Document Permissions being affected by the relational API Limit #22197

Open
NecoHorne opened this issue Apr 15, 2024 · 12 comments

Comments

@NecoHorne

NecoHorne commented Apr 15, 2024

Describe the Bug

Permissions O2M / M2O checks are limited to 100.
I have a role, the role has a O2M relation from the directus_users table to customers.

In the permissions I use a custom permission on the read field of the customer table: So the role can see anything they have created and any customers that have been assigned to them

{
  "_and": [
    {
      "_or": [
        {
          "user_created": {
            "_eq": "$CURRENT_USER"
          }
        },
        {
          "id": {
            "_in": [
              "$CURRENT_USER.customers"
            ]
          }
        }
      ]
    }
  ]
}

This works as expected except when a user has more than 100 customers assigned to them. I think the permissions check is hitting the internal API limit of 100 and just returning the first 100 customers in the data studio and API. This has a knock-on effect for other items related to the customers, like statements, where the permissions do a similar check on customer and only return the statements of the first 100 customers.

Double checked in MySQL to confirm the issue.

SELECT COUNT(id) AS numberOfCustomers FROM customer where account_manager = 'e1ef5c49-942e-451d-a1f0-89f33ec6258c';

returns 250 but in the API and data studio it only shows the first 100 customers.

under the role:
[screenshot]

I have not found a way to remove the limit from the permissions using filter rules other than changing the QUERY_LIMIT_DEFAULT on the ENV file.

Hosting is self-hosted, an Ubuntu instance with MySQL; tested on older versions of Directus and the latest version (v10.10.5).

To Reproduce

O2M relationship between users and a table where the user has more than 100 items assigned to them, then configure permissions for a role according to that relationship.

Directus Version

10.10.5

Hosting Strategy

Self-Hosted (Custom)

@br41nslug
Member

> I have not found a way to remove the limit from the permissions using filter rules other than changing the QUERY_LIMIT_DEFAULT on the ENV file.

As you've found, you can change this default limit using the QUERY_LIMIT_DEFAULT environment variable, or by providing a limit (https://docs.directus.io/reference/query.html#limit) either on the main collection or via deep->_limit (https://docs.directus.io/reference/query.html#deep) for relations, as long as it is smaller than the QUERY_LIMIT_MAX.

The App itself should paginate where possible. Is the issue here that pagination is missing somewhere?

Closing the issue for now as the limit itself is by design.

@br41nslug br41nslug closed this as not planned Apr 15, 2024
@NecoHorne
Author

NecoHorne commented Apr 15, 2024

Hi @br41nslug

The issue is in the permissions checks themselves for the role. I know how to change the limit when using the API.
[screenshot]

api/src/services/permissions/index.ts extends ItemsService, which is bound by the default query limit. For permissions, should this not check all instead of being limited? If it was by design I will just change the QUERY_LIMIT_DEFAULT variable. I understand the limit for the API, but for custom permissions it should probably check all, or document somewhere that it will only check the first default query limit of relations.

I will try out the deep limits on the permissions, thanks for responding.

@br41nslug
Member

br41nslug commented Apr 15, 2024

Ah, hate to say it but that second rule, ID is one of [<large array>] (*note the nested array), won't work either way 😬

So the core issue is that relational values gotten via dynamic variables ($current_user.something) are hitting the default limit 🤔 I am torn between that being intentional or not, as loading in 100+ items for each permission check ain't great for performance.
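To make the behaviour discussed above concrete, here is an added example (not Directus code, and not from anyone in this thread): a toy evaluator for the reporter's read rule in which the lookup behind `$CURRENT_USER.customers` is capped by a query limit, followed by the check a maintainer would run to find roles at risk, which is the same comparison as the reporter's SQL COUNT against the limit. The function names (`loadRelation`, `visibleCustomers`, `auditRelationLimit`) and the sample data are constructed for the illustration.

```javascript
// Added example, not Directus code: a toy evaluator for the permission filter from
// this thread, with a relational lookup for "$CURRENT_USER.<relation>" that is capped
// by a query limit, plus an audit that flags users whose relation exceeds the cap.
// Names (loadRelation, auditRelationLimit) and all data below are constructed.

const QUERY_LIMIT_DEFAULT = 100; // Directus default discussed in the thread

// Constructed sample data: user-a has 250 assigned customers (the reporter's case),
// user-b has 40, and one customer was created by user-a but assigned to user-b.
function makeCustomers(userId, n) {
  return Array.from({ length: n }, (_, i) => ({
    id: `${userId}-cust-${i + 1}`,
    account_manager: userId,
    user_created: "someone-else",
  }));
}
const customers = [
  ...makeCustomers("user-a", 250),
  ...makeCustomers("user-b", 40),
  { id: "self-made", account_manager: "user-b", user_created: "user-a" },
];

// The reporter's read rule, as posted in the issue.
const readRule = {
  _and: [
    {
      _or: [
        { user_created: { _eq: "$CURRENT_USER" } },
        { id: { _in: ["$CURRENT_USER.customers"] } },
      ],
    },
  ],
};

// Simulates the relational lookup behind "$CURRENT_USER.customers". Like the
// ItemsService-backed lookup described in the thread, it returns at most `limit` ids.
function loadRelation(userId, relation, limit) {
  if (relation !== "customers") throw new Error(`unknown relation ${relation}`);
  return customers
    .filter((c) => c.account_manager === userId)
    .slice(0, limit)
    .map((c) => c.id);
}

// Resolves dynamic variables: "$CURRENT_USER" -> the user id, "$CURRENT_USER.x" -> the
// (capped) list of related ids; arrays are flattened so `_in` gets a flat id list.
function resolveValue(value, userId, limit) {
  if (Array.isArray(value)) return value.flatMap((v) => resolveValue(v, userId, limit));
  if (value === "$CURRENT_USER") return userId;
  if (typeof value === "string" && value.startsWith("$CURRENT_USER.")) {
    return loadRelation(userId, value.slice("$CURRENT_USER.".length), limit);
  }
  return value;
}

// Evaluates a filter object (_and, _or, and field-level _eq/_in) against one item.
function matches(item, filter, userId, limit) {
  for (const [key, cond] of Object.entries(filter)) {
    if (key === "_and") {
      if (!cond.every((f) => matches(item, f, userId, limit))) return false;
    } else if (key === "_or") {
      if (!cond.some((f) => matches(item, f, userId, limit))) return false;
    } else {
      for (const [op, raw] of Object.entries(cond)) {
        const expected = resolveValue(raw, userId, limit);
        if (op === "_eq" && item[key] !== expected) return false;
        if (op === "_in" && !expected.includes(item[key])) return false;
        if (op !== "_eq" && op !== "_in") throw new Error(`unsupported operator ${op}`);
      }
    }
  }
  return true;
}

// What the user would see under the rule with a given limit.
function visibleCustomers(userId, limit = QUERY_LIMIT_DEFAULT) {
  return customers.filter((c) => matches(c, readRule, userId, limit));
}

// Audit: compare each user's true relation size (what the SQL COUNT in the issue
// returns) with the limit and report the ones whose permissions would be truncated.
function auditRelationLimit(limit = QUERY_LIMIT_DEFAULT) {
  const counts = new Map();
  for (const c of customers) {
    counts.set(c.account_manager, (counts.get(c.account_manager) ?? 0) + 1);
  }
  return [...counts]
    .filter(([, actual]) => actual > limit)
    .map(([userId, actual]) => ({ userId, actual, hidden: actual - limit }));
}

console.log("user-a (250 assigned) sees", visibleCustomers("user-a").length, "with the default limit");
console.log("user-a sees", visibleCustomers("user-a", 250).length, "with limit 250");
console.log("audit:", auditRelationLimit());
```

With the default limit, user-a sees 100 of the 250 assigned customers plus the one they created themselves, and the audit reports 150 hidden rows for that user; raising the limit to 250 makes all of them visible. Nothing in the rule itself signals the truncation, which is why a count-based check like the audit above (or the reporter's SQL COUNT) is the practical way to detect the problem on a real instance.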

@NecoHorne
Author

I increased the QUERY_LIMIT_DEFAULT to 250 and it gives the expected results based on the second rule.

@br41nslug
Member

> I increased the QUERY_LIMIT_DEFAULT to 250 and it gives the expected results based on the second rule.

Interesting, maybe that only applies to M2M relations then, fascinating 🤔

@NecoHorne
Author

> I am torn between that being intentional or not, as loading in 100+ items for each permission check ain't great for performance.

I thought this might have been an intentional design choice based on performance but was not sure; I could not find it documented anywhere that permissions would check based on the default query limit.

@NecoHorne
Author

> I increased the QUERY_LIMIT_DEFAULT to 250 and it gives the expected results based on the second rule.

> Interesting, maybe that only applies to M2M relations then, fascinating 🤔

For M2M relations I have found this to work for nested arrays:

[screenshot]

{
  "_and": [
    {
      "_or": [
        {
          "customer": {
            "id": {
              "_in": [
                "$CURRENT_USER.customers"
              ]
            }
          }
        },
        {
          "customer": {
            "id": {
              "_in": [
                "$CURRENT_USER.companies.customer_id"
              ]
            }
          }
        }
      ]
    }
  ]
}

It hits the same default query limit, but these arrays are much smaller, as a customer might only be part of about 10 companies max, so the limit is not an issue for me here.

@br41nslug
Member

Fascinating, that is however a separate issue I was debugging before the weekend. Am kinda wondering why that works for ya, but let's keep this one on topic 😄

@br41nslug
Member

> It hits the same default query limit, but these arrays are much smaller, as a customer might only be part of about 10 companies max, so the limit is not an issue for me here.

Yeah, the 100 default was chosen as a "sensible default" (same as the max nesting limit), so I'm leaning towards this being intentional and needing some docs on the matter to make sure people know about it 🤔

@NecoHorne
Author

Thanks for responding.

I think it might need to be mentioned somewhere here (configure-custom-permissions) so others don't fall into the same trap. I first thought it was my permissions, but if they were wrong the user would have seen nothing and not 100 items, so then I looked at the source code of the Permissions Service, saw it extended the ItemsService and figured it was hitting the default query limit.

@br41nslug
Member

Re-opening as an issue for documentation to make sure it doesn't get forgotten 😄

@br41nslug br41nslug reopened this Apr 15, 2024
@br41nslug br41nslug changed the title API Limit issue on permissions O2M check Document Permissions being affected by the relational API Limit Apr 15, 2024
@NecoHorne
Author

@br41nslug much appreciated. If you would like to discuss my M2M permissions setup for your other debugging issue, I would be happy to send you the schema on Discord DM if it helps out your debugging of M2M permissions.
