V8-archive: Was able to delete records from a collection with a user with no delete permissions
Bug Report
Steps to Reproduce
Create a new role called 'Editor' with permissions to Create/Update/Comment on all collections
- Ensure the new role has no Delete permissions on any collections
- Create a new user and assign him the newly created role of 'Editor'
Login as the new user and attempt to delete a record from the collection 'Movies'
Observe that the record is deleted
Expected Behavior
The user should not be able to delete the record.
Ideally, you should not be able to see the 'Delete' button if you don't have permission to see it
Actual Behavior
You are able to see the 'Delete' button and you are able to delete record.
Other Context & Screenshots
Technical Details
From latest install on Directus.app
App Version 7.6.1
Api Version:
- Device: [eg: Desktop, iPhone6, etc]
- OS: [eg: MacOS 10.13.6, Windows 10.1803]
- Web Server: [eg: Apache 2.4.37]
- PHP Version: [eg: 7.2.0]
- Database: [eg: MySQL 8.0.12]
- Install Method: [eg: cloned
masterbranch]
chintohere
All 2 comments
Seems to working as expected now. Not sure what was happening at the time.
chintohere
on 3 Jul 2019
Hello @chintohere
Delete permission is working fine for collections don't have a status field. But, delete permission issue takes place for collections having the status field and that issue still exists.
I am working on it and will send PR for it asap.
itsmerhp
on 3 Jul 2019
Related issues
zeusstl
路
26Comments
carolin-skiply
路
51Comments
futjikato
路
58Comments
benhaynes
路
31Comments
philleepflorence
路
33Comments