Document Permissions being affected by the relational API Limit

Open NecoHorne opened this issue 1 year ago • 8 comments

Describe the Bug

Permissions O2M / M2O checks are limited to 100. I have a role, the role has a O2M relation from the directus_users table to customers.

In the permissions I use a custom permission on the read field of the customer table, so the role can see anything they have created and any customers that have been assigned to them:

{
  "_and": [
    {
      "_or": [
        {
          "user_created": {
            "_eq": "$CURRENT_USER"
          }
        },
        {
          "id": {
            "_in": [
              "$CURRENT_USER.customers"
            ]
          }
        }
      ]
    }
  ]
}

This works as expected except when a user has more than 100 customers assigned to them. I think the permissions check is hitting the internal API limit of 100 and just returning the first 100 customers in the data studio and API. This has a knock-on effect for other items related to the customers, like statements, where the permissions do a similar check on customer and only return the statements of the first 100 customers.

Double-checked in MySQL to confirm the issue.

SELECT COUNT(id) AS numberOfCustomers FROM customer where account_manager = 'e1ef5c49-942e-451d-a1f0-89f33ec6258c';

returns 250 but in the API and data studio it only shows the first 100 customers.

under the role: [image]

I have not found a way to remove the limit from the permissions using filter rules other than changing the QUERY_LIMIT_DEFAULT on the ENV file.

Hosting is self-hosted: an Ubuntu instance with MySQL, tested on older versions of Directus and the latest version (v10.10.5).

To Reproduce

O2M relationship between users and a table where the user has more than 100 items assigned to them, then configure permissions for a role according to that relationship.

Directus Version

10.10.5

Hosting Strategy

Self-Hosted (Custom)

NecoHorne avatar Apr 15 '24 07:04 NecoHorne
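A small model of the check described in the report, added here as an example (not part of the issue and not Directus's own code): it evaluates the quoted permission filter over a constructed set of 250 assigned customers and, as the reporter suspects, caps the values resolved for $CURRENT_USER.customers at a configurable relational limit, which silently hides every customer past the cap. The field names, user IDs and the cap behaviour are assumptions for the simulation.

```python
import json

# The permission filter quoted in the issue, verbatim.
PERMISSION_FILTER = json.loads("""
{"_and": [{"_or": [
  {"user_created": {"_eq": "$CURRENT_USER"}},
  {"id": {"_in": ["$CURRENT_USER.customers"]}}
]}]}
""")

def resolve(value, user, relational_limit):
    """Resolve $CURRENT_USER and $CURRENT_USER.<relation>. The cap models the
    relational query limit the report suspects (assumption, not Directus code)."""
    if value == "$CURRENT_USER":
        return user["id"]
    if isinstance(value, str) and value.startswith("$CURRENT_USER."):
        related = user[value.split(".", 1)[1]]
        return related if relational_limit is None else related[:relational_limit]
    return value

def matches(item, node, user, relational_limit):
    """Evaluate a Directus-style filter tree (_and/_or/_eq/_in) against one row."""
    results = []
    for key, cond in node.items():
        if key == "_and":
            results.append(all(matches(item, c, user, relational_limit) for c in cond))
        elif key == "_or":
            results.append(any(matches(item, c, user, relational_limit) for c in cond))
        else:
            (op, operand), = cond.items()
            if op == "_eq":
                results.append(item[key] == resolve(operand, user, relational_limit))
            elif op == "_in":
                allowed = []
                for v in operand:
                    r = resolve(v, user, relational_limit)
                    allowed.extend(r if isinstance(r, list) else [r])
                results.append(item[key] in allowed)
            else:
                raise ValueError(f"unsupported operator {op}")
    return all(results)

def visible_customers(customers, user, relational_limit=None):
    """IDs the role may read; None means no cap on the relational values."""
    return [c["id"] for c in customers if matches(c, PERMISSION_FILTER, user, relational_limit)]

def build_fixture(assigned=250):
    """Constructed sample: one account manager with `assigned` customers created by someone else."""
    customers = [{"id": f"cust-{i}", "user_created": "someone-else"} for i in range(assigned)]
    user = {"id": "manager-1", "customers": [c["id"] for c in customers]}
    return customers, user

def truncation_gap(customers, user, relational_limit):
    """Rows the user should see but silently loses under the cap: a quick audit check."""
    return len(visible_customers(customers, user)) - len(visible_customers(customers, user, relational_limit))
```

With the default fixture the uncapped evaluation returns all 250 customers while a cap of 100 returns only the first 100, matching the counts the report observed; rows the user created themselves still pass through the `_or` branch regardless of the cap.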