palixir · coratgerl · May 10, 2026 · May 10, 2026
diff --git a/packages/wabe-documentation/docs/documentation/security/index.md b/packages/wabe-documentation/docs/documentation/security/index.md
@@ -138,6 +138,21 @@ await run();
 
 If your use is more specific, you can create your own `hook` to set the acl on the class.
 
+### Important ACL default behavior
+
+By default, objects with `acl: null` are considered shared:
+
+- authenticated users can access them when CLP allows the operation;
+- anonymous users can access them only when CLP allows anonymous access and ACL remains `null`.
+
+If your expected model is owner-only access, you should always set ACL at creation time (for example with `permissions.acl` and `hookObject.addACL("users", ...)`), and clear role ACLs when needed.
+
+To migrate an existing class safely:
+
+1. Add a create hook (`permissions.acl`) that sets per-user ACL on every new object.
+2. Backfill existing rows where `acl` is `null`.
+3. Keep CLP as a class gate, and rely on ACL for per-object isolation.
+
 Here is an example of a `hook` that can be created to set acl on the class `Company` before creation.
 
 ```ts

diff --git a/packages/wabe/src/database/DatabaseController.ts b/packages/wabe/src/database/DatabaseController.ts
@@ -1,6 +1,7 @@
 import { selectFieldsWithoutPrivateFields } from 'src/utils/helper'
 import type { WabeTypes } from '../..'
 import { initializeHook, OperationType } from '../hooks'
+import { _checkCLP } from '../hooks/permissions'
 import type { SchemaInterface } from '../schema'
 import type { WabeContext } from '../server/interface'
 import { isUnsafeObjectKey } from '../utils/objectKeys'
@@ -91,6 +92,27 @@ export class DatabaseController<T extends WabeTypes> {
 		return realClass?.fields[fieldName] as { type: string; class?: string } | undefined
 	}
 
+	/**
+	 * _skipHooks is used by internal flows to avoid recursive hooks.
+	 * We still enforce CLP for update operations to avoid bypassing class permissions.
+	 */
+	_assertCLPOnSkipHooksUpdate({
+		className,
+		context,
+	}: {
+		className: keyof T['types']
+		context: WabeContext<T>
+	}) {
+		_checkCLP(
+			{
+				className: String(className),
+				context,
+				getUser: () => context.user,
+			},
+			OperationType.BeforeUpdate,
+		)
+	}
+
 	_normalizeMutationPayload({
 		className,
 		context,
@@ -1316,6 +1338,7 @@ export class DatabaseController<T extends WabeTypes> {
 		_skipHooks,
 	}: UpdateObjectOptions<T, K, U, W>): Promise<OutputType<T, K, W>> {
 		if (_skipHooks) {
+			this._assertCLPOnSkipHooksUpdate({ className, context })
 			const whereWithACLCondition = this._buildWhereWithACL({}, context, 'write')
 			const normalizedData = this._normalizeMutationPayload({
 				className,
@@ -1404,6 +1427,8 @@ export class DatabaseController<T extends WabeTypes> {
 			payload: data,
 		})
 
+		if (_skipHooks) this._assertCLPOnSkipHooksUpdate({ className, context })
+
 		const hook = !_skipHooks
 			? initializeHook({
 					className,
@@ -1547,7 +1572,7 @@ export class DatabaseController<T extends WabeTypes> {
 		if (select && Object.keys(select).length > 0)
 			objectsBeforeDelete = await this.getObjects({
 				className,
-				where,
+				where: whereWithACLCondition,
 				select,
 				context,
 				first,

diff --git a/packages/wabe/src/file/hookReadFile.test.ts b/packages/wabe/src/file/hookReadFile.test.ts
@@ -0,0 +1,57 @@
+import { describe, expect, it, mock } from 'bun:test'
+import { defaultAfterReadFile } from './hookReadFile'
+
+describe('hookReadFile', () => {
+	it('should persist refreshed file URLs with an internal root context', async () => {
+		const updateObject = mock(async () => ({ id: 'object-id' }))
+		const readFile = mock(async (fileName: string) => `https://bucket.example/${fileName}`)
