Fields that are not editable because of policies are not disabled in O2M relationships #23910

Open
djigoio opened this issue Oct 24, 2024 · 0 comments · May be fixed by #24045
djigoio commented Oct 24, 2024

Description

There's an inconsistency in how access control rules are enforced when editing related items directly versus through a relation field. This creates a confusing user experience and potentially misleading UI state.

  • A user has two collections, exhibition and exhibition_images
  • Adds an O2M field to exhibition_images in exhibition
  • Has a policy for specific users that does not allow updating exhibition_images if the status is archived
  • When accessing the item directly, they can't edit it, which is okay
  • When accessing the item through the relation (go to an exhibition item, edit exhibition images inside of it), fields are enabled (see image at the bottom) when they should not be.
  • When editing this through the relation, an error with not much info appears, and the information is not saved.

The error: [screenshot: error example]

Current Behavior

Policies are set up so:
The user can update exhibition_images if the status of the image is not archived

  • When accessing an archived exhibition_images item directly:

    • Fields are correctly disabled
    • UI properly reflects the user's lack of permissions
    • Unable to edit as expected
  • When accessing the same exhibition_images item through a relation (via parent exhibition item):

    • Fields appear enabled and editable
    • UI suggests the user has edit permissions
    • Saving fails with an unclear error message
    • Changes are not persisted due to permissions

Expected Behavior

  • Fields should be disabled and non-editable in both scenarios
  • UI should consistently reflect the user's actual permissions

To Reproduce

Set up two collections:

  • exhibition
  • exhibition_images or similar (does not need to be an image) with a status field, values archived and enabled
  • Add an O2M to exhibition_images from exhibition

Create an access control policy:

  • Restrict updates to exhibition_images where status = 'archived'
  • Apply to specific user role

Create test data:

  • Add an exhibition
  • Add related exhibition images
  • Set some images to 'archived' status

Test direct access:

  • Navigate directly to an archived exhibition image with the new user
  • Verify fields are correctly disabled

Test relational access:

  • Navigate to the parent exhibition
  • Open the relation to edit exhibition images
  • Observe that fields for archived images are incorrectly enabled
  • Attempt to save changes

Directus Version

v11.1.1

Hosting Strategy

Self-Hosted (Docker Image)

Database

PostgreSQL 16
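The following is an added example, not code from the issue author or from Directus itself. It shows the permission rule described above in the JSON shape Directus uses for a policy's update permission (a `permissions` filter with `_neq`), plus a hypothetical client-side evaluator that applies that same rule to an item whether it is loaded directly or reached as a child of the parent's O2M field. The point is the consistency check at the end: the enabled/disabled decision for a nested item must equal the decision for the same item opened directly. The evaluator, the `editableDirect`/`editableViaRelation`/`consistent` helpers, the `images` relation field name and the sample data are all constructed for this example.

```javascript
// Added example (hypothetical, not Directus code): evaluate the same update
// permission for an item loaded directly and for the item nested under its
// parent's O2M field, so the UI state agrees on both paths.

// Constructed permission rule in the shape Directus uses for a policy's
// update permission on exhibition_images: allow only when status != archived.
const updatePermission = {
  collection: "exhibition_images",
  action: "update",
  permissions: { status: { _neq: "archived" } },
  fields: ["*"],
};

// Minimal filter evaluator (hypothetical). Supports _and/_or, the field
// operators _eq/_neq/_in/_nin, and nested relational filters such as
// { exhibition: { status: { _eq: "published" } } }.
function matchesFilter(filter, item) {
  for (const [key, value] of Object.entries(filter)) {
    if (key === "_and") {
      if (!value.every((f) => matchesFilter(f, item))) return false;
    } else if (key === "_or") {
      if (!value.some((f) => matchesFilter(f, item))) return false;
    } else {
      const entries = Object.entries(value);
      const isOperatorObject = entries.length > 0 && entries.every(([op]) => op.startsWith("_"));
      if (!isOperatorObject) {
        // Nested relational filter: descend into the related object.
        const related = item[key];
        if (related == null || !matchesFilter(value, related)) return false;
        continue;
      }
      const fieldValue = item[key];
      for (const [op, operand] of entries) {
        switch (op) {
          case "_eq":  if (fieldValue !== operand) return false; break;
          case "_neq": if (fieldValue === operand) return false; break;
          case "_in":  if (!operand.includes(fieldValue)) return false; break;
          case "_nin": if (operand.includes(fieldValue)) return false; break;
          default: throw new Error(`unsupported operator ${op}`);
        }
      }
    }
  }
  return true;
}

// Should update fields for this item be enabled? Same rule on every path.
function canUpdate(permission, item) {
  return matchesFilter(permission.permissions, item);
}

// Direct access: the item opened on its own page.
function editableDirect(item) {
  return canUpdate(updatePermission, item);
}

// Relational access: apply the identical decision to each child of the
// parent's O2M field, keyed by child id, instead of assuming "editable".
function editableViaRelation(parent, relationField) {
  return Object.fromEntries(
    parent[relationField].map((child) => [child.id, canUpdate(updatePermission, child)])
  );
}

// True when the direct and relational decisions agree for every child.
function consistent(parent, relationField) {
  const viaRelation = editableViaRelation(parent, relationField);
  return parent[relationField].every(
    (child) => editableDirect(child) === viaRelation[child.id]
  );
}

// Constructed sample data: one exhibition with an enabled and an archived image.
const exhibition = {
  id: 1,
  title: "Spring show",
  images: [
    { id: 10, status: "enabled", exhibition: 1 },
    { id: 11, status: "archived", exhibition: 1 },
  ],
};

// Usage: { '10': true, '11': false } on both paths, so consistent(...) is true.
console.log(editableViaRelation(exhibition, "images"), consistent(exhibition, "images"));
```

The server still enforces the rule on save regardless of what the drawer shows; the evaluator only makes the drawer's enabled state match what the API will accept, which is the behaviour the issue asks for.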
