We’re setting up role-based permissions in Directus.
Our setup looks like this:
- Users are linked to User Roles
- User Roles have specific Permissions configured (mostly set to Denied)
The problem:
When a user logs in via API, they can still edit or modify items that should be restricted based on their role’s permissions.
We’ve confirmed that:
- The users are correctly assigned to their roles.
- The roles have all non-allowed actions set to Denied.
- We expect the API to follow the same permission rules as the Directus Studio.
However, even with these settings, users can still perform actions in the dashboard that go beyond their configured permissions.
Question
Why are the role permissions not being fully enforced in the API call?
Are there specific settings, caching behaviors, or known issues that could cause the API to ignore or override these permission rules?