[BUG] Claude is ignoring `allow` permissions in global `settings.json`
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report
- [x] I am using the latest version of Claude Code
What's Wrong?
The Bash permission pattern Bash(ls *) in settings.json is not matching the command ls -la ~/.claude/, requiring user approval despite the pattern being in the allow list.
When Claude attempts to execute ls -la ~/.claude/, the user is prompted for permission even though Bash(ls *) is explicitly configured in the permissions.allow array.
What Should Happen?
The command ls -la ~/.claude/ should be automatically allowed without requiring user approval, as it should match the pattern Bash(ls *) which is intended to allow any ls command with any arguments.
Error Messages/Logs
No error messages - the command simply requires manual approval instead of being auto-approved by the permission pattern.
Steps to Reproduce
- Add
Bash(ls *)to the permissions.allow array in~/.claude/settings.json:
``json``
{
"permissions": {
"allow": [
"Bash(ls *)"
]
}
}
- Start a Claude Code session
- Request Claude to execute
ls -la ~/.claude/ - Observe that Claude prompts for permission approval
Expected: Command executes without permission prompt
Actual: User is prompted to approve the command
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Claude Code Version
Latest (as of 2026-01-14)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
Current settings.json configuration:
{
"permissions": {
"allow": [
"Bash(grep *)",
"Bash(ls *)",
"Bash(pwd *)",
"Bash(mkdir *)",
...
]
}
}
Settings file location: ~/.claude/settings.json (symlinked to ~/app/dotfiles/claude/settings.json)
System info:
- OS Version: Darwin 24.4.0
- Platform: darwin
Hypotheses about the issue:
- Tilde expansion timing: The pattern may be evaluated before shell tilde (
~) expansion occurs, causing the literal string~/.claude/not to match the expected pattern - Wildcard matching edge case: The wildcard
*inBash(ls *)may not properly handle certain combinations of flags and path arguments - Pattern precedence or parsing: There may be an issue with how the command string is parsed before pattern matching
Questions for clarification:
- Is
Bash(ls *)expected to matchls -la ~/.claude/? - What is the correct pattern syntax to allow all ls commands regardless of flags and paths?
- Should multiple patterns be required (e.g., both
Bash(ls)andBash(ls *), orBash(ls:*))? - Is there a known limitation with special characters (tilde, dots) in path arguments affecting pattern matching?
Related patterns that also exist in the allow list and work correctly:
Bash(grep *)- appears to workBash(pwd *)- appears to workBash(git status *)- appears to work
27 Comments
I am having a similar issue. I would like Claude to run read and node project commands without asking for permission each time, but it is still asking for permission it has been granted. There's nothing in my hooks that would prevent this.
The project level .claude/settings.local.json is being respected, but should be allowed by the global settings.json permissions already.
claude --version
2.1.7 (Claude Code)
Here are my global settings.json permissions (no, it was not trying to read the denied files). I have not tested them all, this is just to show my configuration:
Now it's ignoring it for
mkdir.In my global
~/.claude/settings.json:I asked Claude to create a project-specific
.claude/settings.jsonin the repo, and got:Would be great to get someone from Anthropic to explain why it's just not working
Issues with permissions are pretty critical.
Would love a fix for this :)
I'm seeing this too, Claude 2.1.12 (npm).
Suspiciously, in the permission prompt choice 2:
/tmphas becometmp/. This is what/tmpmeans in the settings permission "notation" (whereas actual/tmpwould be://tmp). I asked Claude:List files in /tmp.But being prompted:
I'm having the same issues when trying to allow running the
miniservebinary:Added to both the project and global config, but Claude always asks for permission.
This is utterly maddening. I want every single Claude session I start to have the same basic set of rules, so I don't have to start from scratch every time. If only they had some kind of artificial intelligence that could read literally every single GitHub issue and start writing a fix for it, given that supposedly they do 90% of their internal development using the tool itself...
It's also a massive productivity killer because I think I am leaving it alone to work, and then three seconds after I get up, it asks something stupid like, "Am I allowed to use ls on a directory?" Even though I already have approved it globally.
If and when the AI apocalypse happens, I'm going to point to this issue.
Huh, the issue I opened was marked as a duplicate, but I have the opposite problem. Claude was doing things without my approval and without my permission.
Still broken.
Another data point for this issue.
Setup:
~/.claude/settings.json(global) contains:```json
{
"permissions": {
"allow": [
"Bash(ls:*)",
]
}
}
ls ~/src/.claude/still prompts for permission.Environment:
I am experiencing an issue with allow permission for
gh issue comment.Setup 1:
~/.claude/settings.json(global) contains:Bash(gh issue comment*)Permission prompt does appear when executing:
Setup 2:
~/.claude/settings.json(global) contains:Permission prompt doesn't appear when executing:
Write(/tmp/gh-comment-body.md)Bash(gh issue comment $NUMBER --repo $REPO --body-file /tmp/gh-comment-body.md 2>&1)Environment:
still broken, even simple read commands that have been added to settings, are being prompted upon every command
➕ 1
Still broken, it's unworkable to have to accept any read operation
Still an issue, no matter if I work in CLI, desktop app or VS Code extension same problem.
Same problem: https://github.com/anthropics/claude-code/issues/34999
Broken for me too and makes using CC a nightmare, or I am forced to bypass all permissions to keep my sanity.
Still broken.
Had similar issues with allow rules being ignored. I built a tool that combines hooks (PreToolUse + PermissionRequest) with allow rules as a belt-and-suspenders approach — if one layer misses, the other catches it.
npx claude-trust-me-bro enableto try it. https://github.com/joaovcoliveira/claude-trust-me-bro (I'm the author)For others who come along - I've added a hook call to check aws commands and pre-authorize any I recognize as non-destructive. Useful for others I hope:
Still an issue on 2.1.84
I also still see this with 2.1.114 on win11
Still an issue in 2.1.119 on linux
This is still an issue with
2.1.126. I'm trying to allow Claude to runcargo checkvia distrobox like this:"Bash(distrobox enter fedora -- cargo check *)",I also tried to allow Claude to read example code from specific absolute path, but it every time asks for permission anyways. Thinks like this do not work
"Read(/home/xyz/test/lightyear/*)",The same happens whether I use global or project configuration.
But every time Claude Code would ask permission. Permissions not working makes it impossible to let Claude Code do any independent work at all basically :(