test(perms): pin canAction behaviour against Directus's access: 'full' quirk

smartlabsAT · smartlabsAT · commit 0a09e5554d58 · 2026-05-11T13:44:54.000+02:00
Critical-review finding that turned into a regression test instead of a
behaviour change.

Real `/permissions/me` payloads from Directus 11 set `access: 'full'`
even when `fields` is an explicit allow-list — e.g. a restricted user's
read entry on `issue_37_test`:

  { "access": "full", "fields": ["id", "title", "translations"] }

(no `thumbnail`). The natural-language reading of `'full'` suggests
unrestricted access, but in practice `fields` remains the authoritative
gate; Directus uses `access` as a coarser hint that does not override
the whitelist. Short-circuiting on `access === 'full'` would let denied
fields through and silently re-introduce the original Bug A-D class.

- Add a comment on `canAction` documenting why we deliberately don't
  trust `access` for the field check.
- Add a regression test mirroring the real payload shape so a future
  contributor's "obvious cleanup" cannot remove this guard unnoticed.

181/181 tests, type-check, lint, prettier all green.
diff --git a/src/composables/usePermissions.ts b/src/composables/usePermissions.ts
@@ -40,6 +40,10 @@ export function usePermissions() {
 
     if (!field) return true;
 
+    // `entry.fields` is the authoritative field-level whitelist. `access` is
+    // a coarser hint that Directus also reports as `'full'` for permissions
+    // whose `fields` is an explicit allow-list — so do NOT short-circuit on
+    // `access === 'full'` here, that would let denied fields through.
     const fields = entry.fields ?? [];
     if (fields.includes('*')) return true;
     return fields.includes(field);
diff --git a/tests/unit/composables/usePermissions.test.ts b/tests/unit/composables/usePermissions.test.ts
@@ -35,6 +35,18 @@ describe('usePermissions.canRead', () => {
     expect(canRead('issue_37_test', 'anything')).toBe(true);
   });
 
+  // Directus reports `access: 'full'` even when the field-level whitelist is
+  // a restricted subset — `fields` stays the authoritative gate.
+  it('honours the field whitelist even when access is reported as full', () => {
+    mockPermissions.value.issue_37_test.read = {
+      access: 'full',
+      fields: ['id', 'title'],
+    };
+    const { canRead } = usePermissions();
+    expect(canRead('issue_37_test', 'title')).toBe(true);
+    expect(canRead('issue_37_test', 'thumbnail')).toBe(false);
+  });
+
   it('returns false when collection has access "none"', () => {
     mockPermissions.value.issue_37_test.read.access = 'none';
     const { canRead } = usePermissions();
