Updating a group permission, updates wrong group permission #1358

Closed
ricricucit opened this issue Feb 25, 2017 · 5 comments
@ricricucit

ricricucit commented Feb 25, 2017

Version Info

  • Directus version and branch: development
  • PHP version: 7.0.15
  • MySQL version: 5.6.35
  • Web server: Apache
  • OS name and version: OSX

Expected Behavior

Changing permissions for a specific group should change the permissions for that particular group.

Actual Behavior

Changing permissions for a specific group changes the permissions for the group that is modifying the permission (in this case, admin). See the screenshots and steps to reproduce.

Steps to Reproduce

  1. Create a Group (e.g. "Editor", like in the screenshot)
  2. Using an Administrator user, hide/show, for example, "Directus Preferences" for the "Editor" group
  3. You'll see that even though you are in the Administrator group, the menu on the left side hides/shows the "Directus Preferences" table, which should be hiding/showing for another user's group (Editor)

Logs or Screenshots

In the screenshots, a member of the Administrator group is modifying the permissions for the Editor group for "Directus Preferences"... but on the left side, you can see that Directus Preferences disappears/appears for himself (Administrator)... and not for the target group (Editor).

[Screenshot: screen shot 2017-02-25 at 20 13 04]

[Screenshot: screen shot 2017-02-25 at 20 13 18]

If I keep "playing around" with these options, DB data gets corrupted and I see stuff like this:

[Screenshot: screen shot 2017-02-25 at 20 22 55]

UPDATE:
I just noticed that it's simply a weird behaviour (maybe a feature?) that –temporarily– shows the table items with "view all" capabilities in the menu. When refreshed, they disappear (which I'm guessing is the correct way of representing the UI).

Q: Playing with this I noticed the nav_listed field in the DB; is that actually used to list or not list things like tables, bookmarks and system menus' items?
I'm asking because, trying, I could not hide the "Messages" menu item by simply setting that to 0 (for the right users_group).

@benhaynes

Hey @ricricucit – part of this is a bug, yes. To answer your question, there is a nav_listed toggle that allows you to keep view enabled (e.g. inside relational interfaces) but removes the table from the left nav. You can also use the group's nav_blacklist to accomplish something similar.

@wellingguzman – When adjusting group permissions, it should only immediately update the GUI (eg: hide the table in the nav) if you are editing YOUR group (always the admin group as of now, since only they can edit permissions).

The error is that if I (admin) update another group (managers) table to VIEW = FALSE ... it updates the nav to hide it for ME too... which it shouldn't since I'm not updating my group.

@benhaynes benhaynes modified the milestones: 6.4 (Ruby Rabbit), 6.3.x (Lapis Lepus) Jul 11, 2017
@benhaynes

@ricricucit – thanks for the update. We're talking about the nav_listed versus permissions over on this ticket too: #1625

I would like to have the permissions control everything, but in some instances it's good to have a global option (so you don't have to change something for every group). I'd love to get your thoughts on all this!

@wellingguzman

Is this issue marked wontfix for 6.3? @ricricucit is this still happening to you in 6.4?

@benhaynes

@wellingguzman Can you give this an hour of research and testing to see if it's an issue or resolved? If we can't replicate, let's close since it's been a few months with no response.

@wellingguzman

wellingguzman commented Aug 3, 2017

Okay, I checked on 6.4; it actually toggles the visibility of any table on any group to the admin group (which is the only group allowed to edit permissions).

I removed the syncing part, which will avoid this problem. It didn't actually change the permission on the group's privilege on the database.

It won't be fixed on 6.3. (probably who knows)

Closed by 696bbdf

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 4, 2024