+
+		const hookObject = {
+			className: 'Test',
+			context: {
+				isRoot: false,
+				user: { id: 'user-id' },
+				wabe: {
+					config: {
+						schema: {
+							classes: [
+								{
+									name: 'Test',
+									fields: {
+										file: { type: 'File' },
+									},
+								},
+							],
+						},
+						file: { urlCacheInSeconds: 0 },
+					},
+					controllers: {
+						file: { readFile },
+						database: { updateObject },
+					},
+				},
+			},
+			object: {
+				id: 'object-id',
+				file: {
+					name: 'avatar.png',
+				},
+			},
+		}
+
+		await defaultAfterReadFile(hookObject as any)
+
+		expect(readFile).toHaveBeenCalledTimes(1)
+		expect(updateObject).toHaveBeenCalledTimes(1)
+
+		// @ts-expect-error - mock.calls is not typed
+		const updateInput = updateObject.mock.calls[0]?.[0] as any
+		expect(updateInput.className).toBe('Test')
+		expect(updateInput.id).toBe('object-id')
+		expect(updateInput._skipHooks).toBe(true)
+		expect(updateInput.context.isRoot).toBe(true)
+		expect(updateInput.context.user?.id).toBe('user-id')
+		expect(updateInput.data.file.url).toBe('https://bucket.example/avatar.png')
+		expect(new Date(updateInput.data.file.urlGeneratedAt)).toBeDate()
+	})
+})
diff --git a/packages/wabe/src/file/hookReadFile.ts b/packages/wabe/src/file/hookReadFile.ts
@@ -1,4 +1,5 @@
 import type { HookObject } from '../hooks/HookObject'
+import { contextWithRoot } from '../utils/export'
 import type { WabeFile } from './interface'
 
 const isWabeFile = (value: unknown): value is WabeFile =>
@@ -59,7 +60,9 @@ const getFile = async (hookObject: HookObject<any, any>) => {
 
 				return hookObject.context.wabe.controllers.database.updateObject({
 					className: hookObject.className,
-					context: hookObject.context,
+					// Refreshing signed URLs is a technical side effect of reads.
+					// Use an internal context so we don't depend on end-user mutation rights.
+					context: contextWithRoot(hookObject.context),
 					id: hookObject.object.id,
 					data: {
 						[fieldName]: updatedFile,

diff --git a/packages/wabe/src/graphql/pointerAndRelationFunction.ts b/packages/wabe/src/graphql/pointerAndRelationFunction.ts
@@ -155,7 +155,7 @@ export const add = async ({
 	})
 	const idsToAdd = add.map(getPointerId).filter(notEmpty)
 
-	if (typeOfExecution === 'create') {
+	if (idsToAdd.length > 0) {
 		const linkedObjects = await Promise.all(
 			idsToAdd.map((id) =>
 				context.wabe.controllers.database.getObject({
@@ -166,8 +166,11 @@ export const add = async ({
 				}),
 			),
 		)
+
 		if (linkedObjects.some((object) => !object)) throw new Error('Object not found')
+	}
 
+	if (typeOfExecution === 'create') {
 		return idsToAdd.map((id) =>
 			toPointerObject({
 				className: targetClass,

diff --git a/packages/wabe/src/hooks/permissions.ts b/packages/wabe/src/hooks/permissions.ts
@@ -3,6 +3,8 @@ import type { WabeContext } from '../server/interface'
 import type { HookObject } from './HookObject'
 import { OperationType } from './index'
 
+type PermissionSubject = Pick<HookObject<any, any>, 'className' | 'context' | 'getUser'>
+
 const convertOperationTypeToPermission = (operationType: OperationType) => {
 	const template: Record<OperationType, PermissionsOperations> = {
 		[OperationType.BeforeCreate]: 'create',
@@ -36,7 +38,7 @@ export const _getPermissionPropertiesOfAClass = ({
 	return permission
 }
 
-export const _checkCLP = (object: HookObject<any, any>, operationType: OperationType) => {
+export const _checkCLP = (object: PermissionSubject, operationType: OperationType) => {
 	if (object.context.isRoot) return
 
 	const permissionOperation = convertOperationTypeToPermission(operationType)