Logged in as an administrator, the following Dart code is failing with a 403…
final response = await get(
'directus_users',
query: {
'fields': 'id,email',
'filter': {
'email': {'_eq': email},
},
'limit': 1,
},
);
Where get() method is…
Future<Map<String, dynamic>> get(
String collection, {
String? id,
Map<String, dynamic>? query,
bool? authRequiredOverride, // null => auto
}) async {
final path = id != null ? '/items/$collection/$id' : '/items/$collection';
final authRequired = doesPathRequireAuth(path, method: 'GET', override: authRequiredOverride);
Future<Response> doRequest() => _dio.get(path, queryParameters: query);
try {
final Response response = authRequired
? await _authenticatedRequest(doRequest) // Private (auth req'd)
: await doRequest(); // Public
return response.data as Map<String, dynamic>;
} catch (e) {
_logger.severe('Dio.get error: $e');
rethrow;
}
}
Here’s the very unhelpful DIO exception in my log…
flutter: SEVERE: 2026-02-23 22:10:59.732033: DirectusService: Dio.get error: DioException [bad response]: This exception was thrown because the response has a status code of 403 and RequestOptions.validateStatus was configured to throw for this status code.
The status code of 403 has the following meaning: "Client error - the request contains bad syntax or cannot be fulfilled"
Read more about status codes at https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
In order to resolve this exception you typically have either to verify and fix your request code or you have to fix the server code.
This method works great in 1,000 other contexts, so it’s not the method.
I have set READ permissions for my app’s main user policy AND the public policy to wide open for directus_users. But even still, I’m using an admin user to make the query, so it can’t be the permissions (though obviously I need my normal user permissions to suffice for this somehow).
In a browser, this successfully returns the id of my admin user:
https://[API Server]/users/me?fields=id
But this returns a 403-Forbidden:
https://data.foundinjesus.app/items/directus_users?fields=id
Here’s the browser error:
{"errors":[{"message":"You don't have permission to access this.","extensions":{"code":"FORBIDDEN"}}]}
There’s got to be something special about this system collection that I have to do in addition to setting up roles and policies the way I do for every other table. Does anyone know what that might be?