Status: Closed (closed by abdonrd 2 years ago)
Maybe this PR https://github.com/directus/directus/pull/12488?
I think #12190
It is unrelated to #12190. The error was thrown in `validateFields` before the filter validation occurs, as `*` is not in the list of allowed columns.
https://github.com/directus/directus/blob/c2cd010eec120f308e3ce43b181200cdf55bda6b/api/src/services/authorization.ts#L116-L124
@rijkvanzanten How should we go about this issue?
- `count(*)` as long as there's read access to primary key.
- `count(id)` when not all fields are allowed.

@abdonrd You may temporarily use the second option above, changing `*` to `id` for count. Note, the count value will become nested within: `count: { id: 5 }`
Oh! But it's not me who is doing that query. It is the Directus app itself.
@licitdev I think `count(*)` should be allowed as soon as you have any read access, doesn't matter what fields. `count(*)` doesn't expose any of the fields or data held within, so it shouldn't matter.
@rijkvanzanten I think that the current way of allowing `count(*)` to work only if there's full permissions is good where it can prevent leaks of the total count. The total count might be sensitive info in some use cases.
The count is still applied with the permissions filter though, so `count(*)` will always return the count of items you have read access to based on the filter rules, not the total count of the table. The fields you're allowed to read in those roles shouldn't matter for the `count(*)` usage though 🙂
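The two positions in the thread, as an added illustrative model (not Directus's own `authorization.ts` code; the permission shape with a `fields` list and a row `filter`, the `challenges` rows and the `customRole` are constructed assumptions): the strict field check that rejects `count(*)` for a role with one field unchecked, the relaxed check that accepts `count(*)` whenever the role can read anything, and the count itself evaluated on the permission-filtered rows only.

```typescript
// Simplified model of aggregate field validation; not Directus's own code.
type Row = Record<string, unknown>;
type Permission = { fields: string[]; filter?: (row: Row) => boolean };

const AGGREGATE = /^(count|sum|avg|min|max)\((\*|[a-z_]+)\)$/i;

// Strict check (the reported behaviour): every referenced column, including the
// "*" inside count(*), must be in the allowed field list.
function validateFieldsStrict(fields: string[], perm: Permission): boolean {
  const allowAll = perm.fields.includes('*');
  return fields.every((f) => {
    const m = AGGREGATE.exec(f);
    const column = m ? m[2] : f;
    return allowAll || perm.fields.includes(column);
  });
}

// Relaxed check: count(*) reveals no column values, so it is accepted as long as
// the role can read at least one field. Any other column reference is checked as before.
function validateFieldsRelaxed(fields: string[], perm: Permission): boolean {
  if (perm.fields.length === 0) return false;
  return fields.every((f) => {
    const m = AGGREGATE.exec(f);
    if (m && m[1].toLowerCase() === 'count' && m[2] === '*') return true;
    const column = m ? m[2] : f;
    return perm.fields.includes('*') || perm.fields.includes(column);
  });
}

// The count is evaluated on the permission-filtered row set, so a role whose
// filter hides rows never learns the table total.
function countWithPermission(rows: Row[], perm: Permission): number {
  return rows.filter(perm.filter ?? (() => true)).length;
}

// Constructed sample data: a role that may read only id and title (one field
// unchecked, as in the report) and only rows where published is true.
const challenges: Row[] = [
  { id: 1, title: 'a', secret: 'x', published: true },
  { id: 2, title: 'b', secret: 'y', published: false },
  { id: 3, title: 'c', secret: 'z', published: true },
];
const customRole: Permission = {
  fields: ['id', 'title'],
  filter: (row) => row.published === true,
};
```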
Preflight Checklist
Describe the Bug
Custom read permissions breaks count queries.
In the Directus admin panel:
/admin/content/challenges
Admin role:
https://user-images.githubusercontent.com/1007051/161741007-848f6dee-f680-4aa4-9423-193f60f7b35e.mov
Custom role:
https://user-images.githubusercontent.com/1007051/161740990-100bf4a8-93fe-4d1b-aa44-bc1f99492fe8.mov
(in this Custom role we just unchecked one field)
Fixed if I grant `All Access`.
To Reproduce
See above.
Errors Shown
What version of Directus are you using?
9.8.0
What version of Node.js are you using?
16
What database are you using?
Postgres 14
What browser are you using?
Chrome
What operating system are you using?
macOS Monterey (12)
How are you deploying Directus?
Running locally