Dot character in document identifier leads to null value in dereferenced array

[Michael-1]

I believe I have found a bug with referencing documents that contain the dot character (.) in their identifier.

Let’s say a have document campaign that includes the following field specification.

{
  name: 'organisations',
  title: 'Organisations',
  type: 'array',
  of: [{type: 'reference', to: [{type: 'organisation'}]}],
}

I then query this with

*[ _id == "example-campaign"] {
  organisations[] -> {
    _id,
    name
  }
}[0]

and get null entries for all organisations that have a dot character in their _id.

However, if I pass an authorisation token with the request, then the bug is not reproducible. I then also get those organisations that contain a dot in their identifier. (All involved documents are published, so I wouldn’t expect a different behaviour.)

[Michael-1]

I’ve meanwhile come a cross the following statement in Sanity’s documentation of identifiers:

The default, fixed access control rules give unauthenticated users read access to documents under the root path only, which means that it is not possible to make documents under a sub-path (i.e. containing a . in the ID) publicly available.

So, this seems to be by design.