"You don't have permission to access this." when displaying Directus User in a list in the built-in Directus UI
divStar opened this issue
Describe the Bug
Perhaps this issue is related to #17117 - not sure.
This was not an issue in one of the previous versions (I know for sure it was not an issue in Directus v10.4.x).
I have a couple of collections.
One is "MyCV user", which contains a 1:1 relation to the "directus_users" collection as well as some settings regarding my application.
When I edit a MyCV user, everything displays properly - no issues whatsoever.
When displaying the list of MyCV users, instead of the actual user, I see "Unknown user" with no avatar:
I get a 403 Forbidden if I hover over the "Unknown User":
Note that I've chosen "User" for the "Display" property of the field:
If I choose "Related values" and fill those in (e.g. Avatar, last name, first name) - it's displayed properly.
I dug deeper and found that the following query is issued in the case of the "Unknown user":
https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email
However, the following query works properly:
https://directus-mycv.my.family/users?id=eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email
Note the users?id=... instead of users/<id>?... .
To Reproduce
I just double-checked it and the following worked to reproduce the issue:
- Create a collection my_custom_users, include all default fields (status, created-date, etc. - not sure if this is necessary) as well as a many-to-one relation to the directus_users collection.
- Create a collection my_custom_list, include all default fields and a field to the my_custom_users table.
- Set the Display of the my_custom_list.my_custom_user field to User.
This will result in the "Unknown user" being displayed:
Hovering over the "Unknown user" text will result in a 403 (Forbidden) response in the network tab of the dev-tools, too, as it is using the URL with .../users/<id>?..., which returns forbidden - even for an administrator.
Directus Version
v10.11.0
Hosting Strategy
Self-Hosted (Docker Image)
Database
PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
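The report contrasts two requests for the same user: the item endpoint `/users/<id>?fields[]=...` that the UI issues (403) and the collection endpoint `/users?id=<id>&fields[]=...` (works). The script below is an added reproduction helper, not code from the issue or from the Directus project: it builds both URLs for a given user id and, when pointed at a live instance, reports the HTTP status of each so the difference can be confirmed from the command line with a specific token rather than from the browser. It assumes Node 18+ (global `fetch`), the hypothetical environment variable names `DIRECTUS_URL` and `DIRECTUS_TOKEN`, and joins the `id` and `fields[]` parameters of the collection URL with `&` (the URL quoted in the report has a second `?` at that position).

```javascript
// Added reproduction/probe script for the two requests discussed in the report.
// Not part of the issue or of Directus. Assumes Node 18+ (global fetch) and the
// hypothetical env vars DIRECTUS_URL / DIRECTUS_TOKEN; the user id is argv[2].

// The field list the Directus UI requests for the "User" display, as shown in the report.
const FIELDS = ["id", "first_name", "last_name", "avatar.id", "role.name", "status", "email"];

// Pure URL builder: returns the item-endpoint URL the UI issues and the
// collection-endpoint variant the reporter found to work. Network-free, so it
// can be checked offline.
function buildUrls(baseUrl, userId, fields = FIELDS) {
  const base = baseUrl.replace(/\/+$/, "");
  const params = new URLSearchParams();
  for (const f of fields) params.append("fields[]", f);

  // /users/<id>?fields[]=... (what the UI sends, 403 in the report)
  const itemUrl = `${base}/users/${encodeURIComponent(userId)}?${params}`;
  // /users?id=<id>&fields[]=... (what the reporter found to work)
  const listParams = new URLSearchParams([["id", userId], ...params]);
  const listUrl = `${base}/users?${listParams}`;
  return { itemUrl, listUrl };
}

// Issues one GET with a bearer token and returns only the status code.
async function fetchStatus(url, token) {
  const res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
  return res.status;
}

// Fetches both URLs in parallel and returns their status codes.
async function probe(baseUrl, userId, token) {
  const { itemUrl, listUrl } = buildUrls(baseUrl, userId);
  const [item, list] = await Promise.all([
    fetchStatus(itemUrl, token),
    fetchStatus(listUrl, token),
  ]);
  return { item, list };
}

// Pure interpretation of a status pair, so the verdict can be unit-tested
// without a server: the report expects 403 for the item URL and 200 for the list URL.
function classify({ item, list }) {
  if (item === 403 && list === 200) {
    return "reproduced: item endpoint forbidden, collection query allowed";
  }
  if (item === 200 && list === 200) {
    return "not reproduced: both requests allowed";
  }
  return `inconclusive: /users/<id> -> ${item}, /users?id= -> ${list}`;
}

// CLI entry point; only runs when the hypothetical env vars and a user id are supplied.
if (process.env.DIRECTUS_URL && process.env.DIRECTUS_TOKEN && process.argv[2]) {
  probe(process.env.DIRECTUS_URL, process.argv[2], process.env.DIRECTUS_TOKEN)
    .then((statuses) => console.log(JSON.stringify({ ...statuses, verdict: classify(statuses) })))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

Run it as `DIRECTUS_URL=https://your-instance DIRECTUS_TOKEN=... node probe.js <user-id>`; running it once with an administrator token and once with the token of the role that actually views the list separates a permission-policy problem from the endpoint-level behaviour the report describes.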