V8-archive: Cannot change collection presets by a non-admin user

Created on 3 Mar 2019  ·  9Comments  ·  Source: directus/v8-archive

Bug Report

Steps to Reproduce

  1. Create a non-admin user without full write permissions to the directus_collection_presets table
  2. Attempt to resize a column as that user
  3. Error is returned due to lack of permission

Expected Behavior

User should be able to edit directus_collection_presets

Actual Behavior

Response is

{code: 302, message: "Updating item from "directus_collection_presets" collection was denied"}

Other Context & Screenshots

2019-03-03 17:22:08] api[_].ERROR: Directus\Permissions\Exception\ForbiddenCollectionUpdateException: Updating item from "directus_collection_presets" collection was denied in /var/www/api/src/core/Directus/Permissions/Acl.php:1072
Stack trace:
#0 /var/www/api/src/core/Directus/Database/TableGateway/BaseTableGateway.php(1276): Directus\Permissions\Acl->enforceUpdateAll
#1 /var/www/api/src/core/Directus/Database/TableGateway/BaseTableGateway.php(852): Directus\Database\TableGateway\BaseTableGateway->enforceUpdatePermission
#2 /var/www/api/vendor/zendframework/zend-db/src/TableGateway/AbstractTableGateway.php(361): Directus\Database\TableGateway\BaseTableGateway->executeUpdate
#3 /var/www/api/src/core/Directus/Database/TableGateway/BaseTableGateway.php(455): Zend\Db\TableGateway\AbstractTableGateway->updateWith
#4 /var/www/api/src/core/Directus/Database/TableGateway/RelationalTableGateway.php(498): Directus\Database\TableGateway\BaseTableGateway->updateRecordByArray
#5 /var/www/api/src/core/Directus/Services/ItemsService.php(156): Directus\Database\TableGateway\RelationalTableGateway->updateRecord
#6 /var/www/api/src/core/Directus/Services/CollectionPresetsService.php(62): Directus\Services\ItemsService->update
#7 /var/www/api/src/endpoints/CollectionPresets.php(89): Directus\Services\CollectionPresetsService->update
#8 [internal function]: Directus\Api\Routes\CollectionPresets->update
#9 /var/www/api/vendor/slim/slim/Slim/Handlers/Strategies/RequestResponse.php(41): call_user_func

Technical Details

Device: Desktop
OS: MacOs High Sierra
Web Server: nginx
PHP Version: 7.2
Database: Mysql 5.2
Install Method: docker 2.0.17 and 7.0.17

bug not reproducible

All 9 comments

I think this is because the user column in the presets db is not in the DataTypes getUsersType function and therefore the update cannot be correctly attributed.
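A constructed model of the failure mode this comment describes, added here as an illustration (it is not Directus code; the registry, permission levels and function names are assumptions): a "mine" update permission can only be honoured when the collection's owning-user column is known, so an unregistered column fails closed and the update is denied even for the row's own user.

```python
from dataclasses import dataclass

# Constructed registry mapping a collection to the column that holds the
# owning user's id. It stands in for what the comment calls the DataTypes
# getUsersType lookup: a collection missing here cannot be attributed to a user.
KNOWN_USER_COLUMNS = {"articles": "owner"}  # presets deliberately absent


@dataclass
class UpdateRequest:
    user_id: int      # the authenticated (non-admin) user
    collection: str
    row: dict         # the stored item the user is trying to change


def owner_column(collection, registry):
    """Column holding the owner id for this collection, or None if unknown."""
    return registry.get(collection)


def can_update(req, level, registry=KNOWN_USER_COLUMNS):
    """Resolve an update permission level ('none', 'mine' or 'full').

    Returns (allowed, reason). 'mine' fails closed when the collection has no
    registered owner column, which is the behaviour reported in this issue.
    """
    if level == "full":
        return True, "full update permission"
    if level == "mine":
        col = owner_column(req.collection, registry)
        if col is None:
            return False, f'no owner column registered for "{req.collection}"'
        if req.row.get(col) == req.user_id:
            return True, f"row belongs to user {req.user_id}"
        return False, "row belongs to another user"
    return False, "no update permission"


def enforce_update(req, level, registry=KNOWN_USER_COLUMNS):
    """Raise PermissionError worded like the API's denial message."""
    allowed, reason = can_update(req, level, registry)
    if not allowed:
        raise PermissionError(
            f'Updating item from "{req.collection}" collection was denied ({reason})'
        )
    return True


if __name__ == "__main__":
    preset = UpdateRequest(5, "directus_collection_presets", {"user": 5, "width": 240})
    print(can_update(preset, "mine"))          # denied: column not registered
    fixed = dict(KNOWN_USER_COLUMNS, directus_collection_presets="user")
    print(can_update(preset, "mine", fixed))   # allowed once the column is known
```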

Thanks @samvasko — our API Lead is new to the codebase, but we'll take a look and see if we can get this resolved asap!

I had a look. It looks like a tough one! 👍

without full write permissions to directus_collection_presets table

The user needs write permission to directus_collection_presets in order to save their permissions. The error that was returned looks like expected behavior to me.

Am I misunderstanding the situation @samvasko ?

I think the expectation is to have mine permissions to that collection. Or we're not giving users this permission by default (so it only works for admins since they have all permissions by default). Either way, this seems like a bug that needs to be fixed.

Definitely a bug. The collection is configured as mine but cannot be edited.
[screenshot attached: Screen Shot 2019-03-11 at 22 48 37]

I think it might be the same issue that's causing https://github.com/directus/api/issues/723

I did some debugging before and it seems the same.

@samvasko It seems the bug is fixed by #828.
We just released API v2.0.20. Can you update to the latest and let me know if it still occurs? I cannot reproduce this on my side 🙂
