fix(perms): scope-aware filter sanitisation for translation sub-fields (I-1)

Previously `sanitizeFilter` only checked the root field of each filter
clause, so a search/filter like
  { translations: { _some: { description: { _icontains: 'foo' } } } }
slipped through unchanged when the user had read on `translations` but
not on the `description` sub-field of the junction collection. The API
then rejected the query with 403 and the layout showed an empty table —
exactly the symptom Bug E was supposed to eliminate.

Fix: extend `sanitizeFilter` with a `nestedScopes` option mapping
parent-field-name → nested-collection-name. The walker now:
  - treats _some / _none / _every as relation-match operators that
    recurse with the same scope (we are already inside the relation)
  - recurses into the value of a configured nested-scope field with
    the nested collection set as scope
  - calls canRead(field, scope) so the caller can dispatch to the
    right collection's permissions

Caller in super-table.vue passes
  { nestedScopes: { translations: <junction collection> } }
and uses (field, scope) => permissions.canRead(scope ?? collection, field).

Tests:
  - 6 baseline tests still pass (canRead's optional second arg is
    backward-compatible).
  - 7 new tests cover the nested cases: _some/_none/_every, mixed
    siblings (one allowed one denied), translation branch dropped
    inside _or, no-options backward-compat, and the trivial case
    where filter never touches the nested scope.

Live verification: as the test user, with description read removed
from the junction collection and the bookmark filter set to
{translations: {_some: {description: {_icontains: 'test'}}}}, the
items query is now sent without any filter clause and returns 200 OK
with all three items, instead of 403 and an empty table.

Surfaced by code review on PR #57.

Author: smartlabsAT

src/super-table.vue

@@ -921,7 +921,21 @@ const sanitizedFilterResult = computed(() => {
     filters.length === 0 ? undefined : filters.length === 1 ? filters[0] : { _and: filters };
   if (!merged) return { sanitized: undefined, removed: [] as string[] };
 
-  return sanitizeFilter(merged, (field: string) => permissions.canRead(collection.value, field));
+  // Permission check is scope-aware: when the walker descends into the
+  // translations junction (via `_some`/`_none`/`_every`), `scope` will be
+  // the junction collection name and we check sub-field permissions there
+  // instead of on the parent collection. Without this, a filter like
+  // `{ translations: { _some: { description: ... } } }` would slip past
+  // the parent `canRead('translations')` check and hit the server with a
+  // sub-field the user can't read — re-opening Bug E for nested filters.
+  const nestedScopes: Record<string, string | undefined> = {
+    translations: translationsCollectionRef.value ?? undefined,
+  };
+  return sanitizeFilter(
+    merged,
+    (field, scope) => permissions.canRead(scope ?? collection.value, field),
+    { nestedScopes }
+  );
 });
 
 const combinedFilter = computed(() => (sanitizedFilterResult.value.sanitized ?? undefined) as any);

src/utils/sanitizeFilter.ts

@@ -5,43 +5,109 @@ export interface SanitizeResult {
   removed: string[];
 }
 
+export interface SanitizeFilterOptions {
+  /**
+   * Map from a parent-field name to the collection it nests into.
+   * When the walker traverses into the value of a field listed here,
+   * inner field names will be checked against the nested collection's
+   * permissions instead of the outer scope.
+   *
+   * Example: `{ translations: 'pages_translations' }`
+   *  - Top-level `translations` is checked against the parent collection.
+   *  - Sub-fields inside relation match operators (`_some`, `_none`, `_every`)
+   *    are checked against `pages_translations`.
+   */
+  nestedScopes?: Record<string, string | undefined>;
+}
+
 const LOGICAL_KEYS = new Set(['_and', '_or']);
+const RELATION_MATCH_OPS = new Set(['_some', '_none', '_every']);
 
+/**
+ * Walk a Directus filter tree and remove conditions that reference fields
+ * the caller can't read. Logical operators (`_and`, `_or`) collapse if all
+ * their branches are dropped. Relation match operators (`_some`, `_none`,
+ * `_every`) recurse into a nested scope when configured via `nestedScopes`,
+ * so e.g. `{ translations: { _some: { description: ... } } }` is checked
+ * both at the parent level (translations field readable?) and at the
+ * junction collection level (description field readable?).
+ *
+ * The `canRead` callback receives `(field, scope?)`. When `scope` is
+ * undefined, the caller should check against the outer/parent collection.
+ * When `scope` is set (matches a value from `nestedScopes`), the caller
+ * should check against that collection.
+ */
 export function sanitizeFilter(
   filter: FilterValue,
-  canRead: (field: string) => boolean
+  canRead: (field: string, scope?: string) => boolean,
+  options: SanitizeFilterOptions = {}
 ): SanitizeResult {
   const removed: string[] = [];
+  const nestedScopes = options.nestedScopes ?? {};
+
+  function isEmpty(node: FilterValue): boolean {
+    if (node === null || node === undefined) return true;
+    if (Array.isArray(node)) return node.length === 0;
+    if (typeof node === 'object') return Object.keys(node).length === 0;
+    return false;
+  }
 
