V8-archive: Can't do nested filter request with custom user and custom role

Created on 25 Jan 2019  ·  9 comments  ·  Source: directus/v8-archive

Bug Report

I can't do a nested filter (like ?filter[o2mcollection.code][eq]=123456) on my queries even though the token user has full permissions on all tables and on directus_relations.

I get the following error:

{
  "error": {
    "code": 215,
    "message": "Unable to access \"code\" related data",
    "class": "Directus\\Database\\Exception\\ForbiddenFieldAccessException",
    "file": "/var/www/directus7/src/core/Directus/Database/TableGateway/RelationalTableGateway.php",
    "line": 1205
  }
}

The query works if I put the token user into the admin role group.
The query works if I filter just by the id of the related collection ?filter[o2mcollection]=1
The query works without the filter and shows all contents of o2mcollection if I query items/parent?fields=*.*

I tried giving the custom role full permissions (all blue checkmarks) on every table including directus tables - no change. I tried setting up a new user and a new role group - no change.

Steps to Reproduce

  1. Set up two collections with an O2M relation
  2. Set up a new user and user role (ideally with only read permissions on created tables and directus_relations)
  3. Set a static token in the DB
  4. Query API & see error

Expected Behavior

Filter the results according to the nested filter

Actual Behavior

Error message above

Other Context & Screenshots

[2019-01-25 10:28:19] api[_].ERROR: Directus\Database\Exception\ForbiddenFieldAccessException: Unable to access "code" related data in /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php:1205
Stack trace:
#0 /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(1445): Directus\Database\TableGateway\RelationalTableGateway->parseDotFilters
#1 [internal function]: Directus\Database\TableGateway\RelationalTableGateway->processFilter
#2 /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(799): call_user_func_array
#3 /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(1011): Directus\Database\TableGateway\RelationalTableGateway->applyParamsToTableEntriesSelect
#4 /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(1131): Directus\Database\TableGateway\RelationalTableGateway->fetchItems
#5 /directusapi/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(819): Directus\Database\TableGateway\RelationalTableGateway->fetchData
#6 [internal function]: Directus\Database\TableGateway\RelationalTableGateway->getItems
#7 /directusapi/src/core/Directus/Services/AbstractService.php(326): call_user_func_array
#8 /directusapi/src/core/Directus/Services/AbstractService.php(270): Directus\Services\AbstractService->getDataAndSetResponseCacheTags
#9 /directusapi/src/core/Directus/Services/ItemsService.php(57): Directus\Services\AbstractService->getItemsAndSetResponseCacheTags
#10 /directusapi/src/endpoints/Items.php(43): Directus\Services\ItemsService->findAll
#11 [internal function]: Directus\Api\Routes\Items->all
#12 /directusapi/vendor/slim/slim/Slim/Handlers/Strategies/RequestResponse.php(41): call_user_func
#13 /directusapi/vendor/slim/slim/Slim/Route.php(356): Slim\Handlers\Strategies\RequestResponse->__invoke
#14 /directusapi/src/core/Directus/Application/Http/Middleware/AbstractRateLimitMiddleware.php(34): Slim\Route->__invoke
#15 [internal function]: Directus\Application\Http\Middleware\AbstractRateLimitMiddleware->__invoke
#16 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#17 [internal function]: Slim\DeferredCallable->__invoke
#18 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#19 /directusapi/src/core/Directus/Application/Http/Middleware/AuthenticationMiddleware.php(80): Slim\Route->Slim\{closure}
#20 [internal function]: Directus\Application\Http\Middleware\AuthenticationMiddleware->__invoke
#21 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#22 [internal function]: Slim\DeferredCallable->__invoke
#23 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#24 /directusapi/src/core/Directus/Application/Http/Middleware/TableGatewayMiddleware.php(25): Slim\Route->Slim\{closure}
#25 [internal function]: Directus\Application\Http\Middleware\TableGatewayMiddleware->__invoke
#26 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#27 [internal function]: Slim\DeferredCallable->__invoke
#28 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#29 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(117): Slim\Route->Slim\{closure}
#30 /directusapi/vendor/slim/slim/Slim/Route.php(334): Slim\Route->callMiddlewareStack
#31 /directusapi/vendor/slim/slim/Slim/App.php(515): Slim\Route->run
#32 /directusapi/src/core/Directus/Application/Http/Middleware/AbstractRateLimitMiddleware.php(34): Slim\App->__invoke
#33 [internal function]: Directus\Application\Http\Middleware\AbstractRateLimitMiddleware->__invoke
#34 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#35 [internal function]: Slim\DeferredCallable->__invoke
#36 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#37 /directusapi/vendor/wellingguzman/proxy-detection/src/ProxyDetectionMiddleware.php(30): Slim\App->Slim\{closure}
#38 /directusapi/src/core/Directus/Application/Http/Middleware/ProxyMiddleware.php(18): RKA\Middleware\ProxyDetectionMiddleware->__invoke
#39 [internal function]: Directus\Application\Http\Middleware\ProxyMiddleware->__invoke
#40 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#41 [internal function]: Slim\DeferredCallable->__invoke
#42 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#43 /directusapi/vendor/akrabat/ip-address-middleware/src/IpAddress.php(113): Slim\App->Slim\{closure}
#44 [internal function]: RKA\Middleware\IpAddress->__invoke
#45 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#46 [internal function]: Slim\DeferredCallable->__invoke
#47 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#48 /directusapi/src/core/Directus/Application/Http/Middleware/CorsMiddleware.php(66): Slim\App->Slim\{closure}
#49 [internal function]: Directus\Application\Http\Middleware\CorsMiddleware->__invoke
#50 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#51 [internal function]: Slim\DeferredCallable->__invoke
#52 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#53 /directusapi/src/core/Directus/Application/Http/Middleware/ResponseCacheMiddleware.php(47): Slim\App->Slim\{closure}
#54 [internal function]: Directus\Application\Http\Middleware\ResponseCacheMiddleware->__invoke
#55 /directusapi/vendor/slim/slim/Slim/DeferredCallable.php(43): call_user_func_array
#56 [internal function]: Slim\DeferredCallable->__invoke
#57 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(70): call_user_func
#58 /directusapi/vendor/slim/slim/Slim/MiddlewareAwareTrait.php(117): Slim\App->Slim\{closure}
#59 /directusapi/vendor/slim/slim/Slim/App.php(406): Slim\App->callMiddlewareStack
#60 /directusapi/vendor/slim/slim/Slim/App.php(314): Slim\App->process
#61 /directusapi/src/core/Directus/Application/Application.php(161): Slim\App->run
#62 /directusapi/public/index.php(5): Directus\Application\Application->run [] []

Technical Details

  • Directus 2.0.15
  • same on localhost MAMP and Ubuntu LAMP

Labels: bug, not reproducible


All 9 comments

Hey @Kinzi, can you share a database dump so I can replicate this?

@WellingGuzman Anyway I can get this to you without sharing the dump publicly?

@Kinzi You can send it to me privately via Slack (https://slack.getdirectus.com)

Thank you @Kinzi! Looking forward to getting this one resolved!

@Kinzi sent me a database dump and I was able to reproduce this issue.

This issue here is when the item has workflow enabled (permissions per statuses), the API fails to verify the user has permission to read values with certain status.
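The failure mode described in this comment, modelled as an added example (not Directus code): a role whose read permissions on the related collection exist only per workflow status, and a nested filter path that must be authorised hop by hop. The permission table, relation map, statuses and rows below are constructed sample data; `resolve_filter_naive` reproduces the behaviour the thread describes (only the collection-wide rule is consulted, so the workflow-enabled collection looks unreadable and the `Unable to access "code" related data` error is raised), while `resolve_filter` accepts the field if any readable status exposes it and hands back those statuses so the query is restricted to rows the role may see rather than rejected outright.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample data (hypothetical role "editor", not from Directus).
# Read permissions per (collection, status); status None = no workflow.
# Value: readable field names, "*" meaning every field.
PERMISSIONS: Dict[Tuple[str, Optional[str]], FrozenSet[str]] = {
    ("parent", None): frozenset({"*"}),
    ("o2mcollection", "published"): frozenset({"*"}),
    ("o2mcollection", "draft"): frozenset(),  # drafts unreadable for this role
}
# Workflow statuses per collection; a collection absent here has no workflow.
STATUSES: Dict[str, List[str]] = {"o2mcollection": ["published", "draft"]}
# Relational fields: (collection, field) -> related collection.
RELATIONS: Dict[Tuple[str, str], str] = {("parent", "o2mcollection"): "o2mcollection"}
# Constructed rows for the two collections.
ROWS = {
    "parent": [{"id": 1, "o2mcollection": [10, 11]}, {"id": 2, "o2mcollection": [12]}],
    "o2mcollection": [
        {"id": 10, "status": "published", "code": "123456"},
        {"id": 11, "status": "draft", "code": "123456"},
        {"id": 12, "status": "published", "code": "999"},
    ],
}


class ForbiddenFieldAccess(Exception):
    """Mirrors the 'Unable to access "<field>" related data' error."""


def _fields_for(collection: str, status: Optional[str]) -> FrozenSet[str]:
    return PERMISSIONS.get((collection, status), frozenset())


def readable_statuses(collection: str, field: str) -> List[Optional[str]]:
    """Statuses of `collection` in which the role may read `field`.
    A collection without workflow has the single pseudo-status None."""
    statuses: List[Optional[str]] = list(STATUSES.get(collection) or [None])
    return [s for s in statuses
            if "*" in _fields_for(collection, s) or field in _fields_for(collection, s)]


def resolve_filter_naive(root: str, dotted: str) -> Tuple[str, str]:
    """Behaviour the thread describes: only the collection-wide rule (status
    None) is consulted, so a related collection whose rules are all per-status
    appears unreadable and the leaf field is rejected."""
    collection = root
    parts = dotted.split(".")
    for name in parts:
        fields = _fields_for(collection, None)
        if "*" not in fields and name not in fields:
            raise ForbiddenFieldAccess(f'Unable to access "{name}" related data')
        if name != parts[-1]:
            collection = RELATIONS[(collection, name)]
    return collection, parts[-1]


def resolve_filter(root: str, dotted: str) -> Tuple[str, str, List[Optional[str]]]:
    """Walk the dotted path; each hop and the leaf are accessible if at least
    one readable status exposes them. Returns the final collection, the leaf
    field and the statuses whose rows the query may match."""
    collection = root
    parts = dotted.split(".")
    for hop in parts[:-1]:
        if not readable_statuses(collection, hop):
            raise ForbiddenFieldAccess(f'Unable to access "{hop}" related data')
        collection = RELATIONS[(collection, hop)]
    leaf = parts[-1]
    allowed = readable_statuses(collection, leaf)
    if not allowed:
        raise ForbiddenFieldAccess(f'Unable to access "{leaf}" related data')
    return collection, leaf, allowed


def filter_parents(dotted: str, value: str) -> List[int]:
    """Apply ?filter[<dotted>][eq]=<value> on 'parent' for a one-hop path,
    matching only related rows in a status the role may read."""
    hop, _, _leaf = dotted.partition(".")
    collection, leaf, allowed = resolve_filter("parent", dotted)
    related = {r["id"] for r in ROWS[collection]
               if r.get("status") in allowed and str(r[leaf]) == value}
    return [p["id"] for p in ROWS["parent"] if set(p[hop]) & related]


if __name__ == "__main__":
    try:
        resolve_filter_naive("parent", "o2mcollection.code")
    except ForbiddenFieldAccess as exc:
        print("naive:", exc)
    print("fixed:", filter_parents("o2mcollection.code", "123456"))
```

The draft row with the same code is excluded from the match rather than causing the request to fail, which is the distinction the comment draws: the status-scoped permission should narrow the result set, not make the field itself unreadable.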

Guys please don't forget this! 🙏

We haven't forgotten it — Welling has left the Directus Org and was replaced with a new API Lead. It'll take a little time to get back up to speed with things.

@benhaynes This issue is not reproducible, seems that it is related to #863 and this issue has been resolved with it.
But, O2M nested filter is still generating a bad query and it will be resolved in PR of #576

Thanks @itsmerhp!

@Kinzi — can you update to the latest version (clear cache and run the database migration script) and then see if this is still a problem? I'll close it for now as not reproducible, but we will happily re-open if you're still experiencing it.
