New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions creating items #11775
Comments
Test notesThe relational field If manually populated (just for testing), it has to be in the following format where the field key is somehow duplicated.
With the manually populated fields, the API now returns a Forbidden Error instead of the above validation error. |
I have a very similar issue. I created a role lets say "Admin", and I wanted to set the permissions to only allow that role (Admin) to create specific roles i.e "Account Holders" and "Guards". So the user with an admin account can only create users that belong to the roles "Account Holders" and "Guards" only and cannot create users in other roles like "Super Admin" and "Directors". So in the permissions I set the roles IDs the Admin can create. But I get the same error as above: { |
I have the exact same issue. |
I think this also happens if you update (edit) an existing item. The validation will throw an exception since the relational field is not populated. |
I just got this issue as well. It happens because the field validation rules use nested checks. The This also prevents nullable fields from setting them to For example see this field validator: If I just pass the ID of the customer there it complains about not being an object, because the field validation rule does not query anything, it expects the customer object to be there, along with the user object and its @rijkvanzanten The field validation does not currently query references when just the ID is passed, that's the gist of this issue. Another flaw that I noticed is that you cannot setup an |
Yup! There's a handful of discussions floating around on the same as well.. You're right. The validation check is a little "dumb", in that it won't auto-expand passed in relational values. If you configure the validation to check for Ideally the app will expand the value using the data from the API before passing it to the API, that way you can configure a single rule that checks for both. In the meantime, you can make this work as expected by using an
|
@rijkvanzanten I have to set this in the database right? Because the filter UI does not allow me to write anything by hand (it used to before the new very nice UI rework landed) |
You can use an or group in the UI as well, or click on the field label -> edit raw value to do it in JSON if you prefer that approach 🙂 (my little example above was just pseudocode to give an example) |
@rijkvanzanten Ah didn't know you can click on the label for the raw value. Thanks! 👍 It's just that it was not possible to check for |
Ahh yeah, #12040 🙂 |
The proposed solution only works for the case where the validation is done directly on the foreign key of the linked table but does not work for any actual relational fields. As describe in the initial issue report from @stefanovalentegva it is currently not possible to create validation rules based on field values of linked tables (e.g. M2O relations) to the best of my knowledge. Here is another simplified example of the case:
Validation rule on create/edit of entry in
This validation rule will always fail, both in the web interface and using the REST API.
Here is a little Postgres example DB to reproduce it: |
In that example, you tell the API to expect a value that is an object with a key called |
No, what I try to do is to create a new item in
and results in the following error:
|
I edited raw JSON to allow both validation rules suggested above. This is to create an item in the Meeting collection:
I also dropped the _and condition above and no changes in the results. Ran the following POST requests:
Response body:
Attempt 2:
Response:
And the empty object case discussed already:
Response:
|
I looked at the code, this features is not developed yet. Considering that anyone creating an app with permission requirements will need this feature, I'm currently working on a PR to add it. I keep you updated. |
@rijkvanzanten sorry for tagging, but is there a solution for creating new (nested) items? Right now we have collection "a" with a many to many relation to collection "b" (junction table: "a_b"). Table "a_b":
Permissions We would do this with the following rule on "a_b":
And then do a POST on "a"
Generating the following Error: That's because the rule tries to check the "role" of the related a_id which isn't fetched. Thanks! |
I don't think there's a good workaround currently besides making a custom hook that runs the validation logic to your exact spec. What you're running into is exactly what's described in this issue thread, which is something we're looking to properly support 🙂 |
Thanks for your response! We’ll then create a custom hook for validation. Can you say if it’s already planned for the next few versions or is this more a “we want to support this one day in the future” |
That's near impossible for me to accurately predict. What's being worked on next is a combination of community demand, sponsored work, (emergency) bugfixes that have to happen first, and other things. That being said, we are tracking this as an Issue (rather than a Discussion which are more the "This would be cool to support at some point" things), and it's something that affects/confuses more people, so it's definitely high on my personal priorities list |
totally understand that it’s impossible to give an eta or exact plans for oss projects |
Facing the same problem for field validation upon creation. Any solutions that work? |
Hey guys, any ideas when we could have this resolved? Or at least a temporary alternative? |
Alternative would be a custom hook. As for a resolution, this is a very large lift, but it is something we're currently actively working on. @qborisb and myself actually just spent over an hour discussing different implementation strategies for this 🙂 Long story short, the API will have to smartly expand the input IDs to the resolved related data to run the validation on the final "pre-insert" modified object, but that comes with a lot of tricky edge cases |
Linear: ENG-268 |
Preflight Checklist
Describe the Bug
Unable to set permissions check on create
To Reproduce
Suppose you've got 2 collections
Relation between the two collections is Many to One (Many price refers to One Product)
and Suppose you've got 2 roles:
SocksUsers should add price only for product with code === 'socks'
TrousersUser should add price only for product with code === 'trousers'.
Create Permission on Prices Table for SocksUsers is
Trying to add a new price within API
POST /items/prices
with body:
response is:
POST /items/prices
with body:
response is:
I would expect the user belonging to group SocksUsers to receive an error if product 1 (to which the price is related) has "code" other than "socks". Instead I receive error at any calls.
Errors Shown
No response
What version of Directus are you using?
9.5.2 / 9.5.1
What version of Node.js are you using?
16.14.0
What database are you using?
mysql
What browser are you using?
API Call
What operating system are you using?
macOS
How are you deploying Directus?
running locally
The text was updated successfully, but these errors were encountered: