Permission Field Preset with Dynamic Variable #13806

Closed
piotr-cz opened this issue Jun 9, 2022 · 3 comments · Fixed by #13830
piotr-cz commented Jun 9, 2022

Describe the Bug

I'm not able to use a Dynamic Variable as the default field value with Custom Role > Collection > Read > Field Preset.

Suspect commit: #10576 (comment)

According to Docs > Filter Rules > Dynamic Variables it should work:

Note: This feature is only available for permissions, validation, and presets. Regular filters and conditional fields currently only support the root ID.

Use case
I'm setting up Directus for multi-tenancy with a single database where every user and content item has a field Organisation.
For new content items I'd like to prefill the Organisation field value with the user's Organisation (and even hide it if that's possible).

Extensive description is available here: #9682 (reply in thread)

To Reproduce

  1. Create new Data model (News) with field my_email as string
  2. Create new Role (Manager) with App Access: Enabled, Admin Access: Disabled
  3. Set Create Permission for News to Use Custom
  4. Set Field Presets to
    {
      "my_email": "$CURRENT_USER.email"
    }
  5. Create new User with Manager role and log in
  6. Go to Content > News > Create Item
  7. See Dynamic variable key used instead of value

Errors Shown

Value filled in as $CURRENT_USER.email instead

When the field has type M2O (as described in Use case), an error pops up: [Forbidden] You don't have permission to access this. However, I believe the root cause is the Dynamic Variables replacement issue.

What version of Directus are you using?

9.12.1

What version of Node.js are you using?

16.15.1

What database are you using?

MySQL 5.7.32

What browser are you using?

Chrome

How are you deploying Directus?

locally


piotr-cz commented Jun 9, 2022

Perhaps a simpler reproduction is to:

  1. Create collection with type DateTime: date_published
  2. Set Field Presets to
    {
      "date_published": "$NOW"
    }
    

The Dynamic Variable is not expanded: the field value is $NOW.


azrikahar commented Jun 10, 2022

This turns out to be an App-only bug, but the API does work as usual since the referenced PR #10576 was only dealing with the App.

When the field has type M2O (as described in Use case), an error pops up: [Forbidden] You don't have permission to access this. However, I believe the root cause is the Dynamic Variables replacement issue.

I believe this may indeed be a permission issue, since Dynamic Variables are working API side. Here's an example:

chrome_FNRnbYEGdt.mp4

Notice that even though the App does indeed show the "unparsed" dynamic variable $CURRENT_USER.email, it is never sent to the API (since that's how default values in the App currently work). The $CURRENT_USER.email is then correctly parsed API side, and the resulting item shows the current user's email.

The same is happening for the DateTime reproduction 👍 so I'd recommend double checking your permissions settings (when it comes to relational fields) for this scenario if possible.

Extensive description is available here: #9682 (reply in thread)

For the issue described here, the App is now truly affecting this use case since you need the organisation ID for the URL to be formed properly! But you also pointed out the query formed is correct, so it is indeed working API side.

With that said, will get a PR up to fix this App side. Thanks again for the additional reproduction steps and elaborate descriptions.


piotr-cz commented Jun 10, 2022

Thanks for looking into this and preparing a PR!

As I mentioned in #9682 (reply in thread), I believe the Forbidden error comes up as an effect of having a raw Dynamic Variable in an M2O type field at the time when the form/Item detail is opened.

As you mentioned, the Dynamic Variable is indeed expanded/replaced when the form is being saved; however, at the time the error popup is shown, the value is not visible in the M2O field just after this request:

GET 403 /items/organisations/%24CURRENT_USER.organisation_id?fields[]=name&fields[]=id

Content-Type: application/json; charset=utf-8
{"errors":[{"message":"You don't have permission to access this.","extensions":{"code":"FORBIDDEN"}}]}

BTW: The error message comes from ForbiddenException and actually indicates a parsing error rather than a permission issue:

    } else if (primaryKeyFieldType === 'integer' && !Number.isInteger(Number(keys))) {
        throw new ForbiddenException();
    }

Anyway, I believe your pull request will fix this case.
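The failure discussed in this thread, as an added example that is not part of the issue and is not Directus source code: preset values are resolved against the current user before they are used as form defaults, and a related-item URL is built only when the key passes the same integer check quoted above. The helper names (`resolvePresets`, `relatedItemUrl`) and the sample user are assumptions made for illustration.

```javascript
// Added illustration; not Directus source. Helper names are hypothetical.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Resolve one preset value. Returns undefined when a variable cannot be
// resolved, so callers never receive the raw "$..." token.
function resolveValue(value, ctx) {
  if (typeof value !== 'string' || !value.startsWith('$')) return value;
  if (value === '$NOW') return ctx.now.toISOString();
  if (value.startsWith('$CURRENT_USER.')) {
    return getPath(ctx.user, value.slice('$CURRENT_USER.'.length));
  }
  return undefined; // unknown variable
}

// Resolve every preset; unresolved entries are left out of the defaults.
function resolvePresets(presets, ctx) {
  const out = {};
  for (const [field, raw] of Object.entries(presets)) {
    const v = resolveValue(raw, ctx);
    if (v !== undefined) out[field] = v;
  }
  return out;
}

// Build the related-item URL only for a key that fits the primary key type.
// A raw "$CURRENT_USER.organisation_id" is rejected here by the same integer
// test the API applies, instead of being requested and answered with 403.
function relatedItemUrl(collection, key, pkType) {
  if (key == null || key === '') return null;
  if (pkType === 'integer' && !Number.isInteger(Number(key))) return null;
  return `/items/${collection}/${encodeURIComponent(key)}?fields[]=name&fields[]=id`;
}

// Constructed sample context and presets (field names taken from the issue).
const ctx = {
  now: new Date('2022-06-10T00:00:00Z'),
  user: { id: 'u-1', email: 'manager@example.com', organisation_id: 7 },
};
const presets = {
  my_email: '$CURRENT_USER.email',
  date_published: '$NOW',
  organisation: '$CURRENT_USER.organisation_id',
};
const defaults = resolvePresets(presets, ctx);
console.log(defaults, relatedItemUrl('organisations', defaults.organisation, 'integer'));
```

Passing the unresolved token to `encodeURIComponent` yields `%24CURRENT_USER.organisation_id`, the path segment seen in the 403 request above.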

github-actions bot locked as resolved and limited conversation to collaborators on Feb 2, 2024