I want to report unexpected behavior regarding permissions in Strapi (version 4.25.11).

In our instance, we noticed that users with the default “author” role have the ability to view and delete folders in the media library, even if those folders were created by other users.

This includes:

Even more surprisingly, deletion is set to “is creator” for assets, which should theoretically restrict an author to deleting their own content only. Despite this, an author can delete entire folders, even if they didn't create them or they contain files belonging to other users.

Thanks in advance for your feedback and help.