a collection is ever misconfigured, the handler still refuses the request.
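The permission table and the owner-or-admin rule above can be kept in one pure-Lua helper and exercised with plain `lua` before being wired into handlers. This is an added example, not code from the page or the platform; it assumes the collection-to-level map is maintained by hand to mirror Access Control → Dataset Permissions, and it reads a level as the minimum role a caller needs.

```lua
-- Added example (not the platform's own code): pure-Lua authorization helpers
-- mirroring the permission table and the owner-or-admin deletion rule.
-- ASSUMPTION: COLLECTIONS is maintained by hand to match Dataset Permissions.
local RANK = { anonymous = 0, user = 1, admin = 2 }

-- One row per level: minimum role to read/write, or false if never allowed.
local LEVELS = {
  public        = { read = "anonymous", write = false },
  authenticated = { read = "user",      write = "user" },
  admin         = { read = "admin",     write = "admin" },
}

-- Constructed mapping; in a real site this follows your Access Control settings.
local COLLECTIONS = { posts = "public", comments = "authenticated", settings = "admin" }

-- Derive the caller's role from the same flags the handlers use.
local function role_of(env)
  if env.is_admin then return "admin" end
  if env.is_user then return "user" end
  return "anonymous"
end

-- Returns true, or false plus the HTTP status the handler should send.
local function can(env, collection, action)
  local level = LEVELS[COLLECTIONS[collection] or "admin"]  -- unknown collections fail closed
  local needed = level[action]
  if needed == false then return false, 403 end
  local have = RANK[role_of(env)]
  if have < RANK[needed] then
    return false, (have == 0) and 401 or 403
  end
  return true
end

-- Record-level rule from the deletion handler: author or admin only.
local function owns_or_admin(env, record, me)
  return env.is_admin or (record.data.author_id == me.id)
end

-- Constructed checks, no platform calls needed: run with `lua authz.lua`.
local anon, user, admin = {}, { is_user = true }, { is_user = true, is_admin = true }
assert(can(anon, "posts", "read"))
assert(select(2, can(anon, "comments", "write")) == 401)  -- not logged in
assert(select(2, can(user, "posts", "write")) == 403)     -- public is read-only
assert(select(2, can(user, "settings", "read")) == 403)   -- admin only
assert(can(admin, "settings", "write"))
assert(select(2, can(user, "unknown", "read")) == 403)    -- fail closed
local post = { data = { author_id = 7 } }
assert(owns_or_admin(user, post, { id = 7 }) and not owns_or_admin(user, post, { id = 8 }))
assert(owns_or_admin(admin, post, { id = 8 }))
print("authz checks passed")
```

The returned status codes match the handlers above (401 before login, 403 for an authenticated caller who lacks the role), so a handler can forward them straight to `ctx:error`.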