Automatic Tables and Custom Permissions (CLP) Issue

@mayjer we had a similar problem on tables like EthNFTOwnersPending, which has been fixed.

Still remaining: when I set the CLP on EventSync to no access, some scheduled event throws:

{"message":"Permission denied for action find on class EventSync.","code":119}

Thanks for reporting. Put it in the backlog.


@mayjer sorry got another CLP question/issue/remark:

I closed down Public access on the User and _EthAddress class for security, but it prevents new users from signing up. I have to set User to allow Public Read and Write for signup to work.

You can see here 4 tries of a new signup when Public Write was disabled, which created some Users without relevant accounts & address data:

If I leave User set to Public Read&Write, is the data still safe from outsiders because of the ACL?

Would be great to see some thread or video at some point on this security topic. I think I have it covered now, but it is still very important!

Yah because of the ACL each row in the User table is locked to that specific user, which needs to be authenticated. Will fix the web3 auth so it works regardless, the same issue would likely apply to linking/unlinking as all of these operations currently use interactions from the SDK which will need to be refactored.
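The two layers described in that answer (class-level CLP checked first, per-row ACL after it) are easier to reason about with a small model. The following is an added example, not code from Moralis or from anyone in this thread; it assumes simplified shapes for the CLP and ACL objects (spelled out in the comments) and reproduces the shape of the code 119 error quoted above.

```javascript
// Added illustration, not Moralis or Parse code and not posted in this thread:
// a minimal model of the two permission layers. A request is checked against
// the class-level permission (CLP) first; only if that passes does the
// per-row ACL decide which rows the caller may read or write.
// Assumed (simplified) shapes: clp = { find: {'*': true}, delete: {} }
//   action key missing -> public (no CLP set), {} -> no access, {'*': true} -> Public,
//   {requiresAuthentication: true} -> any logged-in user, {<userId>: true} -> that user.
//   Per-row acl = { '*': {read, write}, <userId>: {read, write} }.
const PERMISSION_DENIED = 119; // code in the thread's error output
const OBJECT_NOT_FOUND = 101;  // what a write blocked by the ACL surfaces as

function clpAllows(rule, requester) {
  if (rule === undefined) return true;
  if (rule['*']) return true;
  if (!requester.userId) return false;   // scheduled job / plugin: "user undefined"
  if (rule.requiresAuthentication) return true;
  return Boolean(rule[requester.userId]);
}

function aclAllows(acl, mode, requester) {
  if (!acl) return true;                 // row saved without an ACL
  const pub = acl['*'] || {};
  const own = (requester.userId && acl[requester.userId]) || {};
  return Boolean(pub[mode] || own[mode]);
}

// rows: candidate rows for 'find', or the target row(s) for 'delete' / 'update'.
function evaluate(className, clp, action, requester, rows) {
  if (requester.useMasterKey) return { ok: true, rows }; // master key bypasses both layers
  if (!clpAllows(clp[action], requester)) {
    return { ok: false, error: {
      message: `Permission denied for action ${action} on class ${className}.`,
      code: PERMISSION_DENIED } };
  }
  if (action === 'find') {
    // the ACL never errors on find; unreadable rows are silently left out
    return { ok: true, rows: rows.filter((r) => aclAllows(r.ACL, 'read', requester)) };
  }
  const writable = rows.every((r) => aclAllows(r.ACL, 'write', requester));
  return writable ? { ok: true, rows }
    : { ok: false, error: { message: 'Object not found.', code: OBJECT_NOT_FOUND } };
}

// Constructed sample: User table left Public Read/Write at the CLP, rows locked by ACL.
const userRows = [
  { objectId: 'u1', ACL: { u1: { read: true, write: true } } },
  { objectId: 'u2', ACL: { u2: { read: true, write: true } } },
];
const openClp = { find: { '*': true }, delete: { '*': true } };
const closedClp = { find: {}, delete: {} };
```

With the closed CLP, a job that runs with no user is denied before the ACL is ever consulted, which is why the thread's errors say "user undefined"; with the open CLP, a logged-in user still only sees and deletes rows whose ACL names them.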

@mayjer oof I think I have another one:

Moralis.Cloud.beforeSave("EthSoldItems", async (request) => {
  const query = new Moralis.Query("EthItemsForSale");
  query.equalTo("uid", request.object.get("uid"));
  // master key so the lookup is not subject to the class CLP
  const item = await query.first({ useMasterKey: true });
  if (item) {
    // do cool stuff and then...
    // remove from sales dbs; destroy() takes the options object as its only argument
    await item.destroy({ useMasterKey: true });
  }
});

Results in error:

Error syncing realtime event for topic 0xe24570e3816dbfb499d860fae937bb9ef063d7970dfc540a0a0cfff7c06df03e
 {"message":"Permission denied for action delete on class EthItemsForSale.","code":119}

With this table EthItemsForSale CLP set to Public Read only, rest all closed.
:thinking:

any news on these CLP issues?
is it in the new release?
I consider it quite critical to my security…

I will ping the team again and see the progress, we will fix this

We pushed a fix so that now all automatic events can override permissions - fix is out in 0.0.252

Can you try @matiyin

@ivan I’ve updated, set tables back to no Public access (most actually have no CLP set at all, since I mostly use cloud functions).
I’ve deleted all items in NFTOwners and waiting for them to populate.
There’s no way to manually trigger that job I guess?
If this works again, I will recheck all other CLP issues related to my own Jobs.

first one I can report with CLP not set to Public read/write, using Sync and Watch plugin:

2021-08-30T11:43:20.871Z - Failed running cloud function watchEthAddress for user undefined with:
  Input: {"address":"0xfac18d92fa347b6d733300df893ab3db6d09301d","sync_historical":true}
  Error: {"message":"Permission denied for action find on class WatchedEthAddress.","code":119}

I’d rather not have people mess with my tables… it’s very easy if you know the app id and server url.

Yes you should be able to set permissions, we are not debating that.

Thanks for the error, sending it to the team.

Except for the ‘dubious’ CLP access on Users and watchedEthAddress, all the rest is fixed now :+1:

We pushed some updates, please check

not sure what you mean with dubious access, if you have any errors please paste here and we will check! :raised_hands::raised_hands:

Thanks @ivan I can confirm watchedEthAddress now works with CLP closed to public, v0.0.254.
Regarding Users, I was referring to my previous remark in this thread. I have to leave User and _EthAddress to Public Read/Write for new user signup to work. I understand this is ok because ACL is locked to the user on those tables. Mayer made some remark about looking into that, but that’s up to you. I think for now my db is protected :clap:


sorry, still errors on class EventSync CLP non-public. I think the ‘action delete’ was triggered by me changing the contract hash in a watch & sync plugin and resaving the plugin.
If I have more detailed info I will let you know later.

2021-08-31T11:07:05.156Z - Error: Permission denied for action delete on class EventSync.
    at Function.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1483:11)
    at SchemaController.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1488:29)
    at /moralis-server/lib/Controllers/DatabaseController.js:1129:65
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
2021-08-31T11:07:05.150Z - Failed running cloud function unregisterEthRemovedItems for user undefined with:
  Input: {}
  Error: {"message":"Permission denied for action delete on class EventSync.","code":119}
2021-08-31T11:06:57.847Z - Error: Permission denied for action delete on class EventSync.
    at Function.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1483:11)
    at SchemaController.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1488:29)
    at /moralis-server/lib/Controllers/DatabaseController.js:1129:65
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
2021-08-31T11:06:57.841Z - Failed running cloud function unregisterEthRemovedItems for user undefined with:
  Input: {}
  Error: {"message":"Permission denied for action delete on class EventSync.","code":119}
2021-08-31T11:05:59.555Z - Error: Permission denied for action delete on class EventSync.
    at Function.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1483:11)
    at SchemaController.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1488:29)
    at /moralis-server/lib/Controllers/DatabaseController.js:1129:65
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
2021-08-31T11:05:59.551Z - Failed running cloud function unregisterEthSoldItems for user undefined with:
  Input: {}
  Error: {"message":"Permission denied for action delete on class EventSync.","code":119}
2021-08-31T11:04:49.809Z - Error: Invalid function: "unregisterEthSoldItems"
    at handleCloudFunction (/moralis-server/lib/Routers/FunctionsRouter.js:119:13)
    at /moralis-server/lib/PromiseRouter.js:85:20
2021-08-31T11:04:43.245Z - Error: Permission denied for action delete on class EventSync.
    at Function.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1483:11)
    at SchemaController.validatePermission (/moralis-server/lib/Controllers/SchemaController.js:1488:29)
    at /moralis-server/lib/Controllers/DatabaseController.js:1129:65
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
2021-08-31T11:04:43.242Z - Failed running cloud function unregisterEthItemsForSale for user undefined with:
  Input: {}
  Error: {"message":"Permission denied for action delete on class EventSync.","code":119}