Custom permissions not working after update from rc94 to rc96 #8794

Closed
u12206050 opened this issue Oct 14, 2021 · 12 comments
@u12206050
Contributor

Describe the Bug

So after updating to rc96 and running migrations, non-admin users can not update items as they previously could.

It seems custom permissions are being parsed differently now than before.

The following is a very common filter rule I use on a lot of my collections and it used to work on rc94.

{
	"group": {
		"users": {
			"user": {
				"_eq": "$CURRENT_USER"
			}
		}
	}
}

I even have a more advanced one that also used to work, albeit only on update but not on create:

{
	"group": {
		"users": {
			"user": {
				"_eq": "$CURRENT_USER"
			},
			"role": {
				"_eq": "author"
			}
		}
	}
}

To Reproduce

Set up a groups collection that has a many-to-many relationship to directus_users called users.
Note, I called the foreign column user.
Optionally, to test with a role, add a string field called role to the pivot table.

Set up a different collection, such as registrations, with an M2O relationship to groups.

Add users to groups and attach a group to a registration.

Create a role with the permissions above for Update and View on registrations.

Now log in with a user that has that role and try viewing and updating a registration.

What version of Directus are you using?

9.0.0-rc.96

What version of Node.js are you using?

16.4.0

What database are you using?

mysql

What browser are you using?

chrome

What operating system are you using?

osx

How are you deploying Directus?

Locally

@rijkvanzanten
Member

This:

{
  "group": {
    "users": {
      "user": {
        "_eq": "$CURRENT_USER"
      },
      "role": {
        "_eq": "author"
      }
    }
  }
}

should be this:

{
  "_and": [
    {
      "group": {
        "users": {
          "user": {
            "_eq": "$CURRENT_USER"
          }
        }
      }
    },
    {
      "group": {
        "users": {
          "role": {
            "_eq": "author"
          }
        }
      }
    }
  ]
}

The first example should be correct.

@u12206050
Contributor Author

Thanks, tried this, but for some reason I am now getting duplicate results in the collection view.

@u12206050
Contributor Author

Correction, I am getting duplicate results on a different filter:

{
	"_or": [
		{
			"group": {
				"is_global": {
					"_eq": true
				}
			}
		},
		{
			"group": {
				"users": {
					"user": {
						"_eq": "$CURRENT_USER"
					}
				}
			}
		}
	]
}

Both of these statements are true; that's probably why there are duplicates?

@u12206050
Contributor Author

u12206050 commented Oct 14, 2021

It seems the _and condition as you use it doesn't match the $CURRENT_USER with the role = admin; it just checks that ANY user is the $CURRENT_USER and that ANY user's role is admin.

{
	"group": {
		"users": {
			"_and": [
				{
					"user": {
						"_eq": "$CURRENT_USER"
					}
				},
				{
					"role": {
						"_eq": "author"
					}
				}
			]
		}
	}
}

BUT THIS DOES NOT WORK.
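The two behaviours reported above (duplicate rows from the `_or` over the to-many users relation, and a top-level `_and` that lets any member satisfy each condition) both come down to how a relational filter is turned into SQL. The script below is an added example, not Directus's query builder and not code from the thread: it models the collections the issue describes in sqlite3 with constructed sample rows (groups, a groups_users pivot with user and role, registrations with an M2O to groups) and runs each filter shape against them so the over-grant and the duplicates are visible.

```python
import sqlite3

# Constructed sample data (not from the issue): groups, the groups_users M2M
# pivot to directus_users (foreign column "user" plus a "role" string), and
# registrations with an M2O to groups. The M2O column is named group_id here
# only because "group" is an SQL keyword.
SCHEMA = """
CREATE TABLE groups (id TEXT PRIMARY KEY, is_global INTEGER NOT NULL);
CREATE TABLE groups_users (group_id TEXT NOT NULL, user TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE registrations (id INTEGER PRIMARY KEY, group_id TEXT NOT NULL);
"""
GROUPS = [("g1", 0), ("g2", 0), ("g3", 1)]
MEMBERS = [
    ("g1", "u-1", "viewer"),  # current user is only a viewer of g1 ...
    ("g1", "u-2", "author"),  # ... while someone else is its author
    ("g2", "u-1", "author"),  # current user really is an author of g2
    ("g3", "u-1", "viewer"),  # g3 is a global group with two members
    ("g3", "u-2", "viewer"),
]
REGISTRATIONS = [(1, "g1"), (2, "g2"), (3, "g3")]
CURRENT_USER = "u-1"  # stands in for the $CURRENT_USER variable


def connect():
    """Fresh in-memory database seeded with the sample rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO groups VALUES (?, ?)", GROUPS)
    db.executemany("INSERT INTO groups_users VALUES (?, ?, ?)", MEMBERS)
    db.executemany("INSERT INTO registrations VALUES (?, ?)", REGISTRATIONS)
    return db


def _ids(db, sql, user):
    return [row[0] for row in db.execute(sql, (user,))]


def uncorrelated_and(db, user):
    """Top-level _and of two separate group.users paths. Each path becomes
    its own membership test, so ANY member may satisfy each condition:
    g1 passes because u-1 is a member and u-2 is an author."""
    return _ids(db, """
        SELECT r.id FROM registrations r
        JOIN groups g ON g.id = r.group_id
        WHERE EXISTS (SELECT 1 FROM groups_users gu
                      WHERE gu.group_id = g.id AND gu.user = ?)
          AND EXISTS (SELECT 1 FROM groups_users gu
                      WHERE gu.group_id = g.id AND gu.role = 'author')
        ORDER BY r.id""", user)


def correlated_and(db, user):
    """Both conditions on the same pivot row (the intent of the filter with
    _and nested under users): the current user must themselves be the author."""
    return _ids(db, """
        SELECT r.id FROM registrations r
        JOIN groups g ON g.id = r.group_id
        WHERE EXISTS (SELECT 1 FROM groups_users gu
                      WHERE gu.group_id = g.id
                        AND gu.user = ? AND gu.role = 'author')
        ORDER BY r.id""", user)


def or_with_join(db, user):
    """The _or filter (is_global OR users.user = current) evaluated over a
    LEFT JOIN onto the to-many pivot: a global group with N members yields
    its registration N times. This models the duplicate rows reported."""
    return _ids(db, """
        SELECT r.id FROM registrations r
        JOIN groups g ON g.id = r.group_id
        LEFT JOIN groups_users gu ON gu.group_id = g.id
        WHERE g.is_global = 1 OR gu.user = ?
        ORDER BY r.id""", user)


def or_with_exists(db, user):
    """Same _or filter with the to-many test pushed into EXISTS, so each
    registration is emitted at most once."""
    return _ids(db, """
        SELECT r.id FROM registrations r
        JOIN groups g ON g.id = r.group_id
        WHERE g.is_global = 1
           OR EXISTS (SELECT 1 FROM groups_users gu
                      WHERE gu.group_id = g.id AND gu.user = ?)
        ORDER BY r.id""", user)


if __name__ == "__main__":
    db = connect()
    for fn in (uncorrelated_and, correlated_and, or_with_join, or_with_exists):
        print(f"{fn.__name__:16} -> {fn(db, CURRENT_USER)}")
```

For a permission rule the uncorrelated form is the one to worry about: it grants the action on every registration of any group the user merely belongs to, as long as some other member holds the author role. The duplicate rows are only a display problem, but they are the tell that the filter was joined onto a to-many relation instead of being evaluated as an existence test.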

@Prochy20

Hey. I have almost the same behavior:

  1. When I set in the app that I want to allow edit only for the user whose ID is equal to $CURRENT_USER, I get this in my DB:

{"_and": [{"user_created": {"id": {"_eq": null}}}]}

  2. When I replace null in the DB with $CURRENT_USER it still does not work (the user is not allowed to edit).

This is what I set in the DB:
{"_and": [{"user_created": {"id": {"_eq": "$CURRENT_USER"}}}]}

I am using v9.0.0-rc.98

@Skywrath-Mage

  1. When I set in the app that I want to allow edit only for the user whose ID is equal to $CURRENT_USER, I get this in my DB:

I think it is not supported, because it's a dynamic value.
#2993

@valdeirpsr

valdeirpsr commented Oct 22, 2021

Hey. I have almost the same behavior:

  1. When I set in the app that I want to allow edit only for the user whose ID is equal to $CURRENT_USER, I get this in my DB:

{"_and": [{"user_created": {"id": {"_eq": null}}}]}

  2. When I replace null in the DB with $CURRENT_USER it still does not work (the user is not allowed to edit).

This is what I set in the DB: {"_and": [{"user_created": {"id": {"_eq": "$CURRENT_USER"}}}]}

I am using v9.0.0-rc.98

This happens in the application because the value "$CURRENT_USER" does not follow the pattern defined at this line:

case 'uuid':
return '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}';

@devjabeer

There should be an option for adding a filter either through the filter interface or by writing filter code, or the filter interface should have an option for dynamic fields like current_user and current_role. I am not able to filter items based on the current user because the filter interface does not allow the current_user dynamic field.

@rijkvanzanten
Member

@mdjabeer4u click the field label and use "Raw Value". Works for fields all over the app 👍🏻

@devjabeer

@mdjabeer4u click the field label and use "Raw Value". Works for fields all over the app 👍🏻

Did not realize that's a button. Thanks.

@joselcvarela joselcvarela self-assigned this Oct 28, 2021
@joselcvarela
Member

Hello @u12206050
I am not able to reproduce this anymore. Maybe this is already fixed.

Also @valdeirpsr,
That seems to be fixed now:

case 'uuid':
return '\\$CURRENT_USER|\\$CURRENT_ROLE|[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}';

I am going to close it for now, but if you think this is still an issue we can reopen.
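The regex difference valdeirpsr and joselcvarela quote is small enough to check directly. The snippet below is an added Python example, not Directus code: it carries the two uuid patterns exactly as quoted in the thread and models the form-field behaviour reported (the typed value is kept when the type's pattern accepts it, and null is stored when it does not). The `stored_value` and `unanchored_hit` helpers and the use of `fullmatch` are this example's own assumptions, not a description of how Directus applies the pattern; the point of the second helper is the check a reviewer would want on any alternation like this one, namely that it is anchored as a whole before it is used to accept a value.

```python
import re

# Pattern quoted in the thread for the "uuid" field type before the fix ...
UUID_ONLY = (r"[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-"
             r"[a-fA-F0-9]{4}-[a-fA-F0-9]{12}")
# ... and after it, with the two dynamic variables added as alternatives.
# (The JS source writes "\\$" inside a string literal; the regex itself is "\$".)
UUID_OR_DYNAMIC = r"\$CURRENT_USER|\$CURRENT_ROLE|" + UUID_ONLY


def stored_value(value, pattern):
    """Model (this example's assumption, not Directus code) of a form field
    that keeps the typed value only when it matches the type's pattern and
    otherwise stores null, the behaviour reported for $CURRENT_USER turning
    into null in the database. fullmatch anchors the whole alternation, so a
    value with trailing junk after the variable name is rejected."""
    return value if re.fullmatch(pattern, value) else None


def unanchored_hit(value, pattern):
    """What a bare search on the same alternation would accept: each dynamic
    branch matches as a prefix, so "$CURRENT_USER-anything" slips through.
    Included as the check to run before trusting an alternation like this."""
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    for value in ("$CURRENT_USER", "$CURRENT_ROLE",
                  "0f8fad5b-d9cb-469f-a165-70867728950e", "$CURRENT_USER-x"):
        print(f"{value:40} old={stored_value(value, UUID_ONLY)!r:8} "
              f"new={stored_value(value, UUID_OR_DYNAMIC)!r}")
```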

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2024