From 1ba8577a384a022ff2cd0b28e5d046f1798ff105 Mon Sep 17 00:00:00 2001
From: rijkvanzanten <rijkvanzanten@me.com>
Date: Fri, 21 Aug 2020 12:14:09 -0600
Subject: [PATCH] Use update permissions explicitly

---
 api/src/services/utils.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/api/src/services/utils.ts b/api/src/services/utils.ts
index 18f4faf23a..a6199dfaf6 100644
--- a/api/src/services/utils.ts
+++ b/api/src/services/utils.ts
@@ -29,7 +29,15 @@ export default class UtilsService {
 		}
 
 		if (this.accountability?.admin !== true) {
-			const permissions = await this.knex.select('fields').from('directus_permissions').where({ role: this.accountability?.role || null, collection }).first();
+			const permissions = await this.knex
+				.select('fields')
+				.from('directus_permissions')
+				.where({
+					collection,
+					operation: 'update',
+					role: this.accountability?.role || null,
+				})
+				.first();
 
 			if (!permissions) {
 				throw new ForbiddenException();