A restricted user can see other users #11354

Closed
3 tasks done
darioguarascio opened this issue Jan 31, 2022 · 2 comments

@darioguarascio

Preflight Checklist

Describe the Bug

Creating a new, very restricted role with the intention of only being able to modify entries in one collection, I found out that, even if not visible, by accessing /admin/users it is possible to see all users.

Even if I apply a rule to the directus_users collection, it seems to be ignored.

To Reproduce

Creating a new role / new user

Errors Shown

No response

What version of Directus are you using?

9.5.0

What version of Node.js are you using?

16.13.2

What database are you using?

postgres:13

What browser are you using?

Chrome

What operating system are you using?

Linux 5.10.0-8-amd64

How are you deploying Directus?

Docker

@azrikahar
Contributor

Unfortunately I can't seem to reproduce it on my end, as seen in this clip here:

q42B6BJ8h0.mp4

Would you mind providing clearer, minimal and working reproduction steps? Screen captures would also be very helpful.

Just to be sure, it may also be worth clearing any cache your instance may have: https://docs.directus.io/configuration/config-options/#cache. Note that the permission cache is not affected even if you were to set CACHE_ENABLED=false. You can also make a POST request to /utils/cache/clear with admin credentials to clear the cache, more info here: https://docs.directus.io/reference/system/utilities/#clear-the-internal-cache
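
An added example, not part of the thread or of the Directus code base: a check that clears the cache as suggested above and then lists which other user ids a restricted token can read over the API. It assumes bearer-token auth and the `GET /users` endpoint with a `{"data": [...]}` reply; the base URL, tokens, user ids and the `FakeSend` transport are constructed placeholders so the block runs offline.

```python
import json
import urllib.error
import urllib.request

def api(base_url, method, path, token, send=urllib.request.urlopen):
    """Call one endpoint with a bearer token; return the parsed JSON body (None if empty)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with send(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def visible_other_users(base_url, admin_token, restricted_token, own_id,
                        send=urllib.request.urlopen):
    """Clear the cache as admin, then return the other user ids the restricted token can read."""
    api(base_url, "POST", "/utils/cache/clear", admin_token, send)
    try:
        rows = api(base_url, "GET", "/users?fields=id&limit=-1", restricted_token, send)["data"]
    except urllib.error.HTTPError as err:
        if err.code == 403:  # role has no read access to directus_users at all
            return []
        raise
    return sorted(row["id"] for row in rows if row["id"] != own_id)

class FakeSend:
    """Constructed offline transport: serves canned replies and records each call."""
    def __init__(self, users_reply):
        self.users_reply, self.calls, self._body = users_reply, [], b""
    def __call__(self, req):
        path = req.full_url.split("//", 1)[1].split("/", 1)[1]
        self.calls.append((req.get_method(), "/" + path, req.get_header("Authorization")))
        if path.startswith("users"):
            if self.users_reply == 403:
                raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", None, None)
            self._body = json.dumps({"data": [{"id": i} for i in self.users_reply]}).encode()
        else:
            self._body = b""  # assumption: the cache-clear reply carries no body
        return self
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self._body

if __name__ == "__main__":
    leaky = FakeSend(["u-restricted", "u-admin", "u-editor"])  # constructed ids
    print(visible_other_users("http://localhost:8055", "ADMIN_TOKEN", "RESTRICTED_TOKEN",
                              "u-restricted", leaky))
```

A non-empty result means the role's rule on directus_users is not limiting reads at the API level, independent of what the admin app shows.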

@darioguarascio
Author

@azrikahar I tried again, and it works just as shown.
It might have been a cache-related problem; the strange thing is that I do not have any cache system in place. I obviously tried several times before reporting.
Thank you anyway for the effort!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2024