directus / directus

The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.
https://directus.io

Full access policy is not the same as manual adding all fields #24062

Open nskartoredjo opened 2 days ago

nskartoredjo commented 2 days ago

Describe the Bug

When adding a collection to a policy, you have two options: all access and use custom.

What I expect is that all access is a shortcut to enabling all fields without any filters.

However, if I enable all fields, the behaviour still differs from what I get if I opt for the all access option.

To Reproduce

  1. Create a policy with app access and recommended settings (which provide read access to all users)
  2. Assign the policy to a role
  3. Create and add a user A under this role
  4. Create and add a user B
  5. Log in as A; you should see user B
  6. Remove the token field from the user read permission of the policy
  7. As user A, you can't see any users now (this is another issue)
  8. Re-add the token field to the policy
  9. As user A, things are still broken
  10. Use the all access option now
  11. As user A, you can now see user B again

Directus Version

v11.1.1

Hosting Strategy

Self-Hosted (Docker Image)

Database

PostgreSQL 16

hanneskuettner commented 2 days ago

Oh interesting. This issue is the cause of #24063 and the observed problem is limited to system collections that have "minimal app permissions" and can get additional permissions.

The reason is that the "additional permissions" don't include the app minimal permission fields, but just the additional fields. This seems like an oversight on the app side we will have to look into.
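To make the explanation above concrete, here is an added illustration (not Directus code, and not from either participant) of how a policy's stored fields for a system collection combine with the app's built-in minimal permissions. The field names, the minimal-permission list and both policies are constructed sample data; the real lists live in Directus and are not reproduced here. `effectiveFields` resolves the readable fields either by merging the policy on top of the minimal fields (the expected result) or by taking only the policy's own fields (the oversight described in the comment); the wildcard stored by the all access option makes the difference disappear, which is why that option behaves differently from ticking every field by hand.

```typescript
// Added illustration of the behaviour discussed in this issue. This is not
// Directus code: it models how a policy's field list for a system collection
// is combined with the app's built-in minimal permissions.
// All field names and policies below are constructed sample data.

type Action = 'read' | 'create' | 'update' | 'delete';

interface Permission {
  collection: string;
  action: Action;
  fields: string[]; // ['*'] stands for every field in the collection
}

// Constructed stand-in for the app's minimal read permission on directus_users.
const APP_MINIMAL: Permission[] = [
  { collection: 'directus_users', action: 'read', fields: ['id', 'first_name', 'last_name', 'avatar'] },
];

// What the "all access" option stores: a single wildcard permission.
const ALL_ACCESS_POLICY: Permission[] = [
  { collection: 'directus_users', action: 'read', fields: ['*'] },
];

// What "use custom" stores after ticking every field in the app, per the
// explanation in the thread: only the fields beyond the minimal set.
const CUSTOM_POLICY: Permission[] = [
  { collection: 'directus_users', action: 'read', fields: ['email', 'token'] },
];

// Collects the fields granted for (collection, action) across a permission list.
function fieldsFor(perms: Permission[], collection: string, action: Action): string[] {
  const out: string[] = [];
  for (const p of perms) {
    if (p.collection === collection && p.action === action) out.push(...p.fields);
  }
  return out;
}

// Resolves the fields a user can access for (collection, action).
// mergeMinimal = true is the expected behaviour: policy fields are layered on
// top of the app minimal fields. mergeMinimal = false reproduces the oversight
// described in the thread, where only the policy's own fields are considered.
function effectiveFields(
  minimal: Permission[],
  policy: Permission[],
  collection: string,
  action: Action,
  mergeMinimal: boolean,
): string[] {
  const policyFields = fieldsFor(policy, collection, action);
  const minimalFields = mergeMinimal ? fieldsFor(minimal, collection, action) : [];
  const combined = [...minimalFields, ...policyFields];
  if (combined.includes('*')) return ['*']; // a wildcard subsumes every field
  return Array.from(new Set(combined)).sort();
}

// True when `field` of directus_users is readable under the resolved field set.
function canRead(minimal: Permission[], policy: Permission[], field: string, mergeMinimal: boolean): boolean {
  const fields = effectiveFields(minimal, policy, 'directus_users', 'read', mergeMinimal);
  return fields.includes('*') || fields.includes(field);
}

// Demonstration: the wildcard makes the merge irrelevant for "all access",
// while for the custom policy the minimal fields are lost without the merge.
console.log(effectiveFields(APP_MINIMAL, ALL_ACCESS_POLICY, 'directus_users', 'read', false)); // ['*']
console.log(effectiveFields(APP_MINIMAL, CUSTOM_POLICY, 'directus_users', 'read', true));      // minimal + custom, sorted
console.log(canRead(APP_MINIMAL, CUSTOM_POLICY, 'first_name', false));                         // false: the oversight
```

Note that in this model a user with the custom policy loses `first_name` only when the minimal fields are dropped from the merge; with the wildcard of the all access option no merge is needed, which matches the difference the report describes between the two options.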