
"You don't have permission to access this." when displaying Directus User in a list in the built-in Directus UI #22525

Closed
divStar opened this issue May 20, 2024 · 2 comments


divStar commented May 20, 2024

Describe the Bug

Perhaps this issue is related to #17117 - not sure.

This was not an issue in one of the previous versions (I know for sure it was no issue in Directus v10.4.x).

I have a couple of collections.
One is "MyCV user", which contains a 1:1 relation to the "directus_users" collection as well as some settings with regard to my application.

When I edit a MyCV user, everything displays properly - no issues whatsoever.
[screenshot: editing a MyCV user]

When displaying the list of MyCV users, instead of the actual user, I see "Unknown user" with no avatar:
[screenshot: list view showing "Unknown user"]
I get a 403 Forbidden if I hover over the "Unknown User":
[screenshot: 403 Forbidden response]

Note that I've chosen "User" for the "Display" property of the field:
[screenshot: field display setting]

If I choose "Related values" and fill those in (e.g. Avatar, last name, first name) - it's displayed properly.

I dug deeper and found that the following query is issued in the case of the "Unknown user":

https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email

However, the following query works properly:

https://directus-mycv.my.family/users?id=eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email

Note the users?id=... instead of users/<id>?....

To Reproduce

I just double-checked it and the following worked to reproduce the issue:

  1. Create a collection my_custom_users, include all default fields (status, created-date, etc. - not sure if this is necessary) as well as a many-to-one relation to the directus_users collection.
  2. Create a collection my_custom_list, include all default fields and a field to the my_custom_users table.
  3. Set the Display of the my_custom_list.my_custom_user field to User.

This will result in the "Unknown user" being displayed:
[screenshot: "Unknown user" in the list]

Hovering over the "Unknown user" text will result in a 403 (Forbidden) response in the network tab of the dev-tools, too, as it is using the URL with .../users/<id>?..., which returns forbidden - even for an administrator.

Directus Version

v10.11.0

Hosting Strategy

Self-Hosted (Docker Image)

Database

PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit

@br41nslug (Member)

> I dug deeper and found, that the following query is issued in the case of the "Unknown user":
>
> https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email
>
> However, the following query works properly:
>
> https://directus-mycv.my.family/users?id=eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email
>
> Note the users?id=... instead of users/<id>?....

This one, users?id=..., is not a valid API call; it will "work" in that the id parameter will get ignored and it will just list the users you have access to, as the /users endpoint would without the ?id= parameter.

If you're seeing a "permission denied" error in an admin account, then that is likely caused by the specific ID not existing. In this specific case it looks like you're trying to use the built-in "Users" display with a non-system users table, likely causing it to query system users with a custom user collection ID.
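The mismatch described in this reply can be caught before the UI ever issues the `/users/<id>` request. The check below is an added example, not code from the issue or from Directus: it compares a field's configured display with the relation's target collection, using objects shaped like the `data` payloads of `GET /fields/:collection/:field` and `GET /relations/:collection/:field` (the sample objects are constructed from the reproduction steps; `checkLive`, its parameters and the `data` unwrapping are assumptions).

```javascript
// Flags a field that uses the built-in "user" display while its relation does
// not point at directus_users. In that case the UI resolves the stored id via
// /users/<id>, which fails (403) because the id belongs to a custom collection.
function checkUserDisplay(field, relation) {
  const display = field?.meta?.display;
  if (display !== 'user') {
    // Only the "user" display assumes the related row lives in directus_users.
    return { ok: true, reason: `display is ${display ?? 'unset'}, nothing to check` };
  }
  const target = relation?.related_collection;
  if (target === 'directus_users') {
    return { ok: true, reason: 'user display targets directus_users' };
  }
  return {
    ok: false,
    reason:
      `user display on ${field.collection}.${field.field} resolves ids against ` +
      `/users/<id>, but the relation targets ${target ?? 'no collection'}; ` +
      `use the "Related values" display instead`,
  };
}

// Constructed samples modelled on the issue's reproduction steps (not real API output).
const brokenField = { collection: 'my_custom_list', field: 'my_custom_user', meta: { display: 'user' } };
const brokenRelation = { collection: 'my_custom_list', field: 'my_custom_user', related_collection: 'my_custom_users' };

const goodField = { collection: 'my_custom_users', field: 'user', meta: { display: 'user' } };
const goodRelation = { collection: 'my_custom_users', field: 'user', related_collection: 'directus_users' };

// Optional live variant against a running instance (assumed signature; requires
// a token with read access to the fields and relations endpoints). Not invoked here.
async function checkLive(baseUrl, token, collection, fieldName) {
  const headers = { Authorization: `Bearer ${token}` };
  const get = async (path) => (await (await fetch(`${baseUrl}${path}`, { headers })).json()).data;
  const field = await get(`/fields/${collection}/${fieldName}`);
  const relation = await get(`/relations/${collection}/${fieldName}`);
  return checkUserDisplay(field, relation);
}

console.log(checkUserDisplay(brokenField, brokenRelation));
console.log(checkUserDisplay(goodField, goodRelation));
```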

br41nslug closed this as not planned (won't fix, can't repro, duplicate, stale) on May 21, 2024

divStar commented May 21, 2024

The issue is I am receiving the 403 with this URL:
https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email.

The user absolutely does exist.

However, I think you are right: I tried to apply the User display to my custom user, which does not work. So it was a mistake on my end.

Thank you for your response!
