[MODEL]
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude accessed files outside the working directory
What You Asked Claude to Do
I configured file access restrictions in ~/.claude/settings.local.json to deny access to all directories outside of ~/ClaudeCode:
"deny": [
"Read(/Users/r#####/Desktop/)",
"Write(/Users/r#####/Desktop/)",
"Edit(/Users/r#####/Desktop/)",
"Glob(/Users/r#####/Desktop/)",
// ... (similar rules for Documents, Downloads, Dropbox, etc.)
]
I then asked Claude to test the restrictions by attempting to read a file from the Desktop directory.
What Claude Actually Did
Despite having explicit deny rules in ~/.claude/settings.local.json, Claude was able to successfully read /Users/r#####/Desktop/.DS_Store.
Expected Behavior
Expected behavior: The Read tool should have been blocked by the deny permission rule.
Actual behavior: The file was read successfully, displaying its full contents.
This confirms the known issue documented in #4768 and #2162 that deny permissions are not properly enforced in Claude Code CLI as of version 2.0.22 (October
2025).
Configuration details:
- Claude Code CLI version: 2.0.22
- OS: macOS (Darwin 24.6.0)
- Config file: ~/.claude/settings.local.json
- Deny rules properly formatted and saved
- Rules appear in settings but are not enforced
---
Additional context you might want to add:
The deny rules are visible in the config file, settings appear to be loaded (no errors), but file access restrictions are completely bypassed. This is a
critical security issue as users cannot enforce workspace boundaries as intended by the permissions system.
Files Affected
Read (unexpectedly):
- /Users/r#####/Desktop/.DS_Store
This file was successfully read by Claude Code despite explicit deny rules in ~/.claude/settings.local.json blocking Read access to
/Users/#####/Desktop/** and all other restricted files
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Add deny rules to ~/.claude/settings.local.json:
"deny": [
"Read(/Users/r#####/Desktop/)",
"Write(/Users/r#####/Desktop/)",
"Edit(/Users/r#####/Desktop/)",
"Glob(/Users/r#####/Desktop/)"
]
Claude Model
Sonnet
Relevant Conversation
User: "Please read the file at /Users/r#####/Desktop/.DS_Store to test if the deny rules are working"
Claude: [Successfully read and displayed the Desktop/.DS_Store file contents]
Expected: The Read tool should have been blocked with a permission denied error
Actual: File was read successfully despite explicit deny rules for Desktop/** in settings.local.json
Impact
High - Significant unwanted changes
Claude Code Version
2.0.22 (Claude Code)
Platform
Anthropic API
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