Do we need to give permission to the post only or post and file?

If a user creates a post, and that post has an image and description, which instance needs permission? Do we need to give permission to the post only or post and file?

If you have a type like:

type Post {
 image: File
}

In this case, if you give permission to the Post then they see the information about the image as well.

Unfortunately, they still cannot download the image. Permission is only implicitly granted if accessed via the Post - You must create a permission for the File as well to allow them to download it.

When you upload a file, the platform detects the type. If it is an image, then it will automatically create an Image row for you so this table is fine the way you have it

Note that the second permission is only required because the API to download files does not use the Post but instead directly, instead it uses the File to check if permission exists for it. If you want to get the data about the file, however, then the user can see this if they query it through the Post.