Permission system prompts for safe operations but silently runs destructive ones (migrate, ALTER TABLE)
Bug Description
Claude Code regularly asks for permission to perform non-destructive operations (reading files, writing files), but executes destructive commands like python3 manage.py migrate and raw SQL ALTER TABLE / DROP COLUMN without any permission prompt.
This is backwards — it prompts for safe operations but silently runs dangerous ones.
Root Cause
When a user has a broad allow rule like Bash(python3:*) in their settings.local.json, it allows all python3 commands — including destructive ones like migrate, raw SQL via manage.py shell, etc.
The permission system treats all commands matching a broad pattern equally, with no distinction between read-only and destructive operations.
Expected Behavior
Destructive/irreversible commands (e.g., database migrations, schema changes, DROP, ALTER) should require explicit user approval regardless of broad allow rules. At minimum, Claude should proactively ask the user before running such commands — the same way it is instructed to confirm before destructive git operations.
If Claude asks permission to read a file, it should absolutely ask permission before modifying a database schema.
Steps to Reproduce
- Add
Bash(python3:*)tosettings.local.jsonallow list - Ask Claude to work on a Django migration task
- Claude regularly prompts for permission to read/write files during the task
- But Claude runs
python3 manage.py migratewithout prompting — modifying the database schema - Claude also runs raw SQL via
manage.py shell(ALTER TABLE, DROP COLUMN) without prompting
Impact
In our case, this resulted in irreversible database schema changes (ArrayField columns converted to JSONField) that required multiple manual SQL fixes to restore.
Suggested Fix
- Add a built-in deny/warn list for known destructive command patterns (e.g.,
migrate,DROP,ALTER,DELETE,rm -rf) - Or: require Claude to always confirm before running commands that modify database schema, regardless of allow rules
- At minimum: if Claude prompts for non-destructive operations, it must also prompt for destructive ones
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