[OBSOLETE] Schema Scripts Not Preventing Actions

I’m submitting a…

[ ] Regression (a behavior that topped working in a new release)
[ X] Bug report
[ ] Performance issue
[ ] Documentation issue or request

Current behavior

Adding scripts to schemas doesn’t actually reject requests made by other users.

Expected behavior

When I add a reject() or the other disallow functions it should block the users accordingly in the UI

Minimal reproduction of the problem

I am using the latest docker-compose version and I have added reject() under all the hooks for query, create, update, etc (screenshot below). And I can still do all CRUD actions on my other account which is an Editor account.

Pulling squidex_mongo (mongo:latest)...
latest: Pulling from library/mongo
Digest: sha256:e40c5b535cb2f1f39dba4687abfd0ecbec89520aba1945484ea00cf8688d4595
Status: Image is up to date for mongo:latest
Pulling squidex_squidex (squidex/squidex:dev)...
dev: Pulling from squidex/squidex
Digest: sha256:2e8f0209f02a3dbf034cafd7c0fb58902b9f209cbd92780345a14918db50ff2f
Status: Image is up to date for squidex/squidex:dev
Pulling squidex_proxy (jwilder/nginx-proxy:latest)...
latest: Pulling from jwilder/nginx-proxy
Digest: sha256:e869d7aea7c5d4bae95c42267d22c913c46afd2dd8113ebe2a24423926ba1fff
Status: Image is up to date for jwilder/nginx-proxy:latest
Pulling squidex_encrypt (jrcs/letsencrypt-nginx-proxy-companion:latest)...
latest: Pulling from jrcs/letsencrypt-nginx-proxy-companion
Digest: sha256:5b4132a2edd3bf7103e3214d7450e0a87ef22dca53fed9a38c1568c6220b3eda
Status: Image is up to date for jrcs/letsencrypt-nginx-proxy-companion:latest


  • [X ] Self hosted with version docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version


  • [X ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge


It is not a bug more a missing hint in the docs. Scripting for queries are not executed in the admin UI. Because you can do all kind of stuff and also prevent the admin UI to work properly.

But saving and so on works for me.

Okay, so basically any user contributing to the project has access to the content? My use case is that I want to have translators only translate but not be able to update the master / fallback languages. I could build some standalone UI to do it but if they ever found the backend they would be able to modify all the content. Is that correct?

Yes, but you can still protect the user from changing it, but of course they can see everything.

Wait, so there is a way to prevent them from changing it in the UI?

For me it Create, Update, Delete and Change works