We’re setting up role-based permissions in Directus.
Our setup looks like this:
- Users are linked to User Roles
- User Roles have specific Permissions configured (mostly set to Denied)
The problem:
When a user logs in via API, they can still edit or modify items that should be restricted based on their role’s permissions.
We’ve confirmed that:
- The users are correctly assigned to their roles.
- The roles have all non-allowed actions set to Denied.
- We expect the API to follow the same permission rules as the Directus studio.
However, even with these settings, users can still perform actions in the dashboard that go beyond their configured permissions.
Question
Why are the role permissions not being fully enforced in the API call?
Are there specific settings, caching behaviors, or known issues that could cause the API to ignore or override these permission rules?
Role permissions are fully enforced in the API. The studio app uses the same API itself, so it should also behave the same. I find this a bit hard to reproduce without more exact details on how exactly you've configured the policies for these roles. Has the problem since been resolved? If not, mind sharing some more details so we can reproduce and debug this locally?
– rijkvanzanten
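One way to produce the reproduction details asked for above, as an added example that is not part of the original thread: a Python probe that logs in as a user holding only the restricted role, records which role the token actually resolves to, and attempts an update the policy should deny. The Directus endpoints used (POST /auth/login, GET /users/me, PATCH /items/:collection/:id) are real; BASE_URL, the credentials, the collection and item id are assumptions, and fake_directus is a constructed stand-in so the example runs offline.

```python
"""Probe whether a restricted Directus role is enforced over the REST API.
Added example, not from the original post; assumes a Directus instance at
BASE_URL and a user who holds only the restricted role. fake_directus is a
constructed stand-in so the probe can run offline."""
import io, json, urllib.error, urllib.request

BASE_URL = "http://localhost:8055"  # assumed local instance

def http_json(method, path, body=None, token=None, opener=urllib.request.urlopen):
    """Send a JSON request; return (status, parsed body). 4xx is returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def probe_denied_update(email, password, collection, item_id, opener=urllib.request.urlopen):
    """Log in as the restricted user and attempt an update the role denies.
    An enforced Denied permission answers 403 with error code FORBIDDEN."""
    status, login = http_json("POST", "/auth/login",
                              {"email": email, "password": password}, opener=opener)
    if status != 200:
        return {"step": "login", "status": status, "enforced": None}
    token = login["data"]["access_token"]
    # Record which role the token resolves to: a probe run with an admin token
    # is allowed everything and proves nothing about the restricted role.
    _, me = http_json("GET", "/users/me?fields=role", token=token, opener=opener)
    status, body = http_json("PATCH", f"/items/{collection}/{item_id}",
                             {"title": "probe"}, token=token, opener=opener)
    codes = {e.get("extensions", {}).get("code") for e in body.get("errors", [])}
    return {"step": "update", "role": me.get("data", {}).get("role"),
            "status": status, "enforced": status == 403 and "FORBIDDEN" in codes}

class _FakeResponse(io.BytesIO):
    def __init__(self, status, payload):  # constructed: readable body plus status
        super().__init__(json.dumps(payload).encode())
        self.status = status

def fake_directus(req):
    """Constructed stand-in for an instance whose role denies item updates."""
    path = req.full_url[len(BASE_URL):]
    if req.get_method() == "POST" and path == "/auth/login":
        return _FakeResponse(200, {"data": {"access_token": "constructed-token"}})
    if path.startswith("/users/me"):
        return _FakeResponse(200, {"data": {"role": "constructed-role-id"}})
    denied = {"errors": [{"extensions": {"code": "FORBIDDEN"}}]}
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {},
                                 io.BytesIO(json.dumps(denied).encode()))
```

Run against a real instance by dropping the `opener` argument; a result with `"enforced": True` and the expected role id confirms the API is applying the Denied permission for that role, while an allowed update together with a different role id points at the token rather than at the policy.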