System permissions for app access (#4004)

* Pass relations through schema, instead of individual reads * Fetch field transforms upfront * Fix length check * List if user has app access or not in accountability * Load permissions up front, merge app access minimal permissions * Show app access required permissions in permissions overview * Show system minimal permissions in permissions detail * Fix app access check in authenticate for jwt use * Fix minimal permissions for presets * Remove /permissions/me in favor of root use w/ permissions * Fix logical nested OR in an AND * Use root permissions endpoint with filter instead of /me * Allow filter query on /permissions * Add system minimal app access permissions into result of /permissions * Remove stray console log * Remove stray console.dir * Set current role as role for minimal permissions * Fix no-permissions state for user detail * Add filter items function that allows altering existing result set
2026-04-25 03:00:53 -04:00 · 2021-02-11 12:50:56 -05:00
parent 8c1402fb88
commit b7d87e581a
55 changed files with 897 additions and 524 deletions
--- a/api/src/database/index.ts
+++ b/api/src/database/index.ts
@@ -1,6 +1,5 @@
 import knex, { Config } from 'knex';
 import dotenv from 'dotenv';
-import camelCase from 'camelcase';
 import path from 'path';
 import logger from '../logger';
 import env from '../env';
--- a/api/src/database/run-ast.ts
+++ b/api/src/database/run-ast.ts
@@ -93,8 +93,8 @@ async function parseCurrentLevel(
 	children: (NestedCollectionNode | FieldNode)[],
 	schema: SchemaOverview
 ) {
-	const primaryKeyField = schema[collection].primary;
-	const columnsInCollection = Object.keys(schema[collection].columns);
+	const primaryKeyField = schema.tables[collection].primary;
+	const columnsInCollection = Object.keys(schema.tables[collection].columns);

 	const columnsToSelect: string[] = [];
 	const nestedCollectionNodes: NestedCollectionNode[] = [];
@@ -154,7 +154,7 @@ async function getDBQuery(

 	query.sort = query.sort || [{ column: primaryKeyField, order: 'asc' }];

-	await applyQuery(knex, table, dbQuery, queryCopy, schema);
+	await applyQuery(table, dbQuery, queryCopy, schema);

 	// Nested filters use joins to filter on the parent level, to prevent duplicate
 	// parents, we group the query by the current tables primary key (which is unique)
--- a/api/src/database/system-data/app-access-permissions/app-access-permissions.yaml
+++ b/api/src/database/system-data/app-access-permissions/app-access-permissions.yaml
@@ -0,0 +1,96 @@
+# NOTE: Activity/collections/fields/presets/relations/revisions will have an extra hardcoded filter
+# to filter out collections you don't have read access
+
+- collection: directus_activity
+  action: read
+  permissions:
+    user:
+      _eq: $CURRENT_USER
+
+- collection: directus_activity
+  action: create
+  validation:
+    comment:
+      _nnull: true
+
+- collection: directus_collections
+  action: read
+
+- collection: directus_fields
+  action: read
+
+- collection: directus_permissions
+  action: read
+  permissions:
+    role:
+      _eq: $CURRENT_ROLE
+
+- collection: directus_presets
+  action: read
+  permissions:
+    _or:
+      - user:
+          _eq: $CURRENT_USER
+      - _and:
+          - user:
+              _null: true
+          - role:
+              _eq: $CURRENT_ROLE
+      - _and:
+          - user:
+              _null: true
+          - role:
+              _null: true
+
+- collection: directus_presets
+  action: create
+  validation:
+    - user:
+      _eq: $CURRENT_USER
+
+- collection: directus_presets
+  action: update
+  permissions:
+    user:
+      _eq: $CURRENT_USER
+
+- collection: directus_presets
+  action: delete
+  permissions:
+    user:
+      _eq: $CURRENT_USER
+
+- collection: directus_relations
+  action: read
+
+- collection: directus_roles
+  action: read
+  permissions:
+    id:
+      _eq: $CURRENT_ROLE
+
+- collection: directus_settings
+  action: read
+
+- collection: directus_users
+  action: read
+  permissions:
+    id:
+      _eq: $CURRENT_USER
+  fields:
+    - id
+    - first_name
+    - last_name
+    - email
+    - password
+    - location
+    - title
+    - description
+    - tags
+    - preferences_divider
+    - avatar
+    - language
+    - theme
+    - tfa_secret
+    - status
+    - role
--- a/api/src/database/system-data/app-access-permissions/index.ts
+++ b/api/src/database/system-data/app-access-permissions/index.ts
@@ -0,0 +1,17 @@
+import { requireYAML } from '../../../utils/require-yaml';
+import { Permission } from '../../../types';
+import { merge } from 'lodash';
+
+const defaults: Partial<Permission> = {
+	role: null,
+	permissions: {},
+	validation: null,
+	presets: null,
+	fields: ['*'],
+	limit: null,
+	system: true,
+};
+
+const permissions = requireYAML(require.resolve('./app-access-permissions.yaml')) as Permission[];
+
+export const appAccessMinimalPermissions: Permission[] = permissions.map((row) => merge({}, defaults, row));