Role with custom access and relations #13619
Comments
By "0 to N", did you create a One-to-Many (O2M) field? (assuming it's not M2M since I can't see junction tables from the screenshot). In addition, when you reduce the number of updatable fields for Press, what specific fields did you disable/enable, perhaps a screenshot? If you reproduced this locally on SQLite, it'd also be even more helpful if you can share it 👍 In a local test, I was able to reproduce this issue if the foreign key was not updatable. But after granting permission to that field, it does work: (video attachment: chrome_piQddqH0yb.mp4) Side note: Initially thought this is somehow related to #13364, but if this issue is with O2M, then it probably isn't related.
@azrikahar THANK YOU, with your help I was able to fix this problem. First, yes, the relation is O2M. With your suggestion, I've added the permission to the foreign key in the Press and Processing tables, but to no avail. But watching your video again (and again 😂), I saw you give permission on the ID field: that was the final solution. Why though? Isn't the read permission sufficient for this purpose?
I had problems updating those fields via the REST API, so I resorted to watching what payload is used to make the same request via my Directus App dashboard. While a user with full write access can simply pass the Press array with edited fields and untouched ones, a narrowed user must use this JSON to update the folder (extracted from the Directus request):
where consumed_sheets and working_hours are valid and editable fields. Is this the correct way to do things?
I can see how that would make sense and intuitive as well, but from my understanding, the permissions are based on actions (create, read, update etc) thus when the permission was "evaluated" during
Either syntax should work! I've tested it locally and it does work regardless of which one I've used. Can you share the request you were using via the REST API? EDIT: closing for now since I believe this has been resolved, but feel free to continue replying with the answer for our discussion above.
If I use
the server returns
using the update syntax:
works like a charm
That does seem rather odd. Would you be able to create a minimal reproduction locally with SQLite and share the db file with admin credentials here?
It seems odd to me too, also because I can't reproduce it locally. If you have a connection with the directus.cloud team I can give you the project id and see on the actual production installation
hmm then that may end up being Cloud-specific. That said, feel free to send the details to me at
Describe the Bug
I first discovered this in Directus Cloud, but I can reproduce it on a local installation.
I'm accessing all resources via an authenticated user via the API, but the same problem appears using the Directus dashboard.
I've created a role which has a smaller set of permissions, applied as follows:
To clarify the schema, Contract is the main table, and it can have 0 to N Press items and 0 to N Processing items.
A Press item must have 1 Paper item, must have 1 Run Type item and can have 0 or 1 Varnish item.
A Processing item must have 1 Process definition item.
I've tried to narrow the number of fields a user in this role can access on the contract field. But in order to actually update the contract, I need to give it full edit access to all the related tables (as you see in the screenshot above), otherwise Directus returns FORBIDDEN.
As a test, I've reduced the number of updatable fields on Press for this role. If I directly access a Press item and try to edit permitted fields, I run into no problems.
But if I open a Contract item, open a related Press from there and modify it (always editing fields the user can access), save the Press item I've just edited and then save the Contract, I get the error. If I save the Press and discard the Contract, the whole edit is discarded.
The user in this role can actually read, as you see, but I can't give him update write access to ALL fields.
To Reproduce
I've explained in the description.
The error is a bit scarce
Errors Shown
This is the result from an API call
{"errors":[{"message":"You don't have permission to access this.","extensions":{"code":"FORBIDDEN"}}]}
What version of Directus are you using?
9.11.1
What version of Node.js are you using?
16.15.0 locally
What database are you using?
Directus Cloud Community
What browser are you using?
Firefox, Chrome
How are you deploying Directus?
Directus Cloud, locally