Fix too strict update permission check

Fixes #817

api/src/services/authorization.ts

@@ -399,7 +399,7 @@ export class AuthorizationService {
 			const result = await itemsService.readByKey(pk as any, query, action);
 
 			if (!result) throw '';
-			if (Array.isArray(pk) && result.length !== pk.length) throw '';
+			if (Array.isArray(pk) && pk.length > 1 && result.length !== pk.length) throw '';
 		} catch {
 			throw new ForbiddenException(
 				`You're not allowed to ${action} item "${pk}" in collection "${collection}".`,

api/src/services/items.ts

@@ -257,6 +257,7 @@ export class ItemsService<Item extends AnyItem = AnyItem> implements AbstractSer
 				accountability: this.accountability,
 				knex: this.knex,
 			});
+
 			ast = await authorizationService.processAST(ast, action);
 		}
 

app/src/utils/is-allowed.ts

@@ -19,7 +19,7 @@ export function isAllowed(collection: string, action: Permission['action'], valu
 
 	const permissionsForAction = parseFilter(permissionInfo.permissions || {});
 
-	const schema = generateJoi(permissionsForAction, { allowUnknown: permissionInfo.fields === '*' });
+	const schema = generateJoi(permissionsForAction, { allowUnknown: true });
 	const { error } = schema.validate(value);
 
 	if (!error) {