Skip to content
This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Fix 717 #944

Merged
merged 2 commits into from
May 15, 2019
Merged

Fix 717 #944

merged 2 commits into from
May 15, 2019

Conversation

itsmerhp
Copy link
Contributor

@itsmerhp itsmerhp commented May 9, 2019

Applied changes in processFilter function to enforce read blacklist filter for below cases :

  • If collection has status field and a field has been blacklisted for specific statuses, then filter by that field would avoid records having blacklisted statuses.
  • If collection has status field and a field is blacklisted for all the statuses, then exception should be thrown on filter by that field.
  • If collection has not status field and a field is blacklisted, then exception should be thrown on filter by that field.

@binal-7span
Copy link
Contributor

binal-7span commented May 14, 2019

@itsmerhp

Just gone through PR and found that the behavior of collection which has status field and which doesn't have status field is different.

Let's have an example.
(1) The collection which contains status field and the title field is blacklisted; returns the blank array for filter it with the title.
(2) The collection which doesn't contain the status field and the title field is blacklisted; throw the exception for filter it with the title.

So let's make it common for both scenarios. Kindly replace the exception of

Unable to access title related data

with

Invalid field title

As the user will not get field which is blacklisted for Read permission in the listing API and if still, they try to implement filter on that field, then it's not meant to give them the exception for the permission. Instead of that, we should return the exception like Invalid field. As they may or may not know that the blacklisted field exists in the collection.

@binal-7span binal-7span merged commit 1e26735 into directus:master May 15, 2019
binal-7span pushed a commit that referenced this pull request Jun 17, 2019
* pgsql 10 initial support

* email_notification column must be set as a boolean

* Handle unique column collisions

* BUG delta in revisions can be null

* BUG transformed the remaining lastInsertValue into getLastGeneratedId()

* Pass new item flag to o2m new items

Closes https://github.com/directus/app/issues/1418

* Don't show popover for 0 items / no template

Closes https://github.com/directus/app/issues/1397

* Bug fix (#848)

* Merge conflict resolve

* Handle item not found exception in collection detail API

* Extended the list of safe tags (#849)

As described in issue #832

* Issue fix #819 (#851)

* Mark adding new item as new in m2m

* Bump version

* Revert composer changes

* Issue fix #843 (#852)

* BUG searches with LIKE on non-textual columns

* Remove the extensions from the API

* Issue fix #847 (#857)

* Issue fix #833 (#859)

* Initial commit for documentation (#844)

* Revert "Initial commit for documentation (#844)" (#868)

This reverts commit 6e85d59.

* BUG Bypass Zend-db choice not to allow nullable boolean fields

* BUG field length were not taken into account

* CHORE dupliacted line

* BUG o2m working + post-alter table event dispatching

* Return object in delete after hook instead of onli ID (#882)

* Add fix for big file sizes

Closes #750

* Add migrations for hash and single-file

* Show correct fields in roles.users

For some reason the database column for options was empty

Closes https://github.com/directus/app/issues/1471

* Delete ISSUE_TEMPLATE.md

* security notice

* Add check for mod_php before setting php_value for upload size

This will prevent errors on systems that don't allow overriding the php
values from within the .htaccess files. This will only check for php 7+
though, as the mod_php directive is version specific. This is okay for
now, as we officially only support PHP 7.1+

* Change field width from integer to string

This will allow the app to render the fields in the correct widths
starting with v7.2.

* Issue fix #854 (#896)

* Add migrations for setting field notes and widths

Lays out the settings a bit nicer and adds setting descriptions.

Fixes https://github.com/directus/app/issues/1379

* Fix sort order of fields on install

* Increase specificity of migrations so it doesn't target non-settings

* Move collection notes to the DB

I'm aware that this makes them english only for the time being.
Once we implement the using the translation column in the app, we
can make them properly translatable.

* Fix abstraction name

* Add migrations for misc fields

Sorting of files, making a couple interfaces required, etc

* Bump version

* Fix: Wrong MIME for extentions in uppercase (#895)

* FEAT more events that invalidate the cache (#892)

* Allowing string relations (#800)

* emoji support for comments and bookmark names

* Use JSON interface for system collections

* Fixing custom primary key primary key column name (#881)

Swapping this variable seems to resolve the issue.

* Bump version

* Issue #885 (#898)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* Issue#885 - Done

* #885 Removed Test cases

* Issue #886 (#899)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* Issue#885 - Done

* Issue#886 - Done

* #886 Reverted unwanted code

* Issue #884 (#901)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #884 Done

* #884 Removed Test cases

* Issue #884 - Change (#907)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #884 Done

* #884 Removed Test cases

* #884 change

* Fix#810 (#908)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #810 done

* #810 Reverting Test Cases

* Issue Fix #902 (#909)

* Issue fix #902

* Add migration for allow value nullable in settings table

* Set texttype for value field

* Doc issue fix #84 (#910)

* Issue fix #841 (#911)

* Increase expiry time of tokens from 5 to 20 minutes (#913)

It should still be pretty secure. This allows the app to go easier on
the refreshing, and it makes sure that you can upload large files
without having the token expire halfway through.

* Fix missing ref to 5 min exp

* Issue Fix #863 (#916)

* Issue fix #853 (#918)

* Issue Fix #920 (#922)

* Issue Fix #920

* Issue Fix #920

* Issue fix #879 (#924)

* [thumbnailer] Support for files in subdirectories (#856)

Many websites store images in a complex directory structure. This PR
makes it possible to use thumbnailer in such cases.

For instance :
`/thumbnail/_/100/100/crop/good/complex/path/to/some-image.jpg

* defaults cors.max-age to 600 (#921)

* Bump version

* Fix 943 (#947)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #943

* Fix 717 (#944)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #717

* Fix 576 (#926)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #576 - In progress

* #576 O2M and M20 nested filters

* #576 Fix O2M and M2O nested filters

* get proper string length (#933)

Not tested... I only based this PR on:

Ref: 0fce6a4#commitcomment-33408113

* fixed settings logo (#940)

* added collection/table to InvalidFieldException (#956)

* Fix 931 (#936)

* Test cases : AUthentication - Auth, Forgot Password, Collections - Create, Delete

* #931

* #931

* Issue fix #917 (#960)

* reuse item service instead of using a new instance (#959)

* Issue fix 762 (#961)

* Plain text mail issu resolve (#966)

* Bump version
arboehme pushed a commit to arboehme/api that referenced this pull request Sep 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants