From 7ab359eacfcee1e79713202cd2c661d51de58867 Mon Sep 17 00:00:00 2001
From: Rijk van Zanten
Date: Wed, 3 Mar 2021 17:04:39 -0500
Subject: [PATCH] Throw forbidden error on /fields (#4366)
Fixes #4349
---
 api/src/services/collections.ts | 7 ++-----
 api/src/services/fields.ts | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/api/src/services/collections.ts b/api/src/services/collections.ts
index 241e52b781..1dfae5bde3 100644
--- a/api/src/services/collections.ts
+++ b/api/src/services/collections.ts
@@ -158,6 +158,7 @@ export class CollectionsService {
 const collectionItemsService = new ItemsService('directus_collections', {
 knex: this.knex,
 schema: this.schema,
+ accountability: this.accountability,
 });
 let tablesInDatabase = await schemaInspector.tableInfo();
@@ -172,10 +173,6 @@ export class CollectionsService {
 tablesInDatabase = tablesInDatabase.filter((table) => {
 return collectionsYouHavePermissionToRead.includes(table.name);
 });
-
- if (tablesInDatabase.length === 0) {
- throw new ForbiddenException();
- }
 }
 const tablesToFetchInfoFor = tablesInDatabase.map((table) => table.name);
@@ -204,7 +201,7 @@ export class CollectionsService {
 /**
 * @NOTE
- * We only suppport updating the content in directus_collections
+ * We only support updating the content in directus_collections
 */
 update(data: Partial, keys: string[]): Promise;
 update(data: Partial, key: string): Promise;
diff --git a/api/src/services/fields.ts b/api/src/services/fields.ts
index d545e408c5..cc008c2830 100644
--- a/api/src/services/fields.ts
+++ b/api/src/services/fields.ts
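Review bot: Dropping `throw new ForbiddenException()` in the second collections.ts hunk turns "this role can read no collections" from a 403 into an empty result, and nothing in the hunk records that this is deliberate, so a later reader may well restore the throw. A comment on the surviving filter would settle it, e.g. `// An empty list is a valid outcome: a role may have no readable collections. Access to directus_collections itself is checked by the ItemsService, which now receives accountability.` The second half of that comment is inferred from the `accountability: this.accountability` option added in the first hunk rather than shown here, so confirm that the ItemsService actually rejects callers without read permission on directus_collections before wording it that way. The enclosing method begins before the first hunk and continues past the second.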
@@ -1,7 +1,7 @@
 import { ALIAS_TYPES } from '../constants';
 import database, { schemaInspector } from '../database';
 import { Field } from '../types/field';
-import { Accountability, AbstractServiceOptions, FieldMeta, Relation, SchemaOverview } from '../types';
+import { Accountability, AbstractServiceOptions, FieldMeta, SchemaOverview } from '../types';
 import { ItemsService } from '../services/items';
 import { ColumnBuilder } from 'knex';
 import getLocalType from '../utils/get-local-type';
@@ -36,8 +36,19 @@ export class FieldsService {
 this.schema = options.schema;
 }
+ private get hasReadAccess() {
+ return !!this.schema.permissions.find((permission) => {
+ return permission.collection === 'directus_fields' && permission.action === 'read';
+ });
+ }
+
 async readAll(collection?: string): Promise {
 let fields: FieldMeta[];
+
+ if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
+ throw new ForbiddenException();
+ }
+
 const nonAuthorizedItemsService = new ItemsService('directus_fields', {
 knex: this.knex,
 schema: this.schema,
@@ -147,6 +158,10 @@ export class FieldsService {
 async readOne(collection: string, field: string) {
 if (this.accountability && this.accountability.admin !== true) {
+ if (this.hasReadAccess === false) {
+ throw new ForbiddenException();
+ }
+
 const permissions = this.schema.permissions.find((permission) => {
 return permission.action === 'read' && permission.collection === collection;
 });
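Review bot: The new `hasReadAccess` getter in the second fields.ts hunk opens the whole directus_fields read path on the mere presence of a `read` permission row for that collection and looks at nothing else on the row; if `this.schema.permissions` is not already narrowed to the requesting role, or a permission row can be restricted further, a partially-permitted role would unlock all field metadata, so confirm the scoping and state it on the getter, e.g. `/** True when the loaded permissions contain a read rule for directus_fields; assumes this.schema.permissions is already scoped to the requesting role. */`. The same gate is repeated in the readOne hunk, and in both places a boolean getter reads better without the comparison: `if (!this.hasReadAccess) {`. `ForbiddenException` is thrown in both hunks but not added by the import hunk, so it is presumably imported further down the import list — worth a quick check that fields.ts does import it. The bodies of readAll and readOne continue past their hunks.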