Creation permission based on relation?

CRUGG · June 29, 2025, 11:28am

Hey there,

I want to create what is more or less a ticket system using Directus.

I have a ticket model and a ticket_message model. There’s a one-to-many relation between the two.

How would I set up the permissions so that users can only create ticket messages related to their own tickets?

I’ve tried to set up an access policy, but there I can only create a validation for the ticket_id itself, not for the user_created field on the related item.

ahmad_quvor · June 29, 2025, 1:52pm

Hello,

You can set the field as mentioned in the below image, in that way whoever is creating the ticket it will be stored that user ID

CRUGG · June 29, 2025, 2:02pm

Yes, that’s the approach I currently have for creating tickets.
What I am talking about however is creating ticket messages. I only want users to be able to create messages related to tickets that they have created.

ahmad_quvor · June 29, 2025, 2:43pm


import { defineHook } from '@directus/extensions-sdk';

export default defineHook(({ filter }, { services }) => {
  const { ItemsService } = services;

  filter('ticket_messages.items.create', async (payload, { database, schema, accountability }) => {
    const currentUserId = accountability?.user;

    if (!currentUserId) {
      throw new Error('Unauthorized: No user found in request.');
    }

    const ticketId = payload.ticket_id;

    if (!ticketId) {
      throw new Error('ticket_id is required.');
    }

    const ticketService = new ItemsService('ticket', {
      database,
      schema,
      accountability,
    });

    const ticket = await ticketService.readOne(ticketId, {
      fields: ['id', 'user_created'],
    });

    if (ticket.user_created !== currentUserId) {
      throw new Error('You can only post messages to your own tickets.');
    }

    return payload; // required
  });
});

Nik · June 29, 2025, 3:14pm

If you want to solve this solely with permissions, there is an Directus Dev blog post describing a pretty similar use case. (There seems to be a strange redirect for the provided link in place. The url is: https://docs.directus.io/blog/building-a-support-system-in-the-directus-data-studio.html but i guess you have to google for “directus dev blog ticket system”)
(Maybe someone from Directus @bryantgillespie can figure out, why this url is redirected to https://directus.io/docs/tutorials)

Basically you are looking for a rule limiting the update permission to $CURRENT_USER dynamic variable
(Even this link doesn’t seem to work atm. google for “directus filter rules”)

Topic		Replies	Views
Directus user read permissions on specific users Help	1	23	May 21, 2025
How to use an external system’s ID (e.g. Lightspeed) as the primary key in Directus collection? Help data-modeling , custom-extensions	2	18	June 13, 2025
Using Directus permissions and access policies in existing Node backend Help	1	52	April 30, 2025
New User fields not editable for non admins Help permissions	1	38	June 14, 2025
Multi-tenant, Different roles per tenant Help data-modeling , permissions , authentication	4	77	May 21, 2025

Creation permission based on relation?

Related topics