Perhaps this issue is related to #17117 - not sure.
This was not an issue in one of the previous versions (I know for sure it was no issue in Directus v10.4.x).
I have a couple of collections.
One is "MyCV user", which contains a 1:1 relation to the "directus_users" collection as well as some settings in regards to my application.
When I edit a MyCV user, everything displays properly - no issues whatsoever.
When displaying the list of MyCV users, instead of the actual user, I see "Unknown user" with no avatar:
I get a 403 Forbidden if I hover over the "Unknown User":
Note that I've chosen "User" for the "Display" property of the field:
If I choose "Related values" and fill those in (e.g. Avatar, last name, first name) - it's displayed properly.
I dug deeper and found that the following query is issued in the case of the "Unknown user":
However, the following query works properly:
Note the `users?id=...` instead of `users/<id>?...`.
I just double-checked it and the following worked to reproduce the issue:
1. Create a collection `my_custom_users`, include all default fields (status, created-date, etc. - not sure if this is necessary) as well as a many-to-one relation to the `directus_users` collection.
2. Create a collection `my_custom_list`, include all default fields and a field to the `my_custom_users` table.
3. Set the `Display` of the `my_custom_list.my_custom_user` field to `User`.
This will result in the "Unknown user" being displayed:
Hovering over the "Unknown user" text will result in a 403 (Forbidden) response in the network tab of the dev-tools, too, as it is using the URL with `.../users/<id>?...`, which returns forbidden - even for an administrator.
Directus Version
v10.11.0
Hosting Strategy
Self-Hosted (Docker Image)
Database
PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
This one `users?id=...` is not a valid API call, it will work as in the `id` parameter will get ignored and it will just list the users you have access to as the `/users` endpoint would without the `?id=` parameter.
If you're seeing a "permission denied error" in an admin account then that is likely caused by the specific ID not existing. In this specific case it looks like you're trying to use the built-in "Users" display with a non-system users table likely causing it to query system users with a custom user collection ID.
The issue is I am receiving the 403 with this URL: https://directus-mycv.my.family/users/eff301fd-341c-4ef0-a12b-2a158f3e0a2a?fields[]=id&fields[]=first_name&fields[]=last_name&fields[]=avatar.id&fields[]=role.name&fields[]=status&fields[]=email.
The user absolutely does exist.
However: I think you are right: I tried to apply the User-Display to my custom user - which does not work. So it was a mistake on my end.
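The diagnosis reached in this thread, modelled as an added example (not part of the thread and not Directus code): the collections, IDs and helper names are constructed, and the two behaviours shown, 403 for an ID that does not exist in the queried collection and an ignored `id` query parameter, are taken from the maintainer's explanation above.

```javascript
// In-memory model of the two request shapes discussed in the thread.
// All rows, IDs and function names are constructed for illustration.
const collections = {
  directus_users: [
    { id: "u-1", first_name: "Ada", last_name: "Admin" },
    { id: "u-2", first_name: "Bob", last_name: "Editor" },
  ],
  // Custom collection: its rows have their own primary keys and point at a system user.
  my_custom_users: [{ id: "c-9", user: "u-1", status: "published" }],
};

// Query parameters this model's list endpoint understands; anything else is dropped.
const KNOWN_QUERY = new Set(["fields", "filter", "limit", "sort"]);

// GET /<collection>/<id>: a missing row is answered with 403, the same as a forbidden
// row, so the status code does not reveal which primary keys exist.
function readOne(collection, id) {
  const row = collections[collection].find((r) => r.id === id);
  return row ? { status: 200, data: row } : { status: 403, data: null };
}

// GET /<collection>?...: an unknown parameter such as `id` is ignored, not used as a
// filter, so the call "works" but returns every row the caller may read.
function readMany(collection, query) {
  const ignored = Object.keys(query).filter((k) => !KNOWN_QUERY.has(k));
  return { status: 200, data: collections[collection], ignored };
}

// A user-style display treats the field value as a directus_users primary key.
function userDisplayLookup(fieldValue) {
  return readOne("directus_users", fieldValue);
}

// Following the relation through the custom collection reaches the real system user.
function resolveViaCustom(customId) {
  const custom = readOne("my_custom_users", customId);
  return custom.status === 200 ? readOne("directus_users", custom.data.user) : custom;
}

console.log(userDisplayLookup("c-9").status);                       // custom key used as user key
console.log(readMany("directus_users", { id: "c-9" }).data.length); // id ignored, full list
console.log(resolveViaCustom("c-9").data.first_name);               // relation followed correctly
```
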