
Edit form is displayed to user with no create/edit permission #17753

Closed
3 tasks done
arladmin opened this issue Mar 9, 2023 · 3 comments · Fixed by #16373
arladmin commented Mar 9, 2023

Checklist

Describe the Bug

Collections: A & B (having M2M relationship).

User has permission to Create, View & Edit (own items only) for collection A.
User has permission to Create & View junction collection of A & B.
User has permission to View for collection B (for selected fields).

[Screenshot of the permission configuration; image not included]

In the Form view for A, in the M2M field, the user selects a value from B and clicks on Save (in the select view).
After that, if the user now clicks on the selected record, the entire, editable record for B pops up! The user can also perform editing on any of the fields in B, even the fields that are not allowed to the user. Clicking on the Save icon brings the user back to the form for A. But clicking Save again gives an error:

{
  "message": "You don't have permission to access this.",
  "extensions": {
    "code": "FORBIDDEN"
  }
}

So, at least the user isn't able to actually save modifications to the item in B.

My issue here is that the user shouldn't have been able to see a modifiable edit form for B in the first place!

I tried navigating to the Edit form for the item in B via the direct link, and there the form is not editable for the user, as expected.
But the popup form for B, from A, is editable.

To Reproduce

.

Hosting Strategy

Self-Hosted (Docker Image)

arladmin (Author) commented

@Nitwel
Hi.

Is there any immediate workaround for this issue, until a permanent solution gets deployed?

This seems to be a major bug (permissions not being respected) which is blocking deployment of the project to production.


Nitwel commented Mar 21, 2023

I can't think of an immediate workaround, and this should also not be blocking any deployment, as this is only app-side and the API validates the requests properly, meaning it's only visual.
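Nitwel's point, and the permission setup described in the report (edit own items only on A, create/view on the junction, view of selected fields on B), both hinge on where permissions are actually enforced. The following added example is not Directus's own code: it models a server-side authorization check over a constructed permission table shaped loosely like Directus permission rules (collection, action, fields, a `$CURRENT_USER` row filter). The collection names `A`, `A_B` and `B`, the field names, and the user ids are assumptions. It replays the reported flow to show that the update the popup let the user submit is rejected with the quoted FORBIDDEN payload, and that a client which derives its edit-form gating from the same rules would have opened B read-only.

```python
"""Added example (not Directus code): a minimal model of server-side
permission enforcement for the setup in this report.

Constructed permission rules for one role, shaped loosely like Directus
permission items (collection, action, fields, permissions filter).
Collection/field names, user ids and the junction name are assumptions."""

CURRENT_USER = "$CURRENT_USER"  # placeholder substituted with the caller's id

PERMISSIONS = [
    {"collection": "A", "action": "create", "fields": ["*"], "permissions": {}},
    {"collection": "A", "action": "read", "fields": ["*"], "permissions": {}},
    # Edit own items only: row filter on the creator field.
    {"collection": "A", "action": "update", "fields": ["*"],
     "permissions": {"user_created": {"_eq": CURRENT_USER}}},
    {"collection": "A_B", "action": "create", "fields": ["*"], "permissions": {}},
    {"collection": "A_B", "action": "read", "fields": ["*"], "permissions": {}},
    # B: view only, and only selected fields. No update rule at all.
    {"collection": "B", "action": "read", "fields": ["id", "name"], "permissions": {}},
]

# Error payload as quoted in the report.
FORBIDDEN = {"message": "You don't have permission to access this.",
             "extensions": {"code": "FORBIDDEN"}}


def rule_for(collection, action):
    """First rule matching (collection, action), or None if the role has none."""
    for rule in PERMISSIONS:
        if rule["collection"] == collection and rule["action"] == action:
            return rule
    return None


def row_filter_matches(filter_, item, user_id):
    """Evaluate a flat {field: {"_eq": value}} filter against a stored item."""
    for field, cond in filter_.items():
        expected = user_id if cond.get("_eq") == CURRENT_USER else cond.get("_eq")
        if item.get(field) != expected:
            return False
    return True


def authorize(user_id, action, collection, item, fields):
    """Server-side decision: None when allowed, else the FORBIDDEN payload.

    item   -- the stored record, used for the row filter
    fields -- the fields the request reads or writes
    """
    rule = rule_for(collection, action)
    if rule is None:
        return FORBIDDEN
    if not row_filter_matches(rule["permissions"], item, user_id):
        return FORBIDDEN
    if rule["fields"] != ["*"] and any(f not in rule["fields"] for f in fields):
        return FORBIDDEN
    return None


def should_render_edit_form(user_id, collection, item):
    """Client-side gating derived from the same rules: the related-item
    popup should open read-only unless an update on this item is allowed."""
    return authorize(user_id, "update", collection, item, []) is None


def replay_report():
    """Walk through the flow in the report for user 'u1'."""
    a_item = {"id": 1, "user_created": "u1"}
    b_item = {"id": 7, "name": "widget", "cost": 10}
    return {
        # Editing the user's own A item is allowed.
        "update_own_A": authorize("u1", "update", "A", a_item, ["title"]),
        # Linking A to B through the junction is allowed.
        "create_junction": authorize("u1", "create", "A_B", {}, ["A_id", "B_id"]),
        # Viewing B is allowed only for the selected fields.
        "read_B_allowed": authorize("u1", "read", "B", b_item, ["name"]),
        "read_B_hidden_field": authorize("u1", "read", "B", b_item, ["cost"]),
        # The edited B record the popup let the user submit is rejected.
        "update_B": authorize("u1", "update", "B", b_item, ["name"]),
        # What the popup should have decided before rendering an editable form.
        "popup_editable_B": should_render_edit_form("u1", "B", b_item),
        "popup_editable_own_A": should_render_edit_form("u1", "A", a_item),
    }


if __name__ == "__main__":
    for step, result in replay_report().items():
        print(step, "allowed" if result is None else result)
```

The design point is that the UI decision in `should_render_edit_form` is a convenience layer over the same `authorize` function the API uses, so a client that forgets to consult it (as the popup in this report does) degrades to a confusing form rather than to a data change; the `update_B` step is the request the API refuses regardless of what the client rendered.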

arladmin (Author) commented

@Nitwel
We are using the Directus Studio as our Frontend itself, where all the users work.
Hence, this issue's impact is exacerbated so much.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 1, 2024