directus / directus

The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.

Home Page:https://directus.io

"You don't have permission to access this." when displaying Directus User in a list in the built-in Directus UI

divStar opened this issue · comments

Describe the Bug

Perhaps this issue is related to #17117 - not sure.

This was not an issue in one of the previous versions (I know for sure it was no issue in Directus v10.4.x).

I have a couple of collections.
One is "MyCV user", which contains a 1:1 relation to the "directus_users" collection as well as some settings in regard to my application.

When I edit a MyCV user, everything displays properly - no issues whatsoever.

When displaying the list of MyCV users, instead of the actual user, I see "Unknown user" with no avatar.
I get a 403 Forbidden if I hover over the "Unknown User".

Note that I've chosen "User" for the "Display" property of the field.

If I choose "Related values" and fill those in (e.g. Avatar, last name, first name) - it's displayed properly.

I dug deeper and found that the following query is issued in the case of the "Unknown user":

https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email

However, the following query works properly:

https://directus-mycv.my.family/users?id=eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email

Note the users?id=... instead of users/<id>?....

To Reproduce

I just double-checked it and the following worked to reproduce the issue:

  1. Create a collection my_custom_users, include all default fields (status, created-date, etc. - not sure if this is necessary) as well as a many-to-one relation to the directus_users collection.
  2. Create a collection my_custom_list, include all default fields and a field to the my_custom_users table.
  3. Set the Display of the my_custom_list.my_custom_user field to User.

This will result in the "Unknown user" being displayed.

Hovering over the "Unknown user" text will result in a 403 (Forbidden) response in the network tab of the dev-tools, too, as it is using the URL with .../users/<id>?..., which returns forbidden - even for an administrator.

Directus Version

v10.11.0

Hosting Strategy

Self-Hosted (Docker Image)

Database

PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit