New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't retrieve OAS spec for public user #6084
Comments
This comment has been minimized.
This comment has been minimized.
From what I've gathered, this error originates from the following method call: directus/api/src/services/collections.ts Lines 207 to 210 in bb86de9
with then breaks here: directus/api/src/services/items.ts Line 269 in bb86de9
as this throws a ForbiddenException if you don't have all permissions. |
Hrm - being able to generate the OAS would seem to be best suited for an unauthenticated call? |
It's supposed to work for either 👍🏻 Just like the graphql one 🙂 The output should be based on the permissions of your current user, regardless of if it's public or not |
nice - in this instance, as an unauthenticated caller, it will fail then by design? |
So if I understand correctly, the output should change based on your current permissions, right? In that case, the |
Nope! Should still work. I see "unauthenticated" as the "public user" 🙂 |
Nevermind, I am in the wrong here, this is exactly what is currently done here. Strange that it doesn't work though.. |
I believe it's the fact that the specs service is initialized with the accountability info: directus/api/src/controllers/server.ts Lines 27 to 30 in bb86de9
Which makes a call to methods of these fail: directus/api/src/services/specifications.ts Lines 43 to 45 in bb86de9
We should take a peak at the graphql one and lift the logic from that (extract it into a shared util) |
I believe both the GraphQL one and the OAS use the same accountability info. The difference seems to be that the GraphQL information is based on the schema, whereas the OAS information is generated with queries. The immediate cause of the failure for me seems to be how When const collectionsRequested = getCollectionsFromAST(ast);
// [ { collection: 'directus_collections', field: null } ] However, it then tries filter the users permissions based on this information: directus/api/src/services/authorization.ts Lines 43 to 51 in bb86de9
However, the If we give access to these three tables, the user is able to access the OAS data, but I believe they're then able to see everything. |
The pubic role needs access to |
I think the primary concern here is that it's inconsistent, as a similar endpoint for GraphQL does work. |
@Nitwel That's the problem 🙂 Like @MoltenCoffee mentioned, the oas endpoint should work the same as the graphql endpoint |
Shouldn't this be at least part of the documentation? |
@rijkvanzanten but it doesn't. still, now. server/specs/graphql works, server/specs/oas — doesn't |
Yup! That's why this is an open issue 👍🏻 It should work the same, but currently doesn't |
Dear @rijkvanzanten , and Directus Team, first of all, i would like to thank you for this awesome platform. It was a real joy for me to try Directus and work my way through the docs and how everything works. I recently stumbled upon this issue, and i think this should be handled in a proper way. I would like to have my development workflow as follows:
When fiddling around, i noticed a few things that feel somehow strange when working with the latter.
Consider my scenario described above. Would it be possible to make the In order to call a specific route (i.e., create a new user, update an article item, delete a role, ...) the user still has to have a proper role with the correct permission. The fact that someone may have the information that a specific endpoint exists does not allow to call respective endpoint. What do you think about this proposal? |
Linear: ENG-295 |
i am sorry, but i cannot login and get the details from linear. can you share this here please? |
It's just a private mirror of the public issue I use for private notes and reminders 🙂 |
as @Nitwel mentioned above, the current user accessing the
This will, however, only show the basic routes, like everything related to In order to make them available, the user accessing the endpoint furthermore needs permissions for these custom collections, i.e.,
Finally, granting I think, the OAS document should be accessible withouth restrictions (i.e., based on the users permission accessing the document) - the same should apply for the graphql schema file. Just wanted to make the issue with the additional permissions for resources clear. |
Attempting to generate OAS at /server/specs/oas
Error returns with Access Denied.
GET to /server/specs/graphql work however (same Authorization Token)
Thought it might just be swallowing a deeper error so checked the raw logs and it does indeed show a 403
The text was updated successfully, but these errors were encountered: