-
-
Notifications
You must be signed in to change notification settings - Fork 9.2k
Description
Bug report
Required System information
- Node.js version: 18.14.0
- NPM version: 9.3.1
- Strapi version: 4.11.1 (but this seems to be the problem for longer time)
- Database: PostgreSQL
- Operating system: MacOS Monterey
- Is your project Javascript or Typescript: Javascript
Describe the bug
I have multiple DB tables that have "user" fields which are relations to users-permissions.
All tables with issues have this relation:
"user": {
"type": "relation",
"relation": "oneToOne",
"target": "plugin::users-permissions.user"
},
This tables are for example orders on the web-shop, service records for devices and so on. All related to logged-in users.
I discovered that filtering by these relations are not working at all anymore and all my registered users could see ALL orders - good thing that I still have small number of registered users, but I presume, someone could have the same issue on very large system!
Also - population does not work on same fields - if I use "populate=*" or "populate[0]=user" in query - this does nothing.
I noticed that all other relations seem to work - filtering + population. So it seems, only relation to users-permissions is broken.
But this is quite a big issue.
I need to note that these queries did not change for over 8 months in my code so I did not even have this on the radar that it could be a problem. Now I need to write some new tests.
Steps to reproduce the behavior
Simply try REST query on the table where you want to filter by related ID - for example, if I execute this when using 4.11.1:
http://localhost:1337/api/orders?filters[$and][0][user][id][$eq]=30&sort[id]=DESC&populate[0]=user&filters[id]=366
I get all orders and I should only get the ones related to user with ID 30.
Also - none of the records have "user" populated in response.
Same thing happens on all my tables with relation to users-permissions.
Expected behavior
Filtering by related table should work.
Population should work
Code snippets
By dumping ctx.request.query into my log - I can see that REST query seems correct:
[2023-06-13 20:40:30.095] http: GET /api/orders?filters[$and][0][user][id][$eq]=30&sort[id]=DESC&populate[0]=user (171 ms) 200
[2023-06-13 20:40:35.580] orders-find-query {
"filters": {
"$and": [
{
"user": {
"id": {
"$eq": "30"
}
}
}
]
},
"sort": {
"id": "DESC"
},
"populate": [
"user"
]
}
Additional context
I went back to vesion 4.6.2 just to test - and there the filtering works but population does not. I did not go back to where population works also.
If seems that from version 4.8.1 both filtering and population on these relations does not work. So, as said, this seems to be an issue for longer time.
Metadata
Metadata
Assignees
Labels
Type
Projects
Status