-  function walk(node: FilterValue): FilterValue {
+  function walk(node: FilterValue, scope?: string): FilterValue {
     if (node === null || node === undefined || typeof node !== 'object') return node;
 
     if (Array.isArray(node)) {
-      const cleaned = node
-        .map((entry) => walk(entry as FilterValue))
-        .filter((entry) => {
-          if (entry === null) return false;
-          if (typeof entry === 'object' && !Array.isArray(entry) && Object.keys(entry).length === 0)
-            return false;
-          return true;
-        });
-      return cleaned;
+      return node
+        .map((entry) => walk(entry as FilterValue, scope))
+        .filter((entry) => !isEmpty(entry as FilterValue));
     }
 
     const out: Record<string, unknown> = {};
     for (const [key, value] of Object.entries(node)) {
+      // Logical: `_and` / `_or` — recurse into the array, same scope.
       if (LOGICAL_KEYS.has(key)) {
-        const cleaned = walk(value as FilterValue);
+        const cleaned = walk(value as FilterValue, scope);
         if (Array.isArray(cleaned) && cleaned.length > 0) out[key] = cleaned;
         continue;
       }
 
+      // Relation match: `_some` / `_none` / `_every` — recurse into the
+      // single inner filter object, same scope (we are already inside the
+      // relation; the parent established the scope before calling us).
+      if (RELATION_MATCH_OPS.has(key)) {
+        const cleaned = walk(value as FilterValue, scope);
+        if (!isEmpty(cleaned)) out[key] = cleaned;
+        continue;
+      }
+
+      // Other operators (`_eq`, `_icontains`, etc.) — leaf, passthrough.
+      if (key.startsWith('_')) {
+        out[key] = value;
+        continue;
+      }
+
+      // Field name — check permission at the current scope.
       const rootField = key.split('.')[0];
-      if (!canRead(rootField)) {
+      if (!canRead(rootField, scope)) {
         removed.push(key);
         continue;
       }
 
+      // Field is allowed at this scope. Does traversing into its value
+      // open a nested scope (e.g. translations → pages_translations)?
+      const nestedScope = nestedScopes[rootField];
+      if (nestedScope && value && typeof value === 'object' && !Array.isArray(value)) {
+        const cleanedInner = walk(value as FilterValue, nestedScope);
+        if (!isEmpty(cleanedInner)) {
+          out[key] = cleanedInner;
+        }
+        // If the inner walk dropped everything, the parent's clause is
+        // implicitly removed too. We do NOT push the parent to `removed[]`
+        // because the parent itself was permitted — the user-visible
+        // "removed fields" list contains the actual sub-fields that lost
+        // access (already pushed by the inner walk).
+        continue;
+      }
+
       out[key] = value;
     }
 

tests/unit/utils/sanitizeFilter.test.ts

@@ -43,3 +43,89 @@ describe('sanitizeFilter', () => {
     });
   });
 });
+
+describe('sanitizeFilter with nestedScopes (translation sub-fields)', () => {
+  // Caller mirrors the real super-table.vue wiring: parent collection is
+  // 'pages'; the translations junction is 'pages_translations'. The user
+  // can read `text` in the junction but not `description`.
+  const canRead = (field: string, scope?: string) => {
+    if (scope === 'pages_translations') return field === 'text';
+    return ['title', 'translations', 'id'].includes(field);
+  };
+  const opts = { nestedScopes: { translations: 'pages_translations' } };
+
+  it('keeps allowed sub-field inside _some on translations', () => {
+    const filter = { translations: { _some: { text: { _icontains: 'foo' } } } };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: { translations: { _some: { text: { _icontains: 'foo' } } } },
+      removed: [],
+    });
+  });
+
+  it('drops disallowed sub-field inside _some, dropping the whole translations clause', () => {
+    const filter = { translations: { _some: { description: { _icontains: 'foo' } } } };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: null,
+      removed: ['description'],
+    });
+  });
+
+  it('keeps allowed sibling and drops disallowed sibling inside _some', () => {
+    const filter = {
+      translations: {
+        _some: {
+          text: { _icontains: 'foo' },
+          description: { _icontains: 'bar' },
+        },
+      },
+    };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: { translations: { _some: { text: { _icontains: 'foo' } } } },
+      removed: ['description'],
+    });
+  });
+
+  it('drops translation branch inside _or while keeping accessible siblings', () => {
+    const filter = {
+      _or: [
+        { translations: { _some: { description: { _icontains: 'foo' } } } },
+        { title: { _icontains: 'foo' } },
+      ],
+    };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: { _or: [{ title: { _icontains: 'foo' } }] },
+      removed: ['description'],
+    });
+  });
+
+  it('handles _none and _every relation match operators', () => {
+    const filter = {
+      _and: [
+        { translations: { _none: { description: { _eq: 'spam' } } } },
+        { translations: { _every: { text: { _nnull: true } } } },
+      ],
+    };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: { _and: [{ translations: { _every: { text: { _nnull: true } } } }] },
+      removed: ['description'],
+    });
+  });
+
+  it('passes through when no nestedScopes configured (backward compatibility)', () => {
+    // Without nestedScopes, the walker treats translations as a leaf field.
+    // Permission only checks the parent-level field, not sub-fields.
+    const filter = { translations: { _some: { description: { _icontains: 'foo' } } } };
+    expect(sanitizeFilter(filter, canRead)).toEqual({
+      sanitized: filter,
+      removed: [],
+    });
+  });
+
+  it('does not require translations scope when filter touches only parent fields', () => {
+    const filter = { _and: [{ title: { _eq: 'foo' } }, { id: { _eq: 1 } }] };
+    expect(sanitizeFilter(filter, canRead, opts)).toEqual({
+      sanitized: filter,
+      removed: [],
+    });
+  });
+});