access-control-enforced-at-read-not-write
IN premise
Access control (`_is_visible`) is enforced at read/query boundaries (`show_node`, `explain_node`, `trace_assumptions`) via `PermissionError`, but write operations (`add_node`, `retract_node`, `assert_node`) do not check visibility.
Summary
The system checks whether a user is allowed to see a piece of information only when they try to read it, not when they create or modify it. This means someone could potentially add, retract, or reassert nodes they shouldn't have access to, since write operations skip visibility checks entirely.
Dependents
These beliefs depend on this one:
- access-control-is-transitive-subset-gated — Access control enforces transitive subset-based authorization: visibility requires the caller's tags to be a superset of the node's tags, derived nodes inherit the sorted union of all ancestor tags transitively, and enforcement occurs at read boundaries only — write operations are unrestricted.
Details
| Source | entries/2026/04/29/reasons_lib-api.md |