Don't surface forbidden reasoning

2026-04-25 03:00:53 -04:00 · 2021-03-03 17:33:11 -05:00
parent bac8b9ebab
commit c3dd7023a7
2 changed files with 19 additions and 2 deletions
--- a/api/src/exceptions/forbidden.ts
+++ b/api/src/exceptions/forbidden.ts
@@ -10,6 +10,13 @@ type Extensions = {

 export class ForbiddenException extends BaseException {
 	constructor(message = `You don't have permission to access this.`, extensions?: Extensions) {
-		super(message, 403, 'FORBIDDEN', extensions);
+		super(`You don't have permission to access this.`, 403, 'FORBIDDEN');
+
+		/**
+		 * We currently don't show the reason for a forbidden exception in the API output, as that
+		 * has the potential to leak schema information (eg a "No permission" vs "No permission to files"
+		 * would leak that a thing called "files" exists.
+		 * Ref https://github.com/directus/directus/discussions/4368
+		 */
 	}
 }
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -52,7 +52,17 @@ export class AuthorizationService {
 		const uniqueCollectionsRequestedCount = uniq(collectionsRequested.map(({ collection }) => collection)).length;

 		if (uniqueCollectionsRequestedCount !== permissionsForCollections.length) {
-			throw new ForbiddenException();
+			// Find the first collection that doesn't have permissions configured
+			const { collection, field } = collectionsRequested.find(
+				({ collection }) =>
+					permissionsForCollections.find((permission) => permission.collection === collection) === undefined
+			)!;
+
+			if (field) {
+				throw new ForbiddenException(`You don't have permission to access the "${field}" field.`);
+			} else {
+				throw new ForbiddenException(`You don't have permission to access the "${collection}" collection.`);
+			}
 		}

 		validateFields(ast);