
Role with custom access and relations #13619

Closed
artecoop opened this issue May 30, 2022 · 8 comments

Comments

@artecoop

Describe the Bug

I first discovered this in Directus Cloud, but I can reproduce it on a local installation.

I'm accessing all resources as an authenticated user via the API, but the same problem appears when using the Directus dashboard.

I've created a role which has a smaller set of permissions, applied as follows:
[Screenshot attached: Screenshot 2022-05-30 at 15 08 38]

To clarify the schema, Contract is the main table, and it can have 0 to N Press items and 0 to N Processing items.
A Press item must have 1 Paper item, must have 1 Run Type item and can have 0 or 1 Varnish item.
A Processing item must have 1 Process definition item.

I've tried to narrow the number of fields a user in this role can access on the contract. But in order to actually update the contract, I need to give it full edit access to all the related tables (as you see in the screenshot above), otherwise Directus returns FORBIDDEN.

As a test, I've reduced the number of updatable fields on Press for this role. If I directly access a Press item and try to edit permitted fields, I run into no problems.
But if I open a Contract item, open a related Press from there and modify it (always editing fields the user can access), save the Press item I've just edited and then save the Contract, I get the error. If I save the Press and discard the Contract, the whole edit is discarded.

The user in this role can actually read, as you see, but I can't give him update write access to ALL fields.

To Reproduce

I've explained it in the description.
The error message is a bit sparse.

Errors Shown

This is the result from an API call

{"errors":[{"message":"You don't have permission to access this.","extensions":{"code":"FORBIDDEN"}}]}

What version of Directus are you using?

9.11.1

What version of Node.js are you using?

16.15.0 locally

What database are you using?

Directus Cloud Community

What browser are you using?

Firefox, Chrome

How are you deploying Directus?

Directus Cloud, locally

@azrikahar (Contributor)

By "0 to N", did you create a One-to-Many (O2M) field? (assuming it's not M2M since I can't see junction tables in the screenshot). In addition, when you reduce the number of updatable fields for Press, which specific fields did you disable/enable, perhaps a screenshot? If you reproduced this locally on SQLite, it'd also be even more helpful if you can share it 👍

In a local test, I was able to reproduce this issue if the foreign key was not updatable. But after granting permission to that field, it does work:

[Video attached: chrome_piQddqH0yb.mp4]

Side note: Initially thought this is somehow related to #13364, but if this issue is with O2M, then it probably isn't related.

@artecoop (Author)

@azrikahar THANK YOU, with your help I was able to fix this problem.

First yes, the relation is O2M.

Following your suggestion, I've added the permission to the foreign key in the Press and Processing tables, but to no avail. But watching your video again (and again 😂), I saw you give permission on the ID field: that was the final solution.

Why tho? Isn't the read permission sufficient for this purpose?

@artecoop (Author)

I had problems updating those fields via the REST API, so I resorted to watching what payload is used to make the same request from my Directus App dashboard. While a user with full write access can simply pass the Press array with edited and untouched fields, the narrowed user must use this JSON to update the folder (extracted from the Directus request):

{
	"press": {
		"create": [],
		"update": [{
			"id": 28,
			"consumed_sheets": 1,
			"working_hours": 1
		}],
		"delete": []
	}
}

where consumed_sheets and working_hours are valid and editable fields.

Is this the correct way to do things?

@azrikahar (Contributor)

azrikahar commented May 31, 2022

Why tho? Isn't the read permission sufficient for this purpose?

I can see how that would make sense and be intuitive as well, but from my understanding, the permissions are based on actions (create, read, update etc.), so when the permission is "evaluated" during an update, the update permission (and the fields selected there, not the "read" fields) is used.

While a user with full write access to update can simply pass the Press array with edited fields and untouched ones, narrowed user must use this JSON to update the folder (extracted from directus request)

Either syntax should work! I've tested it locally and it does work regardless of which one I've used. Can you share the request you were using via the REST API?

  • When I use the detailed syntax (with create, update, delete):

    [Video attached: chrome_upgKq6IWCX]

  • When I use the array syntax:

    [Video attached: chrome_yQUvmslQOy]

EDIT: closing for now since I believe this has been resolved, but feel free to continue replying with the answer for our discussion above.

@azrikahar azrikahar closed this as not planned Won't fix, can't repro, duplicate, stale May 31, 2022
@artecoop (Author)

If I use
PATCH https://XXXX.directus.app/items/contracts/9
with payload

{
	"press": [{
		"id": 28,
		"working_hours": 1,
		"consumed_sheets": 1
	}]
}

the server returns

{
	"errors": [{
		"message": "You don't have permission to access this.",
		"extensions": {
			"code": "FORBIDDEN"
		}
	}]
}

using the update syntax:

{
	"press": {
		"update": [{
			"id": 28,
			"working_hours": 1,
			"consumed_sheets": 1
		}]
	}
}

works like a charm.
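
A preflight check for the situation discussed in this thread, added here as an example and not part of Directus or of either commenter's code. It mimics the rows GET /permissions returns (collection, action, fields) with constructed sample data, reports which fields of a nested Press update the role cannot update (including `id`, which the thread found was the missing grant), and converts the array syntax into the create/update/delete form. The foreign-key field name back to `contracts` is not given in the thread and is left as an assumption the caller supplies.

```python
"""Preflight for Directus nested O2M updates (constructed example, not Directus code).

Directus checks a nested update of a related collection (here `press`) against
the role's *update* permission on that collection, not its read permission, so
every field the nested payload touches, including `id`, needs update access.
"""

# Constructed sample permission rows, shaped like GET /permissions output.
# The narrowed role may read all of `press` but update only two fields.
SAMPLE_PERMISSIONS = [
    {"collection": "press", "action": "read", "fields": ["*"]},
    {"collection": "press", "action": "update",
     "fields": ["consumed_sheets", "working_hours"]},
    {"collection": "contracts", "action": "update", "fields": ["*"]},
]


def allowed_fields(permissions, collection, action):
    """Fields the role may use for `action` on `collection`; None means all ('*')."""
    for perm in permissions:
        if perm["collection"] == collection and perm["action"] == action:
            fields = perm.get("fields") or []
            return None if "*" in fields else set(fields)
    return set()  # no permission row at all: nothing is allowed


def to_nested_update(items):
    """Rewrite the array syntax into the {create, update, delete} syntax.

    Items carrying an `id` become updates; items without one become creates.
    """
    payload = {"create": [], "update": [], "delete": []}
    for item in items:
        payload["update" if "id" in item else "create"].append(item)
    return payload


def missing_update_fields(permissions, collection, items, implicit=("id",)):
    """Fields the nested update would touch that the role cannot update.

    `implicit` lists fields Directus needs even when the client omits them:
    the row `id`, and (assumption: pass its real name, e.g. the FK back to
    `contracts`) the foreign key, as azrikahar's comment describes.
    """
    allowed = allowed_fields(permissions, collection, "update")
    if allowed is None:
        return set()
    used = {field for item in items for field in item} | set(implicit)
    return used - allowed
```

Run `missing_update_fields` against the role's permission rows before issuing the PATCH; an empty set means the nested update will not be refused for field-level reasons.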

@azrikahar (Contributor)

That does seem rather odd. Would you be able to create a minimal reproduction locally with SQLite and share the db file with admin credentials here?

@artecoop (Author)

It seems odd to me too, also because I can't reproduce it locally. If you have a connection with the directus.cloud team, I can give you the project id so you can look at the actual production installation.

@azrikahar (Contributor)

Hmm, then that may end up being Cloud-specific. That said, feel free to send the details to me at azri@directus.io 👍

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2024