Translations Interface Role with restricted language edit invalid values: language_id

w0kyj commented 2 years ago

Describe the Bug

Created a user role with the language restricted permissions, using the Directus Cloud Demo project. The goal is to restrict the user to only being able to edit pt-BR translations fields.

As long as the translations junction table entries exist, the role permissions seem to work as expected, but when the pt-BR junction entries don't exist for an existing article, then the user gets one of two errors depending on Articles Update permission:

{
  "message": "You don't have permission to access this.",
  "extensions": {
    "code": "FORBIDDEN"
  }
}

OR

The following fields have invalid values:
- languages_id: validationError.undefined
^^ Another user reported getting: languagesCode: value has to be pt

To Reproduce

Directus Cloud Demo project collection permissions for Language Restricted Role:

articles
- Create - None
- Read - All
- Update - All (only way to get the actual junction table error)
- Update - Ideally fields are restricted to Id and Translations with the following filter rule, but get Error: You don't have permission to access this
```
{
  "_and": [
    {
      "translations": {
        "languages_id": {
          "code": {
            "_eq": "pt-BR"
          }
        }
      }
    }
  ]
}
```

articles_translations

Create: All Fields and filter

{
  "_and": [
    {
      "languages_id": {
        "code": {
          "_eq": "pt-BR"
        }
      }
    }
  ]
}

Read: All Fields and filter

{
  "_and": [
    {
      "_or": [
        {
          "languages_id": {
            "code": {
              "_eq": "en-US"
            }
          }
        },
        {
          "languages_id": {
            "code": {
              "_eq": "pt-BR"
            }
          }
        }
      ]
    }
  ]
}

Update: All Fields and filter

{
  "_and": [
    {
      "_or": [
        {
          "languages_id": {
            "code": {
              "_eq": "pt-BR"
            }
          }
        },
        {
          "languages_id": {
            "code": {
              "_eq": "en-US"
            }
          }
        }
      ]
    }
  ]
}

languages

Create: None

Read: All Fields and filter

{
  "_and": [
    {
      "_or": [
        {
          "code": {
            "_eq": "en-US"
          }
        },
        {
          "code": {
            "_eq": "pt-BR"
          }
        }
      ]
    }
  ]
}

Update: None

User with Language Restricted Role:

Edit Article that has existing pt-BR translations, works as expected
Edit article with empty pt-BR translations fields
Attempt to save
Get one of the described errors depending on the collection Articles Update permissions
NOTE: If admin or other authorized user edits the pt-BR and junction created entry then this user can edit as noted in first bullet.

Errors Shown

{
  "message": "You don't have permission to access this.",
  "extensions": {
    "code": "FORBIDDEN"
  }
}

OR

The following fields have invalid values:
- languages_id: validationError.undefined

OR

The following fields have invalid values:
- languagesCode: value has to be pt

What version of Directus are you using?

9.13.0 & 9.14.1

What version of Node.js are you using?

Directus Cloud

What database are you using?

Directus Cloud

What browser are you using?

Chrome

How are you deploying Directus?

Directus Cloud

rijkvanzanten commented 2 years ago

I believe this is the same confusion around validation only checking against the payload, not against the full final object. In this case, the app most likely only submits {id: 1, text: 'some Portuguese text'} to the API, which in turn causes the validation to fail, as language_id isn't set even though it already exists as such in the DB

micheljacquot34 commented 1 year ago

I'm having a similar issue. Using latest version, 9.20.4

I've created a specific role, but I can't restrict the editing to a specific language.

rijkvanzanten commented 1 year ago

Linear: ENG-230

rijkvanzanten commented 1 year ago

I believe this has since been resolved

directus / directus