Improve Alyx permissions system
Over the years there have been numerous issues relating to the permissions in Alyx. Currently the database is extremely insecure in that user permissions are ill-defined. For example, basic users can freely delete objects via REST that cannot be edited via the admin interface, and users can see and delete other users' authentication tokens. When all permissions are added via the user admin page, some pages still cannot be edited, leading to confusion for admins. Additionally, documentation in the usage guide (and more generally) is absent regarding the permissions system. Most users are unclear about what the difference is between a responsible user, object user, public user, staff, and superuser.