Describe the Bug
Collections: A & B (having M2M relationship).
User has permission to Create, View & Edit (own items only) for collection A.
User has permission to Create & View junction collection of A & B.
User has permission to View for collection B (for selected fields).
In the Form view for A, in the M2M field, user selects a value from B and clicks on Save (in the select view).
After that, if the user now clicks on the selected record, the entire editable record for B pops up! User can also perform editing on any of the fields in B, even the fields that are not allowed to the user. Clicking on the Save icon brings the user back to the form for A. But, clicking again on Save gives an error:
```json
{
  "message": "You don't have permission to access this.",
  "extensions": {
    "code": "FORBIDDEN"
  }
}
```
So, at least the user isn't able to actually save modifications to the item in B.
My issue here is that the user shouldn't have been able to see a modifiable edit form for B in the first place!
I tried navigating to the Edit form for the item in B via the direct link, and there the form is not editable for the user, as expected.
But the popup form for B, from A, is editable.
To Reproduce
.
Hosting Strategy
Self-Hosted (Docker Image)
I can't think of an immediate workaround and this should also not be blocking any deployment as this is only app-side and the API validates the requests properly, meaning it's only visual.
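To show why the app-side drawer is "only visual", here is an added illustration (not Directus code, and not the project's permission engine) of how a server authorizes a save that bundles a write to A, a junction insert and a nested edit of B. It mirrors the permission set from the report; the collection names `A`, `A_B`, `B`, the field names, the user id and the `authorize`, `authorizeNestedSave`, `filterReadable` and `canEditInline` functions are all constructed for the example. The last function is the kind of check a client could make before rendering a related item as editable.

```javascript
// Constructed permission set mirroring the report: one rule per (collection, action).
// `fields: ['*']` means every field; `ownOnly` limits the rule to the user's own items.
const PERMISSIONS = [
  { collection: 'A',   action: 'create', fields: ['*'] },
  { collection: 'A',   action: 'read',   fields: ['*'], ownOnly: true },
  { collection: 'A',   action: 'update', fields: ['*'], ownOnly: true },
  { collection: 'A_B', action: 'create', fields: ['*'] },
  { collection: 'A_B', action: 'read',   fields: ['*'] },
  { collection: 'B',   action: 'read',   fields: ['id', 'title'] }, // selected fields only
];

// Error shape quoted in the report.
const FORBIDDEN = {
  message: "You don't have permission to access this.",
  extensions: { code: 'FORBIDDEN' },
};

function findRule(perms, collection, action) {
  return perms.find((p) => p.collection === collection && p.action === action);
}

// Authorize a single operation. `fields` lists the fields the request touches.
function authorize(perms, { collection, action, fields = [], ownerId, userId }) {
  const rule = findRule(perms, collection, action);
  if (!rule) return { ok: false, error: FORBIDDEN };
  if (rule.ownOnly && ownerId !== userId) return { ok: false, error: FORBIDDEN };
  if (!rule.fields.includes('*')) {
    const denied = fields.filter((f) => !rule.fields.includes(f));
    if (denied.length > 0) return { ok: false, error: FORBIDDEN, denied };
  }
  return { ok: true };
}

// Authorize a nested save: the top-level item plus every related write the client
// bundled with it. Each level is checked on its own merits; what the UI rendered
// as editable plays no part in the decision.
function authorizeNestedSave(perms, userId, save) {
  const top = authorize(perms, { ...save, userId });
  if (!top.ok) return { ...top, collection: save.collection };
  for (const nested of save.nested ?? []) {
    const result = authorize(perms, { ...nested, userId });
    if (!result.ok) return { ...result, collection: nested.collection };
  }
  return { ok: true };
}

// Read-side filtering: keep only the fields the read rule allows, or null if no rule.
function filterReadable(perms, collection, item) {
  const rule = findRule(perms, collection, 'read');
  if (!rule) return null;
  if (rule.fields.includes('*')) return { ...item };
  return Object.fromEntries(Object.entries(item).filter(([k]) => rule.fields.includes(k)));
}

// The question a client should ask before opening an editable drawer for a related item.
function canEditInline(perms, collection) {
  return findRule(perms, collection, 'update') !== undefined;
}

// Constructed save matching the report: update own A item, link an existing B through
// the junction, and, because the drawer was editable, a nested update of B.
const USER = 'user-1';
const SAVE_WITH_B_EDIT = {
  collection: 'A', action: 'update', fields: ['name', 'b_items'], ownerId: USER,
  nested: [
    { collection: 'A_B', action: 'create', fields: ['a_id', 'b_id'] },
    { collection: 'B',   action: 'update', fields: ['title', 'internal_notes'] },
  ],
};
// The same save with only the link, which is what the user is actually allowed to do.
const SAVE_LINK_ONLY = { ...SAVE_WITH_B_EDIT, nested: SAVE_WITH_B_EDIT.nested.slice(0, 1) };

console.log(authorizeNestedSave(PERMISSIONS, USER, SAVE_WITH_B_EDIT)); // FORBIDDEN, collection 'B'
console.log(authorizeNestedSave(PERMISSIONS, USER, SAVE_LINK_ONLY));   // { ok: true }
console.log(filterReadable(PERMISSIONS, 'B', { id: 7, title: 'Seven', internal_notes: 'hidden' }));
console.log(canEditInline(PERMISSIONS, 'B')); // false: no update rule, so no editable drawer
```

The point of checking each nested write separately is that a junction-level create permission never implies an update permission on the related collection; the server reaches the same FORBIDDEN for the bundled B edit whether or not the client showed an edit form, and `canEditInline` is what would keep the form read-only in the first place.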