Add Access Control section and link it to best practices
Describe the Improvement
Docs about best practices for access control
Examples.
If you give someone full permissions to create on an M2M relation, they can create stuff through the API even if both sides of the relationship have custom permissions, so you can't see them. This would be a common misconfiguration since: (1) if you don't have create, you can't create the relation; (2) validation only goes one layer deep, so you can't validate something on one of the two sides of the relationship; (3) so you give full access, not realizing the risk that now anyone can, through the API, create relations through this M2M field. (Name this in the docs and add examples of how to fix this with hooks.)
Never give full control to create new so that they can't add custom admin roles to the users they create.
I think this could be interesting. Even framing it as "advanced access control" which could talk about these scenarios as well as how to use the custom permissions interface. What do you think @estheragbaje?
@phazonoverload The main reason why this is needed, in my opinion, is that there are a lot of ways to misconfigure it.
An easy one is using createdBy to check if they can do something, but in M2M you can't do this on create since it does not see relations: (1) disabled (I can't make my many-to-many relation); (2) can't use rules since I only have IDs and can't go deeper; (3) so you give full access, which means that anyone with that role can now create relations to anything, including to stuff that is protected by createdBy. And there is no clear documentation on how to protect it in this case with a flow or hooks.
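As an added example (not from this thread or the project's docs), here is what a create-time hook on the junction collection can check that a one-layer-deep permission rule cannot: that the item on the far side of the relation is owned (createdBy) by the requesting user. It assumes a Directus-style hook API, a junction collection `projects_members` with a `project_id` field pointing at `projects`, and a `createdBy` field on `projects`; all of those names are assumptions for illustration.

```javascript
// Assumed names for illustration: junction `projects_members`, parent `projects`.
const JUNCTION = 'projects_members';
const RELATIONS = [ // junction field -> parent collection it points at
  { field: 'project_id', collection: 'projects' },
];

// Pure check: every parent referenced by the junction rows must exist and be
// owned (createdBy) by the requesting user. Returns a list of violations.
function findForbiddenLinks(payload, userId, relations, getRelated) {
  const rows = Array.isArray(payload) ? payload : [payload];
  const problems = [];
  for (const row of rows) {
    for (const { field, collection } of relations) {
      const id = row[field];
      // A nested object is a create of the parent itself; the parent's own
      // create permission covers that path, so only plain IDs are checked here.
      if (id === undefined || id === null || typeof id === 'object') continue;
      const parent = getRelated(collection, id);
      if (!parent) problems.push(`${collection} ${id} does not exist`);
      else if (parent.createdBy !== userId) problems.push(`${collection} ${id} not owned by ${userId}`);
    }
  }
  return problems;
}

// Hook entry point (assumption: Directus hook API); use it as the default export
// of a hook extension. The parent row is read without accountability so the
// decision does not depend on the user's own read rules for that collection.
const junctionGuard = ({ filter }, { services, getSchema }) => {
  filter(`${JUNCTION}.items.create`, async (payload, meta, ctx) => {
    const schema = await getSchema();
    const cache = new Map();
    const rows = Array.isArray(payload) ? payload : [payload];
    for (const row of rows) {
      for (const { field, collection } of RELATIONS) {
        const id = row[field];
        if (id === undefined || id === null || typeof id === 'object') continue;
        const svc = new services.ItemsService(collection, { schema, knex: ctx.database });
        const parent = await svc.readOne(id, { fields: ['id', 'createdBy'] }).catch(() => null);
        cache.set(`${collection}:${id}`, parent);
      }
    }
    const lookup = (collection, id) => cache.get(`${collection}:${id}`) ?? null;
    const user = ctx.accountability ? ctx.accountability.user : null;
    const problems = findForbiddenLinks(payload, user, RELATIONS, lookup);
    if (problems.length > 0) throw new Error(`Forbidden relation: ${problems.join('; ')}`);
    return payload;
  });
};
```

The same check can be applied to the `items.update` filter of the junction collection if the relation fields are editable after creation.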
I’m agreeing - I think the scope could be expanded is what I meant.
@Boegie19 You've raised a good point about permissions on M2M relations. I can see how this can be a common mistake. We’d create a section in the docs to expand on best practices for access control.